[ 
https://issues.apache.org/jira/browse/SLING-2206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13098804#comment-13098804
 ] 

Antonio Sanso commented on SLING-2206:
--------------------------------------

Hi Justin,

While this specific attack in [0] (as above) with the JSON array is no longer 
valid (since, as you mentioned, it has been fixed by modern browsers), if the 
JSON response data is enclosed in an array (and Sling does this in some cases, if I 
am not wrong (?? :S ), e.g. query.json) it is usually vulnerable to these types of 
attacks (see [1] for a more "modern attack" based on 
Object.prototype.__defineSetter__). 

[0] http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx
[1] http://www.thespanner.co.uk/2011/05/30/json-hijacking/

> Preventing the Execution of Unauthorized Script in JSON
> -------------------------------------------------------
>
>                 Key: SLING-2206
>                 URL: https://issues.apache.org/jira/browse/SLING-2206
>             Project: Sling
>          Issue Type: New Feature
>          Components: Servlets
>            Reporter: Antonio Sanso
>            Priority: Minor
>
> For an explanation of the security problem please check [0].
> To see how, for example, Gmail solves the problem refer to [1].
> I think it would be good to have this feature configurable (on by 
> default). I would personally opt for adding the while(1); solution (which is 
> the same one Google uses).
> [0] http://labs.adobe.com/technologies/spry/samples/data_region/JSONParserSample.html
> [1] http://msujaws.wordpress.com/2011/02/28/xss-prevention-in-gmail/
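
The while(1); mitigation discussed in the issue and the comment, as an added example that is not part of this JIRA thread and not Sling's own code. It shows the two halves a defender has to ship together: the server prefixes every JSON response so that the body is no longer a bare array literal that a cross-site <script src="..."> inclusion could execute, and the legitimate same-origin XMLHttpRequest/fetch caller strips that prefix before JSON.parse. The function names, the prefix constant and the sample query result are my own assumptions, constructed for the demonstration.

```javascript
// Added example (not Sling's code): server-side anti-JSON-hijacking prefix and
// the matching strip-and-parse on the legitimate client. Names are assumed.

// The prefix makes the response body useless as a script: a cross-site
// <script src="..."> that loads it spins in the loop before any array literal
// is evaluated, so a hostile page never gets at the data. A same-origin
// XMLHttpRequest/fetch caller reads the raw text and strips it before parsing.
const ANTI_HIJACK_PREFIX = "while(1);";

// Server side: turn a JSON-serialisable value into a protected response body.
function protectJsonResponse(value) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(value);
}

// Client side: strip the prefix and parse. Refuse bodies that lack it, so a
// misconfigured (unprotected) endpoint is noticed rather than silently used.
function parseProtectedJson(body) {
  if (typeof body !== "string" || !body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("response is missing the anti-hijacking prefix");
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// True when a raw body is a bare JSON literal that JSON.parse accepts as-is,
// which is exactly the shape the classic array-hijacking attack relies on.
function isBareJsonLiteral(body) {
  try {
    JSON.parse(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample: the array-shaped result a query.json-style endpoint
// might return (field names are made up for the demonstration).
const sampleResult = [
  { path: "/content/private/a", title: "First private item" },
  { path: "/content/private/b", title: "Second private item" },
];

const unprotected = JSON.stringify(sampleResult);
const protectedBody = protectJsonResponse(sampleResult);

console.log(isBareJsonLiteral(unprotected));             // true: bare array
console.log(isBareJsonLiteral(protectedBody));           // false: prefixed
console.log(parseProtectedJson(protectedBody).length);   // 2
```

The prefix only defeats cross-site inclusion via a script tag; it does nothing for endpoints that are reachable without credentials, and it must be applied to every authenticated JSON response (hence the request in the issue to make it configurable and on by default), since one unprefixed array endpoint is enough for the hijack. Google's Gmail variant uses a different prefix string; the client-side strip is the same idea.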
