Comments on: Improving jQuery’s JSON performance and security http://encosia.com/improving-jquery-json-performance-and-security/ ASP.NET and AJAX code, ideas, and examples. Thu, 02 Feb 2012 19:50:46 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Dave Ward http://encosia.com/improving-jquery-json-performance-and-security/#comment-41822 Dave Ward Mon, 24 Jan 2011 15:51:45 +0000 http://encosia.com/?p=886#comment-41822 At the ASP.NET level, ASMX services are subject to the same authorization rules that ASPX pages are. If an unauthenticated user tries to directly request a service that's secured via web.config, ASP.NET will automatically return a 401 response. In terms of the security that ASP.NET provides, there aren't any extra precautions specific to ASMX. You should still be mindful of the potential for cross-site request forgery. That's not unique to ASMX or web services, but is too often overlooked. At the ASP.NET level, ASMX services are subject to the same authorization rules that ASPX pages are. If an unauthenticated user tries to directly request a service that’s secured via web.config, ASP.NET will automatically return a 401 response. In terms of the security that ASP.NET provides, there aren’t any extra precautions specific to ASMX.

You should still be mindful of the potential for cross-site request forgery. That’s not unique to ASMX or web services, but is too often overlooked.

]]> By: Abhijeet http://encosia.com/improving-jquery-json-performance-and-security/#comment-41821 Abhijeet Mon, 24 Jan 2011 13:16:02 +0000 http://encosia.com/?p=886#comment-41821 Hi Dave, I have created a sample app to call a webmethod using jquery's ajax method. I work in finance domain and i would like to know if what i have coded is secured from any attacks. What needs to be done to make this more secured. Any help will be appreciated. Below is the sample code- ASP.NET page- <pre lang="javascript"> function ddlChange() { var params ='{selectedItem:'+ $("#DropDownList1 option:selected").val() +'}'; $.ajax( { type: "POST", url: "Customer.asmx/GetCustData", data: params, contentType: "application/json; charset=utf-8", dataType: "json", success: function(msg) { var items = msg.d; if ($(items).length > 0) { $("#lblCustName").text(items.name); $("#lblCustAddr").text(items.address); } else { alert("No records found"); } }, error: function(XMLHttpRequest, textStatus, errorThrown) { alert(textStatus); } }); } </pre> Web services- <pre lang="csharp"> [WebMethod] [ScriptMethod(ResponseFormat = ResponseFormat.Json)] public CustomerData GetCustData(string selectedItem) { try { CustomerData cust = new CustomerData(); if (selectedItem.Equals("1")) { cust.name = "Jake"; cust.address = "NJ"; } else { cust.name = "Roger"; cust.address = "CA"; } return cust; } catch (Exception ex) { throw ex; } } </pre> Hi Dave,
I have created a sample app to call a webmethod using jquery’s ajax method. I work in finance domain and i would like to know if what i have coded is secured from any attacks. What needs to be done to make this more secured. Any help will be appreciated.
Below is the sample code-

ASP.NET page-

 
 
 
 
 
 
 
    function ddlChange() {
 
        var params ='{selectedItem:'+ $("#DropDownList1 option:selected").val() +'}';
 
 
        $.ajax(
 
    {
 
        type: "POST",
 
        url: "Customer.asmx/GetCustData",
 
        data: params,
 
        contentType: "application/json; charset=utf-8",
 
        dataType: "json",
 
        success: function(msg) {           
            var items = msg.d;           
 
            if ($(items).length > 0) {
                $("#lblCustName").text(items.name);
                $("#lblCustAddr").text(items.address);
            }
            else {
                alert("No records found");
            }
 
        },
        error: function(XMLHttpRequest, textStatus, errorThrown) {
 
            alert(textStatus);
 
        }
 
    });
 
    }

Web services-

 
[WebMethod]
        [ScriptMethod(ResponseFormat = ResponseFormat.Json)]
        public CustomerData GetCustData(string selectedItem)
        {
            try
            {
                CustomerData cust = new CustomerData();
 
                if (selectedItem.Equals("1"))
                {
                    cust.name = "Jake";
                    cust.address = "NJ";
                }
                else
                {
                    cust.name = "Roger";
                    cust.address = "CA";
                }
                return cust;
 
            }
            catch (Exception ex)
            {
                throw ex;
            }
 
        }
]]> By: deef http://encosia.com/improving-jquery-json-performance-and-security/#comment-38589 deef Wed, 28 Apr 2010 14:56:19 +0000 http://encosia.com/?p=886#comment-38589 Sorry for that last comment, I just found the solution on this post: http://encosia.com/2009/07/21/simplify-calling-asp-net-ajax-services-from-jquery/ Basically you just need to set the dataType to 'html' or 'text'. Sorry for that last comment, I just found the solution on this post: http://encosia.com/2009/07/21/simplify-calling-asp-net-ajax-services-from-jquery/
Basically you just need to set the dataType to ‘html’ or ‘text’.

]]> By: deef http://encosia.com/improving-jquery-json-performance-and-security/#comment-38588 deef Wed, 28 Apr 2010 14:52:12 +0000 http://encosia.com/?p=886#comment-38588 With the release of jQuery 1.4, above dataFilter causes jQuery to fail when the returned data is a string. jQuery parses the JSON data that is returned, but it first call the dataFilter callback. If your dataFilter callback already parse the data and extracts the .d property, which happens to be a string, then you never get to the success callback. code from jQuery ... // Allow a pre-filtering function to sanitize the response // s is checked to keep backwards compatibility if ( s && s.dataFilter ) { data = s.dataFilter( data, type ); } // The filter can actually parse the response if ( typeof data === "string" ) { // Get the JavaScript object, if JSON is used. if ( type === "json" || !type && ct.indexOf("json") >= 0 ) { data = jQuery.parseJSON( data ); // If the type is "script", eval it in global context } else if ( type === "script" || !type && ct.indexOf("javascript") >= 0 ) { jQuery.globalEval( data ); } } ... With the release of jQuery 1.4, above dataFilter causes jQuery to fail when the returned data is a string. jQuery parses the JSON data that is returned, but it first call the dataFilter callback. If your dataFilter callback already parse the data and extracts the .d property, which happens to be a string, then you never get to the success callback.

code from jQuery

// Allow a pre-filtering function to sanitize the response
// s is checked to keep backwards compatibility
if ( s && s.dataFilter ) {
data = s.dataFilter( data, type );
}

// The filter can actually parse the response
if ( typeof data === “string” ) {
// Get the JavaScript object, if JSON is used.
if ( type === “json” || !type && ct.indexOf(“json”) >= 0 ) {
data = jQuery.parseJSON( data );

// If the type is “script”, eval it in global context
} else if ( type === “script” || !type && ct.indexOf(“javascript”) >= 0 ) {
jQuery.globalEval( data );
}
}

]]> By: Dave Ward http://encosia.com/improving-jquery-json-performance-and-security/#comment-36722 Dave Ward Mon, 12 Oct 2009 13:00:08 +0000 http://encosia.com/?p=886#comment-36722 It is safe, as long as you secure any services that are sensitive. You can use .NET authorization on ASMX the same as you would on ASPX. As long as you don't trust the client too much, a user finding the service's URL isn't any more dangerous than them knowing the ASPX page's URL. For example, if you were building an AJAX shopping cart, you shouldn't ever accept a price from the client-side. Instead, you should always accept a product ID and retrieve its price from a secure, server-side data store (probably a database). That way, even if the user does find the service URL and figure out how to manually POST to it, the "worst" they can do is add legitimate items to their cart at full price. It is safe, as long as you secure any services that are sensitive. You can use .NET authorization on ASMX the same as you would on ASPX.

As long as you don’t trust the client too much, a user finding the service’s URL isn’t any more dangerous than them knowing the ASPX page’s URL.

For example, if you were building an AJAX shopping cart, you shouldn’t ever accept a price from the client-side. Instead, you should always accept a product ID and retrieve its price from a secure, server-side data store (probably a database). That way, even if the user does find the service URL and figure out how to manually POST to it, the “worst” they can do is add legitimate items to their cart at full price.

]]> By: Michael http://encosia.com/improving-jquery-json-performance-and-security/#comment-36648 Michael Wed, 07 Oct 2009 01:38:24 +0000 http://encosia.com/?p=886#comment-36648 Hi, I have seen a lot of demos using Json to call WebServices, but it's safe? I mean if you can see the code behind, you easily can see where is the WebServices Located. There is any way to encript the WebServices URL? Thanks Hi, I have seen a lot of demos using Json to call WebServices, but it’s safe? I mean if you can see the code behind, you easily can see where is the WebServices Located. There is any way to encript the WebServices URL?

