Security; AJAX; JSON; Satisfaction
Well, for a while I've been trying to prove whether or not it is possible to XSS a JSON return that is wrapped in { }.
While it is well known that it is possible to exploit the return of a JavaScript array, I've been trying to establish if it is also possible with generic objects conforming to the JSON standard.
    {
        "glossary": {
            "title": "example glossary",
            "GlossDiv": {
                "title": "S",
                "GlossList": {
                    "GlossEntry": {
                        "ID": "SGML",
                        "SortAs": "SGML",
                        "GlossTerm": "Standard Generalized Markup Language",
                        "Acronym": "SGML",
                        "Abbrev": "ISO 8879:1986",
                        "GlossDef": {
                            "para": "A meta-markup language, used to create markup languages such as DocBook.",
                            "GlossSeeAlso": ["GML", "XML"]
                        },
                        "GlossSee": "markup"
                    }
                }
            }
        }
    }
This is the example JSON provided by json.org. If you wrap this directly in <script> tags, browsers will throw an error.
I have tried to overwrite the object constructor in all the major browsers. None of Yahoo's A-grade browsers will call the constructor for these object returns, because of the exception thrown on the object.
I have come to the conclusion that browsers parse { } as a script block rather than as an object, and will not parse an actual object without a label. Tim and I were talking about this and agreed that the parser allows [] without a label so that anonymous arrays can be constructed, which is what makes multi-dimensional arrays possible. Good thinking, Batman Tim!
What does all this mean? In effect, a JSON return wrapped in { } as in the example cannot be used for XSS. A simple array return is still as vulnerable as ever.
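The parser behaviour described above, as an added example that is not part of the original post: Node's Function constructor stands in for a browser <script> tag, since both compile the text as a script body (a statement list) rather than as an expression. The sample responses and the wrapper key "d" are constructed for this example.

```javascript
// Compile a response body the way a <script src="..."> inclusion would, without running it.
// Returns true if the browser parser would accept it, false if it throws a SyntaxError.
function parsesAsScript(body) {
  try {
    new Function(body); // compile only; nothing is executed
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample responses (not from a real service).
const objectResponse = JSON.stringify({ glossary: { title: "example glossary" } });
const arrayResponse = JSON.stringify([
  { ID: "SGML", GlossTerm: "Standard Generalized Markup Language" }
]);

// The mitigation the post's conclusion implies: never return a bare array,
// wrap it in an object so the response starts with "{". The key "d" is arbitrary.
function wrapArrayResponse(arr) {
  return JSON.stringify({ d: arr });
}

// Classify a JSON body as the post does: can a cross-site script inclusion
// even get past the parser?
function classify(body) {
  return parsesAsScript(body)
    ? "parses as script (array-style return, exploitable as the post describes)"
    : "syntax error (object-style return, not loadable as a script)";
}

// Run the comparison and return the results so they can be inspected or asserted on.
function demo() {
  return {
    // false: "{" opens a block, and "glossary": is a string, not a legal label
    object: parsesAsScript(objectResponse),
    // true: an array literal is a valid expression statement on its own
    array: parsesAsScript(arrayResponse),
    // false: the same array, now inside an object, hits the same block-parse error
    wrapped: parsesAsScript(wrapArrayResponse(JSON.parse(arrayResponse))),
    // true: an empty block is legal, but it carries no data to steal
    emptyObject: parsesAsScript("{}"),
    summary: { object: classify(objectResponse), array: classify(arrayResponse) }
  };
}
```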