What are the JSON security concerns in web development?
6th January 2011
My answer to What are the JSON security concerns in web development? on Quora
Be very careful when implementing JSON-P for authenticated actions—evil third party sites could assemble URLs to your user’s private data and steal it. This attack has worked against Gmail in the past.
A few years ago there was a security issue where Mozilla browsers could be tricked in to leaking JSON arrays even if they weren’t wrapped in JSON-P—this has since been fixed, but it’s still a good idea to wrap your private JSON response in a JS comment and have your Ajax calling code remove those comments before eval()ing the JSON. This prevents external sites from taking advantage of newly discovered JSON execution vulnerabilities like the old Mozilla one.
If you are consuming JSON-P from another site, be VERY sure you can trust that site in the future, since you’re opening yourself up to a nasty XSS attack if they go rogue. Ideally you should be monitoring them to check if they suddenly turn evil one day (or their domain name gets hijacked).
Basically, make sure you have a deep understanding of the same-origin policy, JSON-P and XSS and you should be fine.
More recent articles
- Weeknotes: Llama 3, AI for Data Journalism, llm-evals and datasette-secrets - 23rd April 2024
- Options for accessing Llama 3 from the terminal using LLM - 22nd April 2024
- AI for Data Journalism: demonstrating what we can do with this stuff right now - 17th April 2024
- Three major LLM releases in 24 hours (plus weeknotes) - 10th April 2024
- Building files-to-prompt entirely using Claude 3 Opus - 8th April 2024
- Running OCR against PDFs and images directly in your browser - 30th March 2024
- llm cmd undo last git commit - a new plugin for LLM - 26th March 2024
- Building and testing C extensions for SQLite with ChatGPT Code Interpreter - 23rd March 2024
- Claude and ChatGPT for ad-hoc sidequests - 22nd March 2024
- Weeknotes: the aftermath of NICAR - 16th March 2024