While working with AJAX web services, most of the time we prefer the return value of a web service method to be in JSON format. If we let a web service method return the value as a JSON object, it exposes some information about the source code through the __type property. This property is also an additional load on the response. Ideally we need to avoid this property.
Have a look at the image below, in which the service is returning a JSON object that has my custom properties along with the __type property.
Here I have used the Burp Suite penetration testing tool to test for loopholes in our software. Through Fiddler I obtained the request/response information and wanted to hide the error message that gets generated from an exception. Usually a stack trace may allow attackers to retrieve an error message containing code-related information, with which an attacker can easily find a loophole to exploit the function. So when an exception arises, the attacker should not be able to learn anything about the source code.
Remember, in order to access the web application we don't need to open the site through a browser. jQuery/JavaScript code runs at the browser level, so we should not rely on client-side script for any serious validation. It should be done in server-side code.
In the above image, my code is sending the __type property value, which is exposing information about my source code. So I need to prevent that property from being exposed.
Solution:
There might be any number of solutions. My solution is, in the web service method itself, to return the value as a plain JSON string. In the client-side code (jQuery) we can convert this string into a JSON object for further manipulation of the data to display on the client side (browser).
Assume I am using a structure to hold the different kinds of data retrieved from the database; never return it as a JSON object, because that adds the __type property. If you are using the Newtonsoft library for JSON serialization then you need to follow these instructions:
- Assume you have created a structure (struct keyword) to hold the values of different data types returned from the database.
- Now you have retrieved the values from the database and added them to a structure object, let's say resItems.
- Now you have to return the JSON-serialized string: return new JavaScriptSerializer().Serialize(resItems);
- The web service method's return type should be the string data type.
using System.Web.Script.Serialization; // JavaScriptSerializer lives in this namespace

public string GetMyData(string param1, string param2)
{
    /* your code to retrieve the values from the database */
    /* the retrieved values will be saved in the resItems struct object */
    // Serializing here ourselves yields a plain JSON string; the framework
    // then wraps that string in "d" without adding a __type property.
    return new JavaScriptSerializer().Serialize(resItems);
}
Now the returned value will be a JSON string. In the jQuery code you need to convert the JSON string into a JSON object for easier manipulation of the data to display in the browser.
Assume that in the success callback of the jQuery AJAX call the returned value is present under object.d. Here object is any variable name, but d is part of the JSON schema of the response.
Now you need to convert the JSON string to a JSON object as follows.
$.ajax({
    /* here the rest of the AJAX options such as url, data, request type, error, etc. */
    success: function (res)
    {
        var items = res.d;               // d holds the JSON string returned by the web method
        items = jQuery.parseJSON(items); // convert the JSON string into a JSON object
    }
});
In the above code, jQuery.parseJSON(JSON_string) converts the JSON string into a JSON object so that we can use the object in the rest of the jQuery code.
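As an added example (not code from the original post), here is the client-side handling of the ASP.NET "d" envelope in both forms the post discusses, plus a small check that a practitioner can run in tests to confirm a response never reveals a __type value. The sample responses and the type name MyApp.ResultItems are constructed for illustration.

```javascript
// Constructed sample: the web method returns the struct directly, so the
// framework wraps it in "d" and adds "__type" (type name is a placeholder).
const OBJECT_RESPONSE = '{"d":{"__type":"MyApp.ResultItems","Id":7,"Name":"alpha"}}';

// Constructed sample: the web method returns new JavaScriptSerializer().Serialize(resItems),
// so "d" now holds a JSON *string* (the payload is encoded twice) and no __type.
const STRING_RESPONSE = '{"d":"{\\"Id\\":7,\\"Name\\":\\"alpha\\"}"}';

// Unwrap res.d whether it is already an object or a JSON string.
// The string branch is the equivalent of the post's jQuery.parseJSON(res.d) step.
function unwrapWebMethodResponse(body) {
  const envelope = JSON.parse(body);
  if (!Object.prototype.hasOwnProperty.call(envelope, 'd')) {
    throw new Error('not an ASP.NET AJAX response envelope');
  }
  const d = envelope.d;
  return typeof d === 'string' ? JSON.parse(d) : d;
}

// Walk the parsed payload and collect every "__type" value found (with its
// path), so a test can assert that a response never exposes server-side type names.
function findTypeLeaks(value, path = 'd', found = []) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => findTypeLeaks(v, `${path}[${i}]`, found));
  } else if (value !== null && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      if (k === '__type') found.push({ path: `${path}.__type`, typeName: v });
      findTypeLeaks(v, `${path}.${k}`, found);
    }
  }
  return found;
}

// True when the unwrapped response contains no __type property anywhere.
function responseIsClean(body) {
  return findTypeLeaks(unwrapWebMethodResponse(body)).length === 0;
}
```

Run findTypeLeaks over captured responses of every web method after the change; any non-empty result points at a method that still returns an object instead of a serialized string.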
Also, if we do want to return a JSON object from the server-side code itself, then the return type of the web service method should not be a public type; in the class which contains the web service method, we need to call a protected default constructor.
Hope this may help someone.
Thanks,
Pradeepa Achar