Recently I read some articles about 'JSON hijacking', and one of them is here.
So, I tried to do the below on my browsers, Chrome 17(dev), Firefox 8, and IE8.
But I couldn't do anything with (literal) JSON data.
Is the 'JSON hijacking' problem all solved on modern browsers? Or how can I reproduce it?
JSON Hijacking is a kind of network security attack. In this attack, an attacker targets a system that has access to cross-domain-sensitive JSON data. This attack is similar to Cross-Site Request Forgery, with some differences.
JavaScript hijacking allows an attacker to bypass the Same Origin Policy in the case that a web application uses JavaScript to communicate confidential information. The loophole in the Same Origin Policy is that it allows JavaScript from any website to be included and executed in the context of any other website.
It's not about the legitimate application parsing the JSON - JSON hijacking is an information disclosure issue about some malicious party requesting your JSON data instead of the real application while the user is logged into the application that uses the API usually. Simple authentication does not help - as the browser sends the auth information, e.g. the auth cookie, for free :-/.
But with ES5 most current browsers won't be affected anymore directly by this issue. Nonetheless, defense in depth rules! And it may protect against future issues or regressions too.
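The following is an added example, not part of the question or of any answer above. It sketches the server-side defense in depth mentioned in the last answer. The function names, the `X-Requested-With` check, the `)]}',` guard prefix and the sample requests are all assumptions chosen for illustration.

```javascript
// Added example: hypothetical names, constructed sample requests.
const GUARD_PREFIX = ")]}',\n"; // not valid JavaScript, so a <script src> include fails to parse

// Build the response for a JSON API endpoint that returns user-specific data.
// `req.headers` is a plain object with lower-cased header names (assumption).
function buildJsonResponse(req, payload) {
  // A <script> include cannot add custom request headers; the app's own XHR/fetch can.
  if (req.headers["x-requested-with"] !== "XMLHttpRequest") {
    return { status: 403, headers: {}, body: "" };
  }
  // Never emit a bare top-level array: wrap it in an object.
  const wrapped = Array.isArray(payload) ? { data: payload } : payload;
  return {
    status: 200,
    headers: {
      "content-type": "application/json; charset=utf-8",
      "x-content-type-options": "nosniff", // browser must not treat JSON as script
      "cache-control": "no-store",
    },
    body: GUARD_PREFIX + JSON.stringify(wrapped),
  };
}

// Client side of the legitimate application: strip the guard, then parse.
function parseGuardedJson(text) {
  if (!text.startsWith(GUARD_PREFIX)) throw new Error("missing guard prefix");
  return JSON.parse(text.slice(GUARD_PREFIX.length));
}

// True if `body` is syntactically valid as a script, which a cross-site
// <script src> include requires. new Function only parses here; it is never called.
function parsesAsScript(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}

// Constructed sample data and requests.
const contacts = [{ id: 1, email: "alice@example.test" }];
const scriptInclude = { headers: { cookie: "session=constructed" } };
const appRequest = {
  headers: { cookie: "session=constructed", "x-requested-with": "XMLHttpRequest" },
};

console.log(buildJsonResponse(scriptInclude, contacts).status); // cookie alone is not enough
console.log(parsesAsScript(JSON.stringify(contacts)));          // bare array is a valid script
console.log(parsesAsScript(buildJsonResponse(appRequest, contacts).body));
```
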