How can I add a header X-RequestDigest (canary) to every POST request?

Nov 13, 2012 at 5:19 PM

Is there a way to add a canary X-RequestDigest to any POST operation on SharePoint web services posted via SPServices?

Coordinator
Nov 21, 2012 at 3:33 AM

To be honest, I have no idea.

M.

Dec 6, 2012 at 3:49 PM

sympmarc,
SharePoint Web Services are susceptible to Cross-Site Request Forgery attacks if they do not validate a form digest or cannot validate the X-RequestDigest value. Based on the security validation document for SharePoint, http://msdn.microsoft.com/en-us/library/gg552614%28v=office.14%29.aspx#bestpractice_crossrequest, one should be able to attach the X-RequestDigest header to a web service call. I have, however, tried adding random values to the X-RequestDigest header and sent requests to SharePoint web services, and there has been no validation.

Can anyone validate that they have seen the same behaviour, or whether there is anything that can be done to prevent CSRF on SharePoint web services?
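The client half of what the original question and the post above are after, as an added example that is not SPServices' own code and not from either poster: read the form digest SharePoint renders into the hidden `__REQUESTDIGEST` field and attach it as `X-RequestDigest` on every state-changing request, refusing to send the request when the digest is missing. The DOM is replaced by a constructed stand-in so the code runs outside a browser; the `/_vti_bin/Lists.asmx` URL and the digest value are illustrative. The header is only a defence if the service actually validates it, which is exactly what the post above reports it did not observe, and a digest expires and must be refreshed before long-running pages reuse it.

```javascript
// Added example (not SPServices or SharePoint code): attach the page's form
// digest to POST-like requests as the X-RequestDigest header.

// Constructed stand-in for the browser document so the example runs offline.
// On a real SharePoint page the digest sits in the hidden __REQUESTDIGEST input.
const fakeDocument = {
  getElementById(id) {
    return id === '__REQUESTDIGEST'
      ? { value: '0x0123ABCD,13 Nov 2012 17:19:00 -0000' } // constructed sample digest
      : null;
  },
};

// Read the digest from the page; returns null when the field is absent or empty.
function getRequestDigest(doc) {
  const field = doc.getElementById('__REQUESTDIGEST');
  const value = field && typeof field.value === 'string' ? field.value.trim() : '';
  return value.length > 0 ? value : null;
}

// Only state-changing methods need the canary; safe methods are left alone.
function needsDigest(method) {
  return !/^(GET|HEAD|OPTIONS)$/i.test(method || 'GET');
}

// Return a copy of the request options with X-RequestDigest added for
// POST-like calls. Throws if no digest is available, so a call never goes
// out silently unprotected.
function withRequestDigest(options, doc) {
  const opts = { ...options, headers: { ...(options.headers || {}) } };
  if (!needsDigest(opts.method)) return opts;
  const digest = getRequestDigest(doc);
  if (!digest) {
    throw new Error('X-RequestDigest unavailable: __REQUESTDIGEST field missing');
  }
  opts.headers['X-RequestDigest'] = digest;
  return opts;
}

// Hook for jQuery-based callers such as SPServices. Registered once in a browser as
//   $.ajaxSetup({ beforeSend: makeBeforeSend(document) });
// every $.ajax POST then carries the header; returning false cancels the request.
function makeBeforeSend(doc) {
  return function beforeSend(xhr, settings) {
    if (!needsDigest(settings && settings.type)) return true;
    const digest = getRequestDigest(doc);
    if (!digest) return false; // abort rather than send an unprotected POST
    xhr.setRequestHeader('X-RequestDigest', digest);
    return true;
  };
}

// Stand-alone demonstration against the constructed document.
const demo = withRequestDigest(
  { method: 'POST', url: '/_vti_bin/Lists.asmx', headers: { SOAPAction: 'UpdateListItems' } },
  fakeDocument
);
console.log(demo.headers);
```

`withRequestDigest` suits code that builds its own XMLHttpRequest or `fetch` options; `makeBeforeSend` is the drop-in for jQuery callers. Both read the field at request time rather than caching it once, so a page that refreshes the hidden field (or replaces it after calling the digest-update web service) picks up the new value automatically.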

Dec 7, 2012 at 1:12 PM

I found a post about it. I'm not sure if you've seen this, but here it is:

http://acveer.wordpress.com/2011/06/22/prevent-csrf-cross-site-request-forgery-attacks-in-sharepoint-application-pages/

It seems like you are writing server side code, not necessarily JavaScript. Is that what you are doing?


Cheers,
Matthew