I am building a web service that exclusively uses JSON for its request and response content (i.e., no form encoded payloads).
Is a web service vulnerable to CSRF attack if the following are true?
-
Any
POST
request without a top-level JSON object, e.g.,{"foo":"bar"}
, will be rejected with a 400. For example, aPOST
request with the content42
would be thus rejected. -
Any
POST
request with a content-type other thanapplication/json
will be rejected with a 400. For example, aPOST
request with content-typeapplication/x-www-form-urlencoded
would be thus rejected. -
All GET requests will be Safe, and thus not modify any server-side data.
-
Clients are authenticated via a session cookie, which the web service gives them after they provide a correct username/password pair via a POST with JSON data, e.g.
{"username":"user@example.com", "password":"my password"}
.
Ancillary question: Are PUT
and DELETE
requests ever vulnerable to CSRF? I ask because it seems that most (all?) browsers disallow these methods in HTML forms.
EDIT: Added item #4.
EDIT: Lots of good comments and answers so far, but no one has offered a specific CSRF attack to which this web service is vulnerable.
Best Answer
Forging arbitrary CSRF requests with arbitrary media types is effectively only possible with XHR, because a form’s method is limited to GET and POST and a form’s POST message body is also limited to the three formats
application/x-www-form-urlencoded
,multipart/form-data
, andtext/plain
. However, with the form data encodingtext/plain
it is still possible to forge requests containing valid JSON data.So the only threat comes from XHR-based CSRF attacks. And those will only be successful if they are from the same origin, so basically from your own site somehow (e. g. XSS). Be careful not to mistake disabling CORS (i.e. not setting Access-Control-Allow-Origin: *) as a protection. CORS simply prevents clients from reading the response. The whole request is still sent and processed by the server.