What does {"d": ""} mean in an asp.net webservice response

I created a simple C# ASP.NET web service function that returns a string message,
and I call it from the page using jQuery AJAX.

C#:

    [WebMethod]
    [ScriptMethod(ResponseFormat = ResponseFormat.Json)]
    public string HelloWorld()
    {
        return DateTime.Now.ToString();
    }


JS:

    $(document).ready(function() {
        //alert("ready");
        $.ajax({
            type: "POST",
            contentType: "application/json; charset=utf-8",
            url: "WebService2.asmx/HelloWorld",
            data: "{}",
            dataType: "json",
            success: function(msg) {
                //alert(msg); //doesn't work
                alert(msg.d);
            }
        });
    });

My question is: why does alert(msg); not work?

+6
2 answers

This is a security hardening mechanism.

Essentially, it helps protect against CSRF attacks when an attacker reads a JavaScript array (downloaded as Json) from the victim's website. They can do this by overriding the JavaScript Array type. d causes the returned Json not to be an array, and thus turns the array into uselessness for an attacker.

See this wonderful blog post: http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx

+9

ASP.NET and WCF JSON service endpoints actually migrate their JSON to an object with the "d" property to bypass the subtle potential security error when using JSON.

Phil Haack's post on this: http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx

This was introduced in ASP.NET 3.5. If you want msg to work in both environments, before and after 3.5, just try this little hack.

 var data = msg.hasOwnProperty("d") ? msg.d : msg; 

Courtesy of Dave Ward: Never worry about ASP.NET AJAX's .d again

+6
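
The response shapes both answers describe, as an added example (not code from the question, the answers, or ASP.NET itself): it reports whether a JSON body is a top-level array, whether the same text would also compile as a script, and unwraps d without throwing on null. The function names and sample bodies are constructed for illustration.

```javascript
// Added example; the sample bodies at the bottom are constructed.

// True if the raw response text compiles as JavaScript, i.e. a browser
// including this URL as a script would not stop at a syntax error.
// new Function() only compiles the text; the result is never called.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// True for a non-array object that has its own "d" property.
function isWrapped(value) {
  return value !== null && typeof value === "object" &&
    !Array.isArray(value) &&
    Object.prototype.hasOwnProperty.call(value, "d");
}

// Report the top-level shape of a JSON response body.
function auditJsonBody(body) {
  const value = JSON.parse(body); // throws on invalid JSON
  return {
    topLevelArray: Array.isArray(value),
    wrappedInD: isWrapped(value),
    parsesAsScript: parsesAsScript(body),
  };
}

// Same idea as the one-line hack in the answer above, but safe when the
// parsed response is null or a primitive (pre-3.5 style bare values).
function unwrapD(msg) {
  return isWrapped(msg) ? msg.d : msg;
}

// Constructed samples: a bare array and the same data in the "d" wrapper.
console.log(auditJsonBody('["alice","bob"]'));
console.log(auditJsonBody('{"d":["alice","bob"]}'));
console.log(unwrapD(JSON.parse('{"d":"3/1/2024 10:00:00 AM"}')));
```

A bare array is a valid script on its own, while the wrapped form fails to compile because a top-level { starts a block rather than an object literal.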

Source: https://habr.com/ru/post/896106/

