
Security feature request - DataManager XSS and XSRF security - attaching an anti-forgery token in the request header for all AJAX requests from DataManager.

Thread ID: 126444
Created: Oct 15, 2016 12:39 AM
Updated: Oct 20, 2016 08:36 AM
Platform: ASP.NET MVC 3
Tags: DataManager
Megatron
Asked On October 15, 2016 12:39 AM

Hi, I need some clarification and help in configuring the DataManager to prevent XSS & XSRF.

Does the Syncfusion DataManager use jQuery behind the scenes when sending data to the server?
I ask because Angular, and other secure apps based on jQuery, usually attach an anti-forgery token.

To intercept XMLHttpRequest using JavaScript's native AJAX object, XMLHttpRequest, this is how I define a simple interceptor to add the token to the header:
<code>
// Wrap XMLHttpRequest.prototype.send so every request carries the anti-forgery header.
// myAppWithSyncfusionDatamgr.attachAntiForgery supplies the header name and the token.
(function (send) {
    XMLHttpRequest.prototype.send = function (data) {
        // setRequestHeader is only valid after open(), which has already run by the time send() is called
        this.setRequestHeader(myAppWithSyncfusionDatamgr.attachAntiForgery.tokenHeaderName,
                              myAppWithSyncfusionDatamgr.attachAntiForgery.getToken());
        return send.call(this, data);
    };
})(XMLHttpRequest.prototype.send);
</code>

My question is: if DataManager is using jQuery, how and where can I attach this function to the Syncfusion code, so that when I send/get data using the DataManager, this request is in the pipeline?

If you already have a mechanism, please help me understand how it's being handled.

Thanks
Mega



Kalai Selvi Rajendran [Syncfusion]
Replied On October 18, 2016 01:03 PM

Hi Mega, 

Thanks for using Syncfusion products. 
 
We have analyzed your query. You are able to add the anti-forgery token to the header property of DataManager as below:

<code>
var dataManager = ej.DataManager({
    url: "GetData",
    adaptor: new ej.UrlAdaptor(),
    headers: [{
        token: "12aba676"
    }]
});
</code>

Data will be fetched from the GetData action method and the token will be added to the request header; please refer to the screenshot for your reference, and we have attached a sample.
 
Sample: http://www.syncfusion.com/downloads/support/forum/126444/ze/SampleAntiForgery1721904240

If you have any other questions, please let us know. 

Regards 
Kalai Selvi 


Megatron
Replied On October 19, 2016 03:09 PM

Thanks for the sample. Remember the tokens are to be random and autogenerated on the server side so they cannot be reused, but in your sample it's static and can be hijacked easily. This does not prevent the XSS or XSRF, sadly.

If you test your controls you will see it's easy to hijack.

This seems to be a serious security oversight; an anti-XSS token should have been implemented in your ej.webmin. Looking at the code I did not find it, if it was already implemented. Can you confirm if it exists, or will you make this a request please?
  1. I also recommend you give the developer the option to override/call it something else other than token, so it's not overwriting other anti-forgery tokens
  2. and put it in the ej. namespace

thanks


 

Kasithangam C [Syncfusion]
Replied On October 20, 2016 08:36 AM

Hi Mega,
Thanks for your update.
You can get the dynamically generated token and pass it as a header of DataManager as shown in the code below:
<code>
var forgeryToken = $('[name=__RequestVerificationToken]').val(); // get the dynamic token value
var dataManager = ej.DataManager({
    url: "GetData",
    adaptor: new ej.UrlAdaptor(),
    headers: [{
        token: forgeryToken
    }]
});
</code>
We have prepared a sample based on your requirement and it is available under the following link:
Sample: Sample
Also, you mentioned "put it in ej. name space" in your query. Can you please provide more details regarding this query?
Regards, 
Kasithangam
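The native-XHR interceptor from the opening post, as an added example (not code from this thread or from Syncfusion), narrowed so the per-page token is attached only to same-origin, state-changing requests rather than to every request, which would also hand the token to any third-party host the page calls. The header name, token value and page origin are constructed, and the XHR class is a stand-in so the block runs outside a browser.

```javascript
// Added example, not code from the thread or from Syncfusion: an XMLHttpRequest
// interceptor like the one in the question, restricted to same-origin,
// state-changing requests so the page's anti-forgery token never leaves the site.
// open() is wrapped too, since method and URL are only known there and a header
// can only be set after open(). Exercised against a constructed stand-in XHR class;
// a page would pass window.XMLHttpRequest, window.location.origin and a reader
// of the hidden __RequestVerificationToken field.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Should this request carry the token? Relative URLs resolve against the page.
function needsToken(method, url, pageOrigin) {
  if (SAFE_METHODS.has(String(method).toUpperCase())) return false;
  return new URL(url, pageOrigin).origin === pageOrigin;
}

// Patch the XHR class in place; returns a function that undoes the patch.
function installAntiForgeryInterceptor(XHR, { headerName, getToken, pageOrigin }) {
  const proto = XHR.prototype;
  const origOpen = proto.open, origSend = proto.send;
  proto.open = function (method, url, ...rest) {
    this.__afMethod = method;   // remembered for send()
    this.__afUrl = url;
    return origOpen.call(this, method, url, ...rest);
  };
  proto.send = function (body) {
    if (needsToken(this.__afMethod, this.__afUrl, pageOrigin)) {
      this.setRequestHeader(headerName, getToken());
    }
    return origSend.call(this, body);
  };
  return () => { proto.open = origOpen; proto.send = origSend; };
}

// Constructed stand-in for XMLHttpRequest that records what would go on the wire.
class FakeXHR {
  open(method, url) { this.method = method; this.url = url; this.headers = {}; }
  setRequestHeader(name, value) { this.headers[name] = value; }
  send(body) { this.body = body; return this.headers; }
}

// Push one request through the patched class and return the headers it set.
function simulate(method, url) {
  const restore = installAntiForgeryInterceptor(FakeXHR, {
    headerName: 'X-RequestVerificationToken',   // assumed header name
    getToken: () => 'constructed-token-9f2a',   // a real page reads the hidden field
    pageOrigin: 'https://app.example',          // constructed page origin
  });
  const xhr = new FakeXHR();
  xhr.open(method, url);
  const headers = xhr.send(null);
  restore();
  return headers;
}
```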
