This request has been blocked because sensitive information could be disclosed...ASP.NET JSON Return error?


Hi, I am trying to load data in ASP.NET MVC using JsonResult as the return type to load rows in a jQuery DataTable with server-side processing, but I am getting this error:

This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request. To allow GET requests, set JsonRequestBehavior to AllowGet.]

So why am I getting this issue, and how can I resolve it?

Here is my partial C# code

public JsonResult ShowCompaniesDataTable()
{
    using (var context = new ModelEntities())
    {
        // some code here
        return Json(new { sEcho = sEcho, iTotalRecords = list.Count, iTotalDisplayRecords = list.Count, aaData = list2 });
    }
}

Asked by:- manish
0
: 77 At:- 10/9/2017 1:54:22 PM
asp.net-mvc JSON JsonResult http-get






2 Answers
Answered by:- vikas_jk

Your question has its own answer, take a look at the line "To allow GET requests, set JsonRequestBehavior to AllowGet."

So you need to have code which allows GET requests:

public JsonResult ShowCompaniesDataTable()
{
    using (var context = new ModelEntities())
    {
        // some code here
        return Json(new { sEcho = sEcho, iTotalRecords = list.Count, iTotalDisplayRecords = list.Count, aaData = list2 }, JsonRequestBehavior.AllowGet);
    }
}

Now, why does ASP.NET show this error? Because your above method must be POST; by default, the ASP.NET MVC framework does not allow you to respond to an HTTP GET request with a JSON payload.

If you need to send JSON in response to a GET, you'll need to explicitly allow the behavior by using JsonRequestBehavior.AllowGet as the second parameter to the JSON method. However, there is a chance a malicious user can gain access to the JSON payload through a process known as JSON Hijacking. You do not want to return sensitive information using JSON in a GET request.

You can read about JSON hijacking here

2
At:- 10/10/2017 8:21:26 AM
Thank you, got it 0
By : manish - at :- 10/17/2017 3:10:46 PM


Answered by:- jaiprakash

In MVC they block Json for GET requests (as you can tell from the error) for security reasons. If you want to override that behavior, check out the overload for Json that accepts a JsonRequestBehavior parameter.

public JsonResult ShowCompaniesDataTable()
{
    using (var context = new ModelEntities())
    {
        // some code here
        return Json(new { sEcho = sEcho, iTotalRecords = list.Count, iTotalDisplayRecords = list.Count, aaData = list2 }, JsonRequestBehavior.AllowGet);
    }
}

Long story short, if your JSON payload:

  • Contains sensitive non-public data
  • Returns an Array
  • Responds to a GET request

Then the data is vulnerable to JSON hijacking. Typically, it's not *your* data but the data of the users of your website.

1
At:- 10/11/2017 3:42:12 PM
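
The alternative to AllowGet that both answers point at, keeping the action POST-only so the default GET block stays in force, shown as an added example (not code from the question or either answer). The `Company` entity, the `Companies` set, the column names and the page-size limit are assumptions; the grid is assumed to be a legacy DataTables instance configured with `sServerMethod: "POST"`.

```csharp
using System;
using System.Data.Entity;
using System.Linq;
using System.Web.Mvc;

// Hypothetical stand-ins for the asker's EF model (not shown on the page).
public class Company { public int Id { get; set; } public string Name { get; set; } }
public class ModelEntities : DbContext { public DbSet<Company> Companies { get; set; } }

public class CompaniesController : Controller
{
    // POST-only: the action is never served in response to a GET,
    // which is the request type the framework's default block guards against.
    [HttpPost]
    public JsonResult ShowCompaniesDataTable(int sEcho, int iDisplayStart = 0, int iDisplayLength = 10)
    {
        // Clamp paging input so one request cannot pull the whole table.
        int pageSize = iDisplayLength < 1 ? 10 : Math.Min(iDisplayLength, 100);
        int skip = Math.Max(iDisplayStart, 0);

        using (var context = new ModelEntities())
        {
            var query = context.Companies.OrderBy(c => c.Id);
            int total = query.Count();

            // Project to the columns the grid displays instead of
            // serializing whole entities.
            var rows = query.Skip(skip).Take(pageSize)
                            .Select(c => new { c.Id, c.Name })
                            .ToList();

            // No JsonRequestBehavior argument: the default (DenyGet) applies.
            // The payload is a top-level object, not a bare array, and sEcho
            // is bound as an int so it is echoed back as a number only.
            return Json(new
            {
                sEcho = sEcho,
                iTotalRecords = total,
                iTotalDisplayRecords = total,
                aaData = rows
            });
        }
    }
}
```

With this in place a GET to the action returns 404 from the `[HttpPost]` selector, and the error from the question no longer appears because the grid requests its rows with POST.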




