having fun with code

Interesting JSON vulnerability (old stuff)

Somebody at work passed this article about an interesting vulnerability in web APIs that use JSON.

The exploit combines Cross Site Request Forgery (CSRF) with a JSON Array hack allowing an evil site to grab sensitive user data from an unsuspecting user. The hack involves redefining the Array constructor, which is totally legal in JavaScript.

http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx

I found a while ago that you can put pretty much any URL on a script tag and the browser will download the content right away, whether it’s JavaScript or not, as long as the type attribute in the tag is set to ‘text/javascript’. But although browsers download the URL content and place it inside the script tag, you can’t get to the content from JavaScript (using innerHTML, for instance). Or can you? Apparently, Firebug can, at least on the HTML tab. I’m not sure if Firebug has direct access to the DOM, other than through JavaScript, but I hope that is the case.
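The issue described above depends on the JSON response being a bare top-level array, which is also a valid script. As an added example (not from the original post or the linked article), this Node.js sketch flags responses that parse as script and wraps values in an object envelope so they do not. The function names, the `data` key and the sample responses are assumptions constructed for illustration.

```javascript
// Added example, not from the original post. All names here are hypothetical.

// True if `body` compiles as JavaScript statements, which is what a <script src>
// pointing at the response would attempt. new Function() compiles only; nothing runs.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Return the paths whose body is both valid JSON and valid script.
function auditResponses(samples) {
  return samples
    .filter(({ body }) => {
      try { JSON.parse(body); } catch (e) { return false; } // not JSON, out of scope
      return parsesAsScript(body);
    })
    .map(({ path }) => path);
}

// Serialize inside an object envelope so the body is never a bare array or primitive.
function toEnvelope(value) {
  const body = JSON.stringify({ data: value });
  // JSON.stringify({ data: undefined }) yields "{}", which is a valid empty block.
  if (parsesAsScript(body)) throw new Error("envelope is still valid script");
  return body;
}

// Client side: undo the envelope.
function fromEnvelope(body) {
  return JSON.parse(body).data;
}

// Constructed sample responses for a hypothetical API.
const SAMPLES = [
  { path: "/api/contacts", body: '[{"name":"alice","email":"alice@example.test"}]' },
  { path: "/api/profile", body: '{"name":"alice","email":"alice@example.test"}' },
  { path: "/api/contacts-v2", body: toEnvelope([{ name: "alice" }]) },
];

console.log(auditResponses(SAMPLES));
```

Only the bare array is flagged: a top-level object literal fails to compile as a script because the opening brace is read as a block, so the first `"key":` is a syntax error.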


About the blog

This is a blog about development, focused mainly on Javascript but also other languages like python, shell scripts and more.

About the author

Eneko Alonso is a software engineer and UI developer with more than eight years of experience in software and web development. He lives in San Luis Obispo, California and works at LEVEL Studios.
