[CLOSED] Cross-site Request Forgery with DirectMethods

[jchau]

Is there any built-in security prevention for cross-site request forgery when using shared / static DirectMethods? We have an anti-forgery token on every page that we validate against on postbacks. Now with shared / static DirectMethods, it bypass submitting form data so we can't validate that token. I would like a central way to validate against CSRF without modifying all existing DirectMethods to also send the token as a parameter to the method. Maybe somehow always inject the anti-forgery token to the header of the ajax request?

[Dimitris]

Hi,

Maybe you can add the following code to your application. It allows requestID parameter to be sent along the way during directmethod calls.

<head runat="server">
    <title></title>
    <script type="text/javascript">
        var token = 'my token';
        Ext.net.DirectEvent.extraParams = { requestID: token };
    </script>
</head>

Hope it helps.

[geoffrey.mcgill]

By default, in Ext.NET 7.0 for ASP.NET Core, a RequestVerificationToken is passed in all Direct requests and CSRF is now supported out of the box.

Application security has been a priority focus of the new Ext.NET 7.0 release as we continue to focus on reducing security vulnerabilities and promote strong security practices for all apps.