
How can I prevent any possible CSRF attack on my public WCF SOAP service?

I know that the main solution is to use a CSRF token, but how can I achieve that?

Hopefully someone can give me an idea, or at least tell me that WCF cannot be CSRF attacked.



Yes, CSRF applies to WCF if you have enabled AJAX support for your service.

A quick and easy way to mitigate is to check a custom header such as the X-Requested-With request header. These headers cannot be passed cross-domain without CORS being enabled.

To further strengthen this solution, you could also set a token per session and then pass this in the header also. See this answer. This would mitigate vulnerabilities in browser plugins such as Flash and Silverlight where the former had previously suffered from a bug which allowed arbitrary headers to be set cross-domain that shouldn't be allowed otherwise.

SilverlightFox
  • Thanks, but what if I am not using AspNetCompatibility mode and I don't need sessions? How could I apply the token per session? – Ahmad Abu-Hamideh May 18 '16 at 08:44
  • Please could you update your question with some more details on your application and architecture? e.g. what are the clients for your service because non web-browsers do not need CSRF protection, and if sessions are not used then why do you need CSRF protection? – SilverlightFox May 18 '16 at 08:53
  • Actually, the idea of my services is to be public, separate services that are requested across different domains, so each app will ask to connect to this service via a username and password that may be sent in the SOAP header. So there are no sessions to be applied here. – Ahmad Abu-Hamideh May 18 '16 at 08:57
  • And why am I asking about CSRF? I am just wondering if it will raise any risk in my case. – Ahmad Abu-Hamideh May 18 '16 at 08:58
  • If you are passing username and password as a request header, then this intrinsically protects your API against CSRF. This is because any malicious cross-site request does not know these credentials, and therefore cannot add them to the request. CSRF protection is mainly mitigating against authorisation via cookies that are automatically submitted by the browser. As an aside, it is probably better to use a token rather than to pass the username and password each time. – SilverlightFox May 18 '16 at 09:04
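The custom-header check from the accepted answer, wired into WCF as a dispatch message inspector. This is an added example, not code from the answer or from WCF itself; the class names `RequireCustomHeaderInspector` and `RequireCustomHeaderBehavior` are hypothetical. It relies on the point made in the answer: a browser will not attach `X-Requested-With` to a cross-site request unless the service has opted in via CORS, so a cookie-only forged request arrives without it and is refused before the operation runs.

```csharp
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Hypothetical inspector (added example): rejects any HTTP request that does not
// carry the X-Requested-With header, which a cross-site form post or navigation
// cannot set without a CORS preflight that the service has not enabled.
public sealed class RequireCustomHeaderInspector : IDispatchMessageInspector
{
    private const string HeaderName = "X-Requested-With";

    public object AfterReceiveRequest(ref Message request, IClientChannel channel,
                                      InstanceContext instanceContext)
    {
        object prop;
        if (!request.Properties.TryGetValue(HttpRequestMessageProperty.Name, out prop))
            throw new FaultException("Request did not arrive over HTTP.");

        var http = (HttpRequestMessageProperty)prop;
        string value = http.Headers[HeaderName];
        if (string.IsNullOrEmpty(value))
        {
            // Fault out before the service operation is invoked. If a per-session
            // token is also issued (see the answer), compare it here as well.
            throw new FaultException("Missing " + HeaderName + " header; rejected as possible CSRF.");
        }
        return null; // no correlation state needed for the reply
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }
}

// Hypothetical endpoint behaviour that installs the inspector on the dispatch side.
// Attach it to the AJAX-enabled endpoint in code or via a behaviorExtensions entry.
public sealed class RequireCustomHeaderBehavior : IEndpointBehavior
{
    public void AddBindingParameters(ServiceEndpoint endpoint,
                                     BindingParameterCollection bindingParameters) { }

    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime) { }

    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher)
    {
        endpointDispatcher.DispatchRuntime.MessageInspectors.Add(new RequireCustomHeaderInspector());
    }

    public void Validate(ServiceEndpoint endpoint) { }
}
```

Only apply this to endpoints used by browser clients; as the comments note, non-browser callers that authenticate with a credential in the SOAP header are not exposed to CSRF and would simply be blocked by the header check.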