
JSON hijack injection - best practices for avoidance - & which browsers are vulnerable?

What are the best methods for securing a JSON response?

We do address verification that is a response back from a web service in json format. We would like to secure that response.

There are a few mentions of using a "while(1)" to cause an infinite loop, and I'm curious to know of other tried and true methods.

Based on: http://lab.gsi.dit.upm.es/semanticwiki/index.php/JSON_Hijacking_%28aka_JavaScript_Hijacking%29

http://capec.mitre.org/data/definitions/111.html

UPDATE

Ok, a more specific question may be which browsers are vulnerable to this type of injection?

And is returning JSON over SSL and making sure it's correct syntax (not just an array) enough of a security safeguard?
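The two safeguards the question mentions, a non-JavaScript prefix and never returning a bare array, are shown below as an added example in Node.js; this is not code from the question, the linked articles or any answer. The address payload, the "while(1);" prefix constant and the X-Requested-With check are assumptions chosen for illustration. A cross-site <script src> include can only evaluate the response as JavaScript, so a prefix that is an infinite loop (or, in the object case, a syntax error) keeps the data out of reach, while the legitimate same-origin client strips the prefix before JSON.parse. Requiring a custom request header adds a second, independent check, because a script tag cannot send headers at all and a cross-origin fetch can only send one after a CORS preflight the server would have to approve.

```javascript
// Added example (not from the original question or answers): server-side
// encoding of a JSON response so it is useless to a cross-site <script>
// include, plus the matching client-side parser and a header check.
const PREFIX = "while(1);"; // assumed prefix; any non-parsable JS prefix works

// Server side: serialise a response so that it is never a bare JSON array
// and is not runnable JavaScript until the prefix is removed.
function encodeProtectedJson(payload) {
  // A top-level array is a valid JS expression; wrap it so the document is
  // an object literal, which is a syntax error when evaluated as a script.
  const body = Array.isArray(payload) ? { data: payload } : payload;
  return PREFIX + JSON.stringify(body);
}

// Client side: refuse anything without the prefix, then strip and parse.
function parseProtectedJson(text) {
  if (typeof text !== "string" || !text.startsWith(PREFIX)) {
    throw new Error("missing anti-hijacking prefix; refusing to parse");
  }
  return JSON.parse(text.slice(PREFIX.length));
}

// Server side: a custom header can be set by same-origin XMLHttpRequest or
// fetch, but never by a <script> tag, so its presence can be required.
function isXhrRequest(headers) {
  const v = headers["x-requested-with"];
  return typeof v === "string" && v.toLowerCase() === "xmlhttprequest";
}

// Assumed endpoint shape for the address-verification service. The address
// record is a constructed sample, not real data.
function buildAddressResponse(headers) {
  if (!isXhrRequest(headers)) {
    return { status: 403, body: encodeProtectedJson({ error: "forbidden" }) };
  }
  const addresses = [{ street: "1 Example St", city: "Springfield", valid: true }];
  return { status: 200, body: encodeProtectedJson(addresses) };
}

// Stand-alone demonstration.
const response = buildAddressResponse({ "x-requested-with": "XMLHttpRequest" });
console.log(response.body);                       // raw wire format
console.log(parseProtectedJson(response.body));   // what the client sees
```

The prefix is a defence against cross-site inclusion only; it does nothing for a same-origin XSS, which the first answer's validator library addresses separately, and it still relies on the session cookie not being sent to an attacker-controlled origin, so SameSite cookie attributes and the CSRF token discussed in the second answer remain necessary.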

You can take a look at the code at https://github.com/chriso/node-validator/blob/master/lib/xss.js . I've found it to be pretty thorough in the types of checks it does to prevent xss type attacks.

What I would do to prevent such an attack (if I understood your question right) is the following:

Prevent the cookies from being available to JavaScript. When setting a cookie in PHP you have the option to prevent this:

setcookie('cookie_name', 'value', time() + 1200, '/path', 'www.example.com', true, true);
// name, value, expiry (Unix timestamp; here 20 minutes from now), path, domain, secure, httponly

Where the last true means not accessible by JavaScript.

Besides protecting from your cookie being stolen you should ALWAYS use CSRF protection.

This can be done by generating a random token and only allowing requests made using that random token.
