
I'm using Spring/AngularJS and, to prevent the JSON vulnerability, I'm trying to prefix all JSON array responses with ")]}',\n" (see reference).

I was able to add the prefix with

    <mvc:annotation-driven>
        <!-- Listing a converter here replaces Spring's default converters; add
             register-defaults="true" to <mvc:message-converters> if the others
             are still needed. -->
        <mvc:message-converters>
            <bean id="mappingJackson2HttpMessageConverter"
                  class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter">
                <!-- "\n" inside an XML attribute is a literal backslash followed by 'n',
                     not a newline. Use the character reference &#10; so the prefix ends
                     with a real newline, which is what AngularJS's prefix-stripping
                     regular expression expects. -->
                <property name="jsonPrefix" value=")]}',&#10;" />
            </bean>
        </mvc:message-converters>
    </mvc:annotation-driven>

But the problem is that it prefixes all JSON responses with ")]}',\n", and I only need to prefix the JSON arrays. Is there a way to set the prefix only for JSON array responses