I'm getting the following error returned intermittently from several of my controllers:

"This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request. To allow GET requests, set JsonRequestBehavior to AllowGet."

But in the return statement I do set JsonRequestBehavior to AllowGet:

return Json(new {Success = true, Plan = populatedPlan}, JsonRequestBehavior.AllowGet);

I found the following article which describes a vulnerability when returning JSON with GET Requests.

https://haacked.com/archive/2009/06/25/json-hijacking.aspx/

I checked my code and some of the controllers were returning just a single JS array, so I fixed those to return an object with the array assigned to a property on that object. However, not all my controllers are doing this, like the one in my code snippet - that returns a JS object - but the response is still occasionally blocked.

How can I stop this error from happening?

[Edit] This is happening about 1 in every 200 requests. I'm just confused as to why it's happening when I'm already doing what the error message is explicitly telling me to do.

GooseZA
  • Possible duplicate of: https://stackoverflow.com/questions/8464677/why-is-jsonrequestbehavior-needed – Lennart May 07 '19 at 09:48
  • Did you try to rebuild your project? – Hien Nguyen May 07 '19 at 09:54
  • @HienNguyen The project compiles fine. – GooseZA May 07 '19 at 11:38
  • Can you post your controller and the script that calls it in the question? – Hien Nguyen May 07 '19 at 11:39
  • @Lennart - The issue is the same, yes, but the error message specifically tells me to specify AllowGet which I have done, and it still throws the error intermittently. If it blocked it every time it would be less of an issue but it's only happening every now and then. – GooseZA May 07 '19 at 11:43
  • Possible duplicate of [Why is JsonRequestBehavior needed?](https://stackoverflow.com/questions/8464677/why-is-jsonrequestbehavior-needed) – Michael Fayad Nov 01 '19 at 21:46

1 Answer

Make sure you don't have another JSON return without JsonRequestBehavior.AllowGet before reaching return Json(new {Success = true, Plan = populatedPlan}, JsonRequestBehavior.AllowGet);.

Stephen Kennedy
Orestes G.
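The situation the answer describes, as an added example that is not code from the question or the answer: an action where the common path passes `JsonRequestBehavior.AllowGet` but a rarely taken path uses the one-argument `Json` overload, which defaults to `DenyGet`, shown beside a version that routes every exit through one helper. `Plan`, `IPlanStore`, `PlanController`, the action names and `GetJson` are hypothetical names assumed for illustration.

```csharp
using System.Web.Mvc;

// Hypothetical types for illustration; none of these names come from the question.
public class Plan { public int Id { get; set; } public string Name { get; set; } }
public interface IPlanStore { Plan Find(int id); }

public class PlanController : Controller
{
    private readonly IPlanStore _store;
    public PlanController(IPlanStore store) { _store = store; }

    // Before: the usual path sets AllowGet, but the rare "not found" path uses
    // the one-argument overload. That overload defaults to
    // JsonRequestBehavior.DenyGet, so the result throws the "request has been
    // blocked" InvalidOperationException when it is executed for a GET request.
    [HttpGet]
    public JsonResult GetPlanBefore(int id)
    {
        Plan populatedPlan = _store.Find(id);
        if (populatedPlan == null)
        {
            return Json(new { Success = false });   // blocked on GET
        }
        return Json(new { Success = true, Plan = populatedPlan }, JsonRequestBehavior.AllowGet);
    }

    // After: every exit goes through one helper, so no branch can omit the behavior.
    [HttpGet]
    public JsonResult GetPlanAfter(int id)
    {
        Plan populatedPlan = _store.Find(id);
        if (populatedPlan == null)
        {
            return GetJson(new { Success = false });
        }
        return GetJson(new { Success = true, Plan = populatedPlan });
    }

    // Single place where GET is allowed. Callers pass an object with named
    // properties, never a bare top-level array (the case the linked
    // JSON hijacking article covers).
    private JsonResult GetJson(object payload)
    {
        return Json(payload, JsonRequestBehavior.AllowGet);
    }
}
```

Searching the controllers for `Json(` calls that have only one argument is a quick way to find branches like the one in `GetPlanBefore`.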