Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Are JAXRS restful services prone to CSRF attack when content type negotiation is enabled?

Tags:

rest

web-services

csrf

jax-rs

I have a RESTful API which has annotations like @Consumes(MediaType.JSON) - in that case, would the CSRF attack still be possible on such a service? I've been tinkering with securing my services with CSRFGuard on server side or having a double submit from client side. However when I tried to POST requests using FORM with enctype="text/plain", it didn't work. The technique is explained here This works if I have MediaType.APPLICATION_FORM_URLENCODED in my consumes annotation. The content negotiation is useful when I'm using POST/PUT/DELETE verbs but GET is still accessible which might need looking into.

Any suggestions or inputs would be great, also please let me know if you need more info.

Cheers

like image 558
opensourcegeek Avatar asked Dec 21 '22 21:12

opensourcegeek

1 Answers

JAX-RS is designed to create REST API which is supposed to be stateless. The Cross Site Request Forgery is NOT a problem with stateless applications.

The way Cross Site Request Forgery works is someone may trick you to click on a link or open a link in your browser which will direct you to a site in which you are logged in, for example some online forum. Since you are already logged in on that forum the attacker can construct a url, say something like this: someforum.com/deletethread?id=23454

That forum program, being badly designed will recognize you based on the session cookie and will confirm that you have the capability to delete the thread and will in fact delete that thread.

All because the program authenticated you based on the session cookie (on even based on "remember me" cookie)

With RESTful API there is no cookie, no state is maintaned between requests, so there is no need to protect against session hijacking.

The way you usually authenticate with RESTFul api is be sending some additional headers. If someone tricks you into clicking on a url that points to restful API the browser is not going to send that extra headers, so there is no risk.

In short - if REST API is designed the way it supposed to be - stateless, then there is no risk of cross site forgery and no need to CSRF protection.

like image 140
Dmitri Avatar answered Jan 16 '23 17:01

Dmitri
Sign in to Comment

Related questions

Layered system constraint in REST API
Guaranteed sending of a request to a web service
How to Parse SoapFaultClientException in spring-ws
Use SOAP 1.2 with WebServiceGatewaySupport in Spring
How much extra overhead is generated when sending a file over a web service as a byte array?
Protecting API Secret Keys in a Thick Client application
WCF Duplex Service and TCP Port Exhaustion
Web service variable shared for the lifetime of the webservice?
XML Serialization - Missing Namespace Prefix at client end
Should I go with Tomcat or a full Java EE container?
How do I rename a file using the SharePoint web services?
Java Wrapper to Perl/Python code
Consume REST service with JME (or J2ME)
Jquery DataTables plugin - sAjaxSource
When calling a asmx service via jQuery, how to pass arguments?
Receive (and send) XML via POST with ASP.NET
Where to catch exceptions
Heroku + Logs Command :: Can Logs Detail can be increased at Heroku
Web Service built in C# to retrieve data from mySQL database
RESTful Webservices on Google App Engine

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!