[CLOSED] Cross-site Request Forgery with DirectMethods

  1. #1

    [CLOSED] Cross-site Request Forgery with DirectMethods

    Is there any built-in security prevention for cross-site request forgery when using shared / static DirectMethods? We have an anti-forgery token on every page that we validate against on postbacks. Now with shared / static DirectMethods, it bypasses submitting form data, so we can't validate that token. I would like a central way to validate against CSRF without modifying all existing DirectMethods to also send the token as a parameter to the method. Maybe somehow always inject the anti-forgery token into the header of the ajax request?
    Last edited by Daniil; Feb 06, 2015 at 1:01 PM. Reason: [CLOSED]
  2. #2
    Hi,

    Maybe you can add the following code to your application. It allows requestID parameter to be sent along the way during directmethod calls.

    <head runat="server">
        <title></title>
        <script type="text/javascript">
            // 'my token' is a placeholder: render the server-issued anti-forgery token for this page here
            var token = 'my token';
            // extraParams is merged into every DirectMethod / DirectEvent request, so the
            // token travels with each call without changing the method signatures
            Ext.net.DirectEvent.extraParams = { requestID: token };
        </script>
    </head>
    Hope it helps.
