I've recommended (and continue to recommend) JSON as an efficient alternative to XML for passing server-side data to client-side web apps. But, as explained in the report linked below, an attacker can use an everyday <script> tag to make a cross-domain request for confidential JSON data, and access that data on execution by overriding native methods on Object or Array.
http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf

The simple fix is to ensure that your JSON responses will not execute when called via <script> tag, either by wrapping the JSON in a block comment or by placing a while(1); command before the data. Your JavaScript code is responsible for removing the comment or while(1); before eval()ing the JSON.

Again, if your web app returns JSON, make sure it cannot be executed by placing a while(1); before the data.

It sounds like the major frameworks are being updated to deal with this (I know Dojo and MochiKit have). If you use a framework to handle your JSON, you should consult recent traffic on their developers' list for the preferred means of neutering the code.

--
Chris Snyder
http://chxo.com/

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
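The two framings the post recommends (a while(1); prefix or a block-comment wrapper) together with the client-side unwrapping step, as an added example that is not from the original post or from any of the frameworks it names; the function names, the PREFIX constant and the sample record are assumed for illustration.

```javascript
// Added example (not from the original post): framing a JSON response so it
// cannot execute as a <script> include, and the matching client-side unwrap.
// Names (frameJson, frameJsonInComment, unframeJson, SAMPLE_RECORD) are assumed.

const PREFIX = "while(1);";

// Server side, variant 1: prepend while(1); so a body loaded through a
// <script> tag from another origin loops forever instead of yielding data.
function frameJson(value) {
  return PREFIX + JSON.stringify(value);
}

// Server side, variant 2: wrap the JSON in a block comment, so a <script>
// load evaluates to nothing at all.
function frameJsonInComment(value) {
  return "/*" + JSON.stringify(value) + "*/";
}

// Client side: accept only bodies carrying one of the expected framings,
// strip it, and parse with JSON.parse rather than eval so no code can run
// even if a native Array/Object method has been overridden on the page.
function unframeJson(body) {
  if (body.startsWith(PREFIX)) {
    return JSON.parse(body.slice(PREFIX.length));
  }
  if (body.startsWith("/*") && body.endsWith("*/")) {
    return JSON.parse(body.slice(2, -2));
  }
  throw new Error("response is not a framed JSON body");
}

// Check used to confirm the framing took effect: a framed body must NOT be
// valid JSON on its own, otherwise a bare include would still yield the data.
function parsesAsPlainJson(body) {
  try {
    JSON.parse(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample record standing in for confidential per-user data.
const SAMPLE_RECORD = { user: "alice", balance: 1250 };
```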
