JSON API and CSRF
I'm developing a web API. Authentication is through cookies. All endpoints receive parameters through JSON in the request body.

Do I need to implement a CSRF token to protect them? How can this be exploitable? Is it possible to send JSON through a normal <form> element?

Is it possible for an attacker to have something like this?

<form type="application/json" method="POST">
     <input name="json" value="{ my json code here }">
     <input type="submit" value="Send">
</form>
Cox answered 22/2, 2018 at 1:6 Comment(1)
Does this answer your question? Are JSON web services vulnerable to CSRF attacks? Canto
Firstly, you have to secure your API to avoid HTML/JavaScript injections that can cause CSRF attacks on OTHER sites. To do it:

  • use HTTPS for all communications to avoid MITM attacks

  • sanitize all incoming data to prevent HTML/JavaScript/SQL/LDAP/Command/... injections. You can also use a web application firewall (WAF) that prevents different types of attacks.

  • Use HTTP headers:

    X-XSS-Protection "1; mode=block" - this header enables the Cross-site scripting (XSS) filter built into most recent web browsers.

    Content-Security-Policy - this header tells the browser that it can only communicate with the domains you explicitly allow.

In case your API provides any sensitive information, then use a CSRF token to avoid CSRF attacks on YOUR API. The CSRF attack on your API can be done, for example, by JavaScript injected into another website. In this case the injected code can make a correctly formed AJAX request.

Palatial answered 22/3, 2018 at 23:53 Comment(1)
Thank you for your answer, but it's a "generic" answer and does not specifically answer my question. Is my current implementation (regarding only CSRF attacks) secure? Why yes? Why no? How can it be exploitable? Cox
There's no attribute named type for HTML forms. The closest attribute is enctype, and you can find its reference here. The only valid values for the attribute are:

  • application/x-www-form-urlencoded, the default. All characters are encoded before being sent (spaces are converted to "+" symbols, and special characters are converted to ASCII hex values).

  • multipart/form-data. No characters are encoded. This value is required when you are using forms that have a file upload control.

  • text/plain. Spaces are converted to "+" symbols, but no special characters are encoded.

Therefore a simple form cannot submit a valid JSON payload.

Tantalite answered 29/3, 2018 at 17:47 Comment(2)
It is possible to perform a CSRF attack through Flash: blog.appsecco.com/… but recent browsers seem to have been protected against this recently: bugzilla.mozilla.org/show_bug.cgi?id=1436241 Longfaced
Can't we use a script to submit a valid JSON payload? Topmast
A CSRF token is a must. Maybe you can add some hash based on the value and match it later, and you might want to consider using AJAX to send the value rather than putting it inside an input, since JSON often has double quotes, like value="{name:""}", and that will make the HTML invalid.

Jameljamerson answered 29/3, 2018 at 4:21 Comment(2)
"All endpoints receive parameters through JSON in the request body". So there is no input; I'm just wondering if my current system could be exploitable. Why is a CSRF token a must in my case? If I don't do anything, how can it be exploitable? Cox
Your premise is wrong. You receive JSON in the request body, so you have input that can be compromised. An attacker can spoof the form with malicious JSON content and could bring an authenticated person to use the compromised form, effectively sending the JSON with that user's permissions. So yes, you want CSRF. Ideally you would also apply an HMAC to the JSON if possible. Olnek
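To make the two defensive points above concrete (a plain form can only send the three enctype values, and the API should still carry a session-bound CSRF token), here is an added server-side check written for this question; it is not code from any answerer. It assumes a framework-neutral request shape (a dict of lower-cased headers and a dict of cookies), a constructed secret, and a cookie named "session"; the token is bound to that cookie with an HMAC and is expected in a custom X-CSRF-Token header, which a cross-origin page cannot add without a CORS preflight the server does not grant.

```python
import hashlib
import hmac

# Constructed secret for this example; load a real one from configuration.
SERVER_SECRET = b"example-secret-do-not-reuse"

# The only body encodings a plain HTML <form> can produce (see the enctype answer).
FORM_ENCTYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def make_csrf_token(session_id: str) -> str:
    """Derive a CSRF token bound to the session cookie value (HMAC-SHA256).

    The server hands this to its own front-end (e.g. in a meta tag); the
    front-end echoes it back in the X-CSRF-Token header on every JSON call.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_json_request(headers: dict, cookies: dict) -> tuple:
    """Decide whether a cookie-authenticated JSON request may be processed.

    Returns (allowed, reason). Rejects anything a cross-site form could have
    sent, then requires a token that matches the caller's own session cookie.
    """
    # Strip parameters such as "; charset=utf-8" before comparing the media type.
    content_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if content_type in FORM_ENCTYPES:
        return (False, "form-encoded body")
    if content_type != "application/json":
        return (False, "unexpected content type")

    session_id = cookies.get("session")
    token = headers.get("x-csrf-token")
    if not session_id or not token:
        return (False, "missing session or csrf token")

    # Constant-time comparison so token checks do not leak timing information.
    if not hmac.compare_digest(token, make_csrf_token(session_id)):
        return (False, "csrf token mismatch")
    return (True, "ok")
```

Because application/json is not a CORS-safelisted media type, a cross-origin fetch() carrying it triggers a preflight, so the Content-Type check alone already stops the simple form and script cases raised in this thread; the token check covers anything that manages to send JSON with the victim's cookies anyway.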

© 2022 - 2024 — McMap. All rights reserved.