Monday, September 27, 2010

SharePoint–Preventing CSRF using dynamic canary

As you are aware, SharePoint uses a FormDigest to prevent common CSRF attacks.

A good article on SharePoint XSS and AllowUnsafeUpdates can be found here.

In a relatively obscure scenario you may want to call a SharePoint page asynchronously using AJAX. If so, you will want to prevent CSRF attacks on the target page by calling SPUtility.ValidateFormDigest there. But how do you provide the form digest to this page?

Simple! Just add a __RequestDigest variable to the POST request and call the TargetPage. Don’t forget to include a FormDigest control on the TargetPage, though, or inherit from the SharePoint master page.

// read the digest from the hidden field the FormDigest control renders on this page
var canaryValue = document.getElementById('__REQUESTDIGEST').value;
// someFormData: the rest of the body as already URL-encoded name=value pairs
request.send('__REQUESTDIGEST=' + encodeURIComponent(canaryValue) + '&' + someFormData);
This code assumes you are making the AJAX call from a SharePoint page that already includes a RequestDigest field, so you can reuse its value when posting to the Target Page.


Another method to get the request digest is to call the GetUpdatedFormDigestInformation method on the Sites.asmx web service.
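The web-service route, as an added example (not code from the original post): build the SOAP call to Sites.asmx, pull the digest and its timeout out of the response, and decide when a cached digest needs refreshing. The SOAP action and element names (GetUpdatedFormDigestInformation, DigestValue, TimeoutSeconds) are as I recall them from the SharePoint 2010 Sites.asmx contract and should be checked against /_vti_bin/sites.asmx?WSDL on your farm; the function names and the sample response are constructed for illustration.

```javascript
// Added example: refresh the form digest via Sites.asmx and track its expiry.
// Assumption: element/action names follow the SharePoint 2010 Sites.asmx contract.
var SOAP_NS = 'http://schemas.microsoft.com/sharepoint/soap/';

// Minimal XML escaping so a site URL with '&' cannot break the envelope.
function escapeXml(s) {
  return String(s).replace(/[<>&'"]/g, function (c) {
    return { '<': '&lt;', '>': '&gt;', '&': '&amp;', "'": '&apos;', '"': '&quot;' }[c];
  });
}

// SOAP 1.1 envelope for GetUpdatedFormDigestInformation(url).
function buildDigestSoapEnvelope(siteUrl) {
  return '<?xml version="1.0" encoding="utf-8"?>' +
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">' +
    '<soap:Body><GetUpdatedFormDigestInformation xmlns="' + SOAP_NS + '">' +
    '<url>' + escapeXml(siteUrl) + '</url>' +
    '</GetUpdatedFormDigestInformation></soap:Body></soap:Envelope>';
}

// Pull DigestValue and TimeoutSeconds out of the response. Regexes are used so
// the helper also runs outside a browser; in-page, DOMParser works as well.
function parseDigestResponse(xml) {
  var digest = /<DigestValue>([^<]*)<\/DigestValue>/.exec(xml);
  var timeout = /<TimeoutSeconds>(\d+)<\/TimeoutSeconds>/.exec(xml);
  if (!digest || !timeout) return null;
  return { digest: digest[1], timeoutSeconds: parseInt(timeout[1], 10) };
}

// A digest is only accepted until its timeout. Refresh a little early so a
// long-lived page does not post a stale value and get rejected by the server.
function digestStillValid(fetchedAtMs, timeoutSeconds, nowMs, safetyMs) {
  var margin = safetyMs === undefined ? 30000 : safetyMs;
  return nowMs - fetchedAtMs < timeoutSeconds * 1000 - margin;
}

// Browser-side call (XMLHttpRequest); onDone receives the parsed info or null.
function fetchUpdatedDigest(siteUrl, onDone) {
  var req = new XMLHttpRequest();
  req.open('POST', siteUrl.replace(/\/$/, '') + '/_vti_bin/sites.asmx', true);
  req.setRequestHeader('Content-Type', 'text/xml; charset=utf-8');
  req.setRequestHeader('SOAPAction', SOAP_NS + 'GetUpdatedFormDigestInformation');
  req.onreadystatechange = function () {
    if (req.readyState !== 4) return;
    onDone(req.status === 200 ? parseDigestResponse(req.responseText) : null);
  };
  req.send(buildDigestSoapEnvelope(siteUrl));
}

// Constructed sample response (not captured from a real farm; digest is made up).
var SAMPLE_RESPONSE = '<?xml version="1.0" encoding="utf-8"?>' +
  '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>' +
  '<GetUpdatedFormDigestInformationResponse xmlns="' + SOAP_NS + '">' +
  '<GetUpdatedFormDigestInformationResult>' +
  '<DigestValue>0xABCDEF,27 Sep 2010 00:00:00 -0000</DigestValue>' +
  '<TimeoutSeconds>1800</TimeoutSeconds>' +
  '<WebFullUrl>http://sharepoint.example/sites/demo</WebFullUrl>' +
  '</GetUpdatedFormDigestInformationResult>' +
  '</GetUpdatedFormDigestInformationResponse></soap:Body></soap:Envelope>';

var sampleInfo = parseDigestResponse(SAMPLE_RESPONSE);
```

The point of keeping TimeoutSeconds alongside the value is that a page left open longer than the digest lifetime will otherwise start failing ValidateFormDigest on the target; checking digestStillValid before each call and refetching when it is false avoids that.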


As an alternative to sending the RequestDigest field in the POST data, you can set the X-RequestDigest header on the web request to the request digest value and validate the FormDigest on the target (I couldn’t get it to work for ASPX pages; I believe it works for web services).

request.setRequestHeader("X-RequestDigest", canaryValue);
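The two carriers described above, the __REQUESTDIGEST body field and the X-RequestDigest header, put together in one request builder. This is an added example, not code from the original post; only the field and header names come from the post, while the function names, the fake document and the sample digest and form values are constructed for illustration.

```javascript
// Added example: build a POST that carries the SharePoint form digest both in
// the body (__REQUESTDIGEST) and in the X-RequestDigest header, so the target
// can call SPUtility.ValidateFormDigest whichever carrier it checks.

// Read the digest from the hidden field the FormDigest control renders.
// Returns null when the page has no such field (e.g. not using the master page),
// so the caller can fail early instead of posting an empty digest.
function readPageDigest(doc) {
  var el = doc && typeof doc.getElementById === 'function' ? doc.getElementById('__REQUESTDIGEST') : null;
  return el && el.value ? el.value : null;
}

// Encode a flat object as application/x-www-form-urlencoded.
function formEncode(fields) {
  var parts = [];
  Object.keys(fields).forEach(function (name) {
    parts.push(encodeURIComponent(name) + '=' + encodeURIComponent(fields[name]));
  });
  return parts.join('&');
}

// Produce body and headers for the digest-carrying request. The digest is
// always placed first in the body and cannot be overridden by caller fields.
function buildDigestPost(digest, fields) {
  if (!digest) throw new Error('no form digest available; include a FormDigest control on the page');
  var merged = { __REQUESTDIGEST: digest };
  Object.keys(fields || {}).forEach(function (name) {
    if (name !== '__REQUESTDIGEST') merged[name] = fields[name];
  });
  return {
    body: formEncode(merged),
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      'X-RequestDigest': digest
    }
  };
}

// Browser-side send with XMLHttpRequest; onDone(status, responseText).
function sendDigestPost(url, digest, fields, onDone) {
  var prepared = buildDigestPost(digest, fields);
  var req = new XMLHttpRequest();
  req.open('POST', url, true);
  Object.keys(prepared.headers).forEach(function (h) {
    req.setRequestHeader(h, prepared.headers[h]);
  });
  req.onreadystatechange = function () {
    if (req.readyState === 4 && onDone) onDone(req.status, req.responseText);
  };
  req.send(prepared.body);
  return req;
}

// Constructed sample values (the digest is made up, not a real token).
var SAMPLE_DIGEST = '0xABCDEF,27 Sep 2010 00:00:00 -0000';
var sample = buildDigestPost(SAMPLE_DIGEST, { Title: 'Hello & welcome', ID: '42' });

// A stand-in for document, used to show readPageDigest without a browser.
var fakeDocument = {
  getElementById: function (id) {
    return id === '__REQUESTDIGEST' ? { value: SAMPLE_DIGEST } : null;
  }
};
```

In a page, the call is sendDigestPost('/sites/demo/TargetPage.aspx', readPageDigest(document), { Title: 'x' }, cb); because buildDigestPost throws on a missing digest, a page that forgot the FormDigest control fails in the browser console rather than with a confusing rejection from the target.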

Author : Sandeep Rawat // 12:51 AM