Is it possible to do 'JSON hijacking' on modern browser?

2018-05-31 22:51:07

This question already has an answer here:

Is JSON Hijacking still an issue in modern browsers? 1 answer

It's not about the legitimate application parsing the json - json hijacking is an information disclosure issue about some malicious party requesting your json data instead of the real application while the user is logged into the application that uses the api usually. Simple authentication does not help - as the browser sends the auth information eg auth-cookie for free :-/.

But with ES5 most current browser won't be affected anymore directly by this issue. Nonetheless in depth defence rules! And my protect against future issues too or regressions etc.

Something like that could in theory be abused if you use eval to decode JSON.

Popular JS libraries which provide JSON decoding functionality will default to JSON.parse when the browser has builtin JSON support, thus any recent browser shouldn't be vulnerable unless your code is incorrectly written.

链接地址: http://www.djcxy.com/p/8374.html

上一篇: 为什么有一个for（;;）; 序言在Facebook的JSON响应？

下一篇: 现代浏览器可以做'JSON劫持'吗？