[CLOSED] Cross-site Request Forgery with DirectMethods

  1. #1

    Is there any built-in security prevention for cross-site request forgery when using shared / static DirectMethods? We have an anti-forgery token on every page that we validate against on postbacks. Now with shared / static DirectMethods, it bypasses submitting form data, so we can't validate that token. I would like a central way to validate against CSRF without modifying all existing DirectMethods to also send the token as a parameter to the method. Maybe somehow always inject the anti-forgery token into the header of the ajax request?
    Last edited by Daniil; Feb 06, 2015 at 1:01 PM. Reason: [CLOSED]
  2. #2
    Hi,

    Maybe you can add the following code to your application. It allows a requestID parameter to be sent along with every DirectMethod call.

    <head runat="server">
        <title></title>
        <script type="text/javascript">
            // Replace 'my token' with the anti-forgery token rendered for this page
            var token = 'my token';
            // Extra parameters are appended to every Direct request, so the
            // token travels with each DirectMethod call without changing the methods
            Ext.net.DirectEvent.extraParams = { requestID: token };
        </script>
    </head>
    Hope it helps.
  3. #3
    By default, in Ext.NET 7.0 for ASP.NET Core, a RequestVerificationToken is passed in all Direct requests and CSRF is now supported out of the box.

    Application security has been a priority focus of the new Ext.NET 7.0 release as we continue to focus on reducing security vulnerabilities and promote strong security practices for all apps.
    Geoffrey McGill
    Founder
