Page 1: Cross-Origin requests and ASP.NET MVC… · A while ago, I wrote an article "ASP.NET MVC security and hacking: Defense-in-depth", in which I talked about XSS and CSRF attacks. All

Cross-Origin requests and ASP.NET MVC

We can initiate a cross-domain request from our web page by creating either an XMLHttpRequest object or an XDomainRequest object. The end user's web browser will request data from the domain's server, sending an "Origin" header whose value is the requesting origin. If the server responds with "Access-Control-Allow-Origin: *" or "Access-Control-Allow-Origin: <that origin>", we are permitted to access the data; otherwise the request is rejected as unauthorized.

Because we have to control our server's response in order to allow cross-origin requests, we use the BeginRequest event handler in the Global.asax file to add the "Access-Control-Allow-Origin" header to our response, after checking whether the request's "Origin" header matches a domain name that we allow. This way the server blocks unauthorized requests as early as possible.
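The following Global.asax.cs handler is an added example of the BeginRequest check just described; it is not the dTweet project's or the article's own code. The namespace and class name, the AllowedOrigins list and the two origins in it are assumptions to be replaced with your own.

```csharp
// Global.asax.cs : added example, not the dTweet project's code.
// The namespace, class name and the entries in AllowedOrigins are assumptions.
using System;
using System.Collections.Generic;
using System.Web;

namespace CorsDemo
{
    public class MvcApplication : HttpApplication
    {
        // Exact origins (scheme://host[:port]) we are willing to share data with.
        // Exact matching matters: a Contains/EndsWith test on the host name would
        // also accept "http://example.com.attacker.invalid" or "http://notexample.com".
        private static readonly HashSet<string> AllowedOrigins =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase)
            {
                "http://dashingquill.web.officelive.com",   // assumed allowed site
                "http://localhost:8080"                     // assumed development client
            };

        protected void Application_BeginRequest(object sender, EventArgs e)
        {
            string origin = Request.Headers["Origin"];

            // No Origin header: same-origin or non-browser request, CORS does not apply.
            if (string.IsNullOrEmpty(origin))
            {
                return;
            }

            if (!AllowedOrigins.Contains(origin))
            {
                // Unknown origin: refuse before routing reaches any controller and send
                // no Access-Control-Allow-Origin header at all, so the browser will not
                // hand the response body to the calling script.
                Response.StatusCode = 403;
                Response.StatusDescription = "Origin not allowed";
                CompleteRequest();   // jump to EndRequest; avoids Response.End()'s ThreadAbortException
                return;
            }

            // Allowed origin: echo exactly that origin back. "*" is acceptable only for
            // public data requested without cookies or other credentials.
            Response.AppendHeader("Access-Control-Allow-Origin", origin);
            // Tell shared caches the answer differs per Origin, so a response allowed for
            // one site is not replayed from cache to another.
            Response.AppendHeader("Vary", "Origin");

            // Preflight for requests that need it (for example a POST with a JSON body):
            // answer it here and stop; the browser then sends the real request.
            if (string.Equals(Request.HttpMethod, "OPTIONS", StringComparison.OrdinalIgnoreCase))
            {
                Response.AppendHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
                Response.AppendHeader("Access-Control-Allow-Headers", "Content-Type");
                Response.AppendHeader("Access-Control-Max-Age", "600");
                Response.StatusCode = 200;
                CompleteRequest();
            }
        }
    }
}
```

The handler runs before MVC routing, so a request from an origin that is not on the list never reaches a controller, which is the "block as soon as possible" behaviour the text asks for. A simple form-encoded POST such as the one the tweeting application makes does not trigger a preflight, so the OPTIONS branch only matters once the client sends JSON or custom headers.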

There is an open-source ASP.NET MVC tweeting application that lets us make a cross-origin (POST) request to get the top 10 public tweets. The application is available at: http://dtweet.codeplex.com

For a live demonstration or in-place demo, click here:

http://dashingquill.web.officelive.com/blogs/Javascript/cross-origin-XMLHttpRequest-requests-in-ASP.NET-MVC.htm



Supporting Cross-Browsers

Cross-Origin requests are supported on IE6+, Chrome and Firefox web browsers. To support IE browsers, I used the following two files to handle cross-browser scenarios:

XMLHttpRequest.js - Open-Source at Github: http://github.com/ilinsky/XMLHttpRequest or http://www.ilinsky.com/articles/XMLHttpRequest/

Json2.js by Douglas Crockford - External Link: http://www.JSON.org/json2.js

You must place them before any other JavaScript files that use the XMLHttpRequest object.

Possible Attacks

The same-origin policy enforced by web browsers is the most significant protection against attack; cross-origin requests, however, are the most exposed to attack.

CSRF attack: Cross-Site Request Forgery. A CSRF attack interacts with the user's credentials and does malicious things on behalf of the user. It is mostly applied to email accounts.

XSS attack: Cross-Site Scripting. An XSS attack occurs when malicious data is injected through POST/GET messages.

DNS Rebinding attack: interaction with DNS hostnames and network addresses. The hacker injects malicious code and executes it on the server side; the server considers the hacker's request authentic because the hostname matches.

Spoofing and redirection attacks are mostly applied to cross-origin requests because the server relies heavily upon HTTP headers to determine which site can access resources, as well as what actions it is permitted to perform.

For cross-origin requests' security: "Ensure user authority cannot be misused or compromised".



A while ago, I wrote an article "ASP.NET MVC security and hacking: Defense-in-depth", in which I talked about XSS and CSRF attacks. All of those attacking techniques also apply to cross-origin requests.

© 2011 Dashing Quill - Muaz Khan

http://dashingquill.web.officelive.com/blogs/Javascript/cross-origin-XMLHttpRequest-requests-in-ASP.NET-MVC.htm