
Security feature request - DataManager XSS and CSRF security - attaching an anti-forgery token in the request header for all AJAX requests from DataManager.

Hi, I need some clarification and help in configuring the DataManager to prevent XSS and CSRF.

Does the Syncfusion DataManager use jQuery behind the scenes when sending data to the server?
I ask because Angular and other secure apps based on jQuery usually attach an anti-forgery token.

Intercepting XMLHttpRequest, JavaScript's native AJAX object, here is how I define a simple interceptor to add the token to the header:
<code>
(function (send) {
    XMLHttpRequest.prototype.send = function (data) {
        // attach the anti-forgery token header before the original send runs
        this.setRequestHeader(myAppWithSyncfusionDatamgr.attachAntiForgery.tokenHeaderName,
                              myAppWithSyncfusionDatamgr.attachAntiForgery.getToken());
        return send.call(this, data);
    };
})(XMLHttpRequest.prototype.send);
</code>

My question is: if DataManager is using jQuery, how and where can I attach this function to the Syncfusion code, so that when I send/get data using the DataManager this request is in the pipeline?

If you already have a mechanism, please help me understand how it's being handled.

Thanks
Mega



3 Replies

KS Kalai Selvi Rajendran Syncfusion Team October 18, 2016 05:03 PM UTC

Hi Mega, 

Thanks for using Syncfusion products. 
 
We have analyzed your query; you can add the anti-forgery token to the header property of DataManager as below.
 
<code>
var dataManager = ej.DataManager({
    url: "GetData",
    adaptor: new ej.UrlAdaptor(),
    headers: [{
        token: "12aba676"   // sent as a request header named "token"
    }]
});
</code>
 
Data will be fetched from the GetData action method and the token will be added to the request header; please refer to the screenshot for your reference, and we have attached a sample.
 
 Sample: http://www.syncfusion.com/downloads/support/forum/126444/ze/SampleAntiForgery1721904240 

If you have any other questions, please let us know. 

Regards 
Kalai Selvi 



ME Megatron October 19, 2016 07:09 PM UTC

Thanks for the sample; remember the tokens are to be random and auto-generated on the server side so they cannot be reused, but in your sample it's static and can be hijacked easily. This does not prevent XSS or CSRF, sadly.

If you test your controls you will see it's easy to hijack.

This seems to be a serious security oversight; an anti-XSS token should have been implemented in your ej.webmin. Looking at the code I did not find it if it was already implemented. Can you confirm if it exists, or will you make this a request please?
  1. I also recommend you give the developer the option to override/call it something else other than "token", so it's not overwriting other anti-forgery tokens
  2. and put it in the ej. namespace

thanks


 


KC Kasithangam C Syncfusion Team October 20, 2016 12:36 PM UTC

Hi Mega, 
Thanks for your update. 
You can get the dynamically generated token and pass it as a header of DataManager as shown in the code below:
<code>
var forgeryToken = $('[name=__RequestVerificationToken]').val(); // get the dynamic token value
var dataManager = ej.DataManager({
    url: "GetData",
    adaptor: new ej.UrlAdaptor(),
    headers: [{
        token: forgeryToken
    }]
});
</code>
We have prepared the sample based on your requirement and it is available under the following link: 
Sample: Sample 
Also, you have mentioned "put it in ej. name space" in your query. Can you please provide more details regarding this query?
Regards, 
Kasithangam
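Pulling the thread together as an added example (not Syncfusion's code and not from any poster): it reads the server-issued `__RequestVerificationToken` field, builds the DataManager `headers` entry from it, and generalises the interceptor idea from the first post so the token is attached only to same-origin requests, since an interceptor that adds it to every XMLHttpRequest would also hand it to any third-party host the page talks to. The header name `RequestVerificationToken` and the page origin are assumptions.

```javascript
// Assumed header name; the server-side anti-forgery check must read the same one.
const TOKEN_HEADER = "RequestVerificationToken";

// Read the per-request token the server renders into the hidden form field.
// Returns null when the field is absent so callers can refuse to send.
function readTokenFromDom(doc) {
  const field = doc.querySelector('input[name="__RequestVerificationToken"]');
  return field ? field.value : null;
}

// Build the `headers` array ej.DataManager expects, from a fresh (non-static) token.
function buildDataManagerHeaders(token) {
  if (!token) {
    throw new Error("anti-forgery token missing; refusing to build headers");
  }
  const entry = {};
  entry[TOKEN_HEADER] = token;
  return [entry];
}

// The token must only travel to our own origin; relative URLs resolve against pageOrigin.
function isSameOrigin(url, pageOrigin) {
  return new URL(url, pageOrigin).origin === pageOrigin;
}

// Wrap an XMLHttpRequest-like constructor: remember the target URL at open(),
// and at send() attach the token only for same-origin requests.
function installInterceptor(XHR, getToken, pageOrigin) {
  const open = XHR.prototype.open;
  const send = XHR.prototype.send;
  XHR.prototype.open = function (method, url, ...rest) {
    this.__targetUrl = String(url);
    return open.call(this, method, url, ...rest);
  };
  XHR.prototype.send = function (body) {
    if (this.__targetUrl && isSameOrigin(this.__targetUrl, pageOrigin)) {
      this.setRequestHeader(TOKEN_HEADER, getToken());
    }
    return send.call(this, body);
  };
}

// In a browser: install against the real XMLHttpRequest (skipped under Node).
if (typeof XMLHttpRequest !== "undefined" && typeof document !== "undefined") {
  installInterceptor(XMLHttpRequest, () => readTokenFromDom(document), location.origin);
}
```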
