
Simon Willison’s Weblog

Security; AJAX; JSON; Satisfaction.

The JSON attack I linked to earlier only works against raw arrays, which technically aren’t valid JSON anyway.


4 comments

  1. They may not be valid JSON, but they are valid JavaScript, which someone might be sending down. And the attack also works against at least some literal objects that include literal arrays; I think the trigger is whether or not the keys are quoted (as in JSON), or not (as is possible in JavaScript). Also, given the nature of the attack, it makes me wonder what other wonders are lurking in various JavaScript implementations ...

    Patrick Mueller - 6th March 2007 15:48

  2. I don't mean to be picky, but in my reading of the spec http://www.ietf.org/rfc/rfc4627.txt raw arrays are valid JSON. I updated Safe JSON http://robubu.com/?p=24 to reflect this.

    Rob

    Rob Yates - 6th March 2007 16:08

  3. The JSON attack I linked to earlier only works against raw arrays, which technically aren't valid JSON anyway.

    Sure they are:

       A JSON text is a serialized object or array.
    
          JSON-text = object / array

    Lenny - 6th March 2007 16:27

  4. I found the same line in RFC4627 that Lenny did, and came to the same conclusion. There is also an example at the end of the spec that shows using an array as the outermost structure.

    The json.org page itself doesn't actually say what can appear at the top level, but its simple train-track presentation seems to imply that you start with an object, which is not the case.

    Ned Batchelder - 6th March 2007 23:12
