[CLOSED] Cross-site Request Forgery with DirectMethods

  1. #1

    Is there any built-in security prevention for cross-site request forgery when using shared / static DirectMethods? We have an anti-forgery token on every page that we validate against on postbacks. Now with shared / static DirectMethods, it bypasses submitting form data so we can't validate that token. I would like a central way to validate against CSRF without modifying all existing DirectMethods to also send the token as a parameter to the method. Maybe somehow always inject the anti-forgery token to the header of the ajax request?
    Last edited by Daniil; Feb 06, 2015 at 2:01 PM. Reason: [CLOSED]
  2. #2

    Maybe you can add the following code to your application. It allows a requestID parameter to be sent along the way during DirectMethod calls.

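    <head runat="server">
        <script type="text/javascript">
            // Placeholder: replace with the page's anti-forgery token value.
            var token = 'my token';
            // Send the token as an extra parameter named requestID.
            Ext.net.DirectEvent.extraParams = { requestID: token };
        </script>
    </head>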
    Hope it helps.
  3. #3
    By default, in Ext.NET 7.0 for ASP.NET Core, a RequestVerificationToken is passed in all Direct requests and CSRF is now supported out of the box.

    Application security has been a priority focus of the new Ext.NET 7.0 release as we continue to focus on reducing security vulnerabilities and promote strong security practices for all apps.
    Geoffrey McGill
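
The approach asked about in post #1, a token carried in a request header and validated in one central place, as an added example that is not part of the thread and is not Ext.NET code. The header name, the function names and the HMAC-over-session-id token format are assumptions, and the server side is modeled in Node.js rather than ASP.NET.

```javascript
// Added example (not Ext.NET code): a header-based anti-forgery check applied
// in one place. HEADER, SERVER_KEY and all function names are assumptions.
const nodeCrypto = require('crypto');

const HEADER = 'x-csrf-token';
const SERVER_KEY = nodeCrypto.randomBytes(32); // per-application secret, constructed here

// The token is an HMAC over the session id, so a token issued for one
// session is useless in another.
function issueToken(sessionId) {
  return nodeCrypto.createHmac('sha256', SERVER_KEY).update(sessionId).digest('hex');
}

// Client side: one wrapper adds the header to every Ajax request, so the
// individual remote methods need no extra parameter.
function withToken(request, token) {
  return { ...request, headers: { ...(request.headers || {}), [HEADER]: token } };
}

// Server side: a single gate that runs before any handler is dispatched.
function verifyRequest(req, sessionId) {
  // Safe methods must not change state, so they are not gated here.
  if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return { ok: true };
  const sent = (req.headers || {})[HEADER];
  if (typeof sent !== 'string') return { ok: false, reason: 'missing token' };
  const expected = Buffer.from(issueToken(sessionId), 'hex');
  const got = Buffer.from(sent, 'hex'); // malformed hex decodes to a shorter buffer
  // timingSafeEqual requires equal lengths, so check the length first.
  if (got.length !== expected.length || !nodeCrypto.timingSafeEqual(got, expected)) {
    return { ok: false, reason: 'token mismatch' };
  }
  return { ok: true };
}

// Constructed sample requests: one sent by the page's own script, one forged
// by another site, which cannot read the token and so cannot set the header.
const sessionId = 'session-A';
const legit = withToken({ method: 'POST', url: '/direct', headers: {} }, issueToken(sessionId));
const forged = { method: 'POST', url: '/direct', headers: {} };
console.log(verifyRequest(legit, sessionId), verifyRequest(forged, sessionId));
```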