Thanks

]]> By: » Improving jQuery’s JSON performance and security | Encosia - Yee Torrents News 4 http://encosia.com/improving-jquery-json-performance-and-security/#comment-36535 » Improving jQuery’s JSON performance and security | Encosia - Yee Torrents News 4 Thu, 24 Sep 2009 07:53:35 +0000 http://encosia.com/?p=886#comment-36535 [...] Source:Improving jQuery’s JSON performance and security | Encosia [...] [...] Source:Improving jQuery’s JSON performance and security | Encosia [...]

]]> By: Dave Ward http://encosia.com/improving-jquery-json-performance-and-security/#comment-36414 Dave Ward Thu, 10 Sep 2009 04:26:09 +0000 http://encosia.com/?p=886#comment-36414 If you set a dataFilter in $.ajaxSetup, it will apply to those shortcut methods. See this post for an example of doing that: http://encosia.com/2009/07/21/simplify-calling-asp-net-ajax-services-from-jquery/ If you set a dataFilter in $.ajaxSetup, it will apply to those shortcut methods. See this post for an example of doing that: http://encosia.com/2009/07/21/simplify-calling-asp-net-ajax-services-from-jquery/

]]> By: Chas Sforza http://encosia.com/improving-jquery-json-performance-and-security/#comment-36413 Chas Sforza Wed, 09 Sep 2009 23:49:00 +0000 http://encosia.com/?p=886#comment-36413 Well presented! Thanks! Any way to apply this sort of filter when using get() or getJSON()? Thanks again! Chas Well presented! Thanks!

Any way to apply this sort of filter when using get() or getJSON()?

Thanks again!

Chas

]]> By: Oliver http://encosia.com/improving-jquery-json-performance-and-security/#comment-36154 Oliver Tue, 11 Aug 2009 22:31:28 +0000 http://encosia.com/?p=886#comment-36154 Safari 4.0.3 supports native JSON Safari 4.0.3 supports native JSON

]]> By: flym http://encosia.com/improving-jquery-json-performance-and-security/#comment-36084 flym Fri, 07 Aug 2009 06:34:18 +0000 http://encosia.com/?p=886#comment-36084 I find it in www.json.com/json2.js but I think I won't use it if I must import one more js file,unless the browser help to do. I find it in http://www.json.com/json2.js
but I think I won’t use it if I must import one more js file,unless the browser help to do.

]]> By: flym http://encosia.com/improving-jquery-json-performance-and-security/#comment-36083 flym Fri, 07 Aug 2009 06:28:21 +0000 http://encosia.com/?p=886#comment-36083 I find my browser has not support it now,may wait for a while. btw:The most time,the server must keep the json returned sefely to be used. I find my browser has not support it now,may wait for a while.
btw:The most time,the server must keep the json returned sefely to be used.

]]> By: Creating a Webservice Proxy with jQuery « Life of a geek and a part-time poet http://encosia.com/improving-jquery-json-performance-and-security/#comment-36027 Creating a Webservice Proxy with jQuery « Life of a geek and a part-time poet Sun, 02 Aug 2009 12:59:32 +0000 http://encosia.com/?p=886#comment-36027 [...] Improving jQuery’s JSON performance and security [...] [...] Improving jQuery’s JSON performance and security [...]

]]> By: Techwave » Blog Archive » jQuery FTW (August 1) http://encosia.com/improving-jquery-json-performance-and-security/#comment-36023 Techwave » Blog Archive » jQuery FTW (August 1) Sat, 01 Aug 2009 23:17:53 +0000 http://encosia.com/?p=886#comment-36023 [...] Improving jQuery JSON Performance and Security - An interesting article about expanding jQuery to notice if the browser supports JSON parsing natively. [...] [...] Improving jQuery JSON Performance and Security – An interesting article about expanding jQuery to notice if the browser supports JSON parsing natively. [...]

]]> By: Jon http://encosia.com/improving-jquery-json-performance-and-security/#comment-35996 Jon Tue, 28 Jul 2009 21:13:54 +0000 http://encosia.com/?p=886#comment-35996 Ah right ok. That's not a problem really. Cheers Dave Ah right ok. That’s not a problem really.

Cheers Dave

]]>