Frederik De Keukelaere <[EMAIL PROTECTED]> writes:
> Would you mind sharing the different data formats you came across for
> exchanging data in mashups/Web 2.0? Considering the challenges you
> recently discovered, it might be good to have such an overview to look at
> it from a security point of view.

Oops, sorry for taking so long to respond.  In addition to JSON, I've seen
two other uses of JavaScript as a data transport format.

1) JavaScript arrays
Example: [ "a", "b", "c" ]

Technically speaking, this is a subset of JSON, but in these systems there
is no notion of an object, only an array.  These systems are more vulnerable
than systems using JSON because they're guaranteed to always use array

2) Function calls
Example:  addRecord("a", "b", "c");

This format is even easier to hijack: just define the named function.  This
is the worst of the bunch from a confidentiality standpoint.


Secure Coding mailing list (SC-L)
SC-L is hosted and moderated by KRvW Associates, LLC, as a free, non-commercial service to the software security community.
