  • Jonas Rafling thinks this is interesting:

Though the vulnerability itself is somewhat complex (a third-party page can coax a browser into fetching your JSON endpoint with a GET and, in affected browsers, read the result), all you really need to know to avoid it is that you should never return data in a JSON response to a GET request that you would not want shared with the world. Therefore, ASP.NET MVC makes you deliberately opt in to delivering JSON data this way, and only when you are returning publicly accessible (nonsensitive) data, by passing the JsonRequestBehavior.AllowGet option; the default, JsonRequestBehavior.DenyGet, refuses to serve JSON to a GET.

In scenarios where you need to transmit sensitive information via a JSON response, you can protect yourself from this vulnerability by restricting access to your controller method to HTTP
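The opt-in and the POST-only pattern described above, side by side, as an added example written for this page (it is not code from the book or from the ASP.NET MVC project). The AccountController, ProfileViewModel and LoadProfile are hypothetical stand-ins; Controller.Json, JsonRequestBehavior and [HttpPost] are the real MVC 4 APIs.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// Hypothetical view model used for illustration only.
public class ProfileViewModel
{
    public string Email { get; set; }
    public string PhoneNumber { get; set; }
}

public class AccountController : Controller
{
    // Hypothetical lookup standing in for a real data store.
    private ProfileViewModel LoadProfile(string userName)
    {
        return new ProfileViewModel
        {
            Email = userName + "@example.com",
            PhoneNumber = "555-0100"
        };
    }

    // VULNERABLE: sensitive data served to a plain GET. AllowGet is the
    // explicit opt-in that switches off the framework's protection, so a
    // third-party page that can make the browser issue this GET may be
    // able to read the response.
    public JsonResult ProfileInsecure()
    {
        var profile = LoadProfile(User.Identity.Name);
        return Json(profile, JsonRequestBehavior.AllowGet);
    }

    // ACCEPTABLE: AllowGet for data that is genuinely public. Nothing
    // here is secret, so exposing it to a GET costs nothing.
    public JsonResult PublicAnnouncements()
    {
        var announcements = new List<string>
        {
            "Maintenance window Saturday 02:00 UTC"
        };
        return Json(announcements, JsonRequestBehavior.AllowGet);
    }

    // HARDENED: sensitive data only over POST. Json(data) defaults to
    // JsonRequestBehavior.DenyGet, so even without the attribute a GET
    // to this action would throw InvalidOperationException rather than
    // leak the data; [HttpPost] additionally removes the action from
    // GET routing entirely, so a GET is answered with 404.
    [HttpPost]
    public JsonResult Profile()
    {
        var profile = LoadProfile(User.Identity.Name);
        return Json(profile);
    }
}
```

The client side then has to fetch the profile with a POST (for example jQuery's $.post) rather than a GET; if a script in your own pages still tries a GET you will see the DenyGet exception or a 404 in development rather than silently leaking data in production.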


Programming ASP.NET MVC 4


Remember to restrict JSON access with [HttpPost] if it is sensitive.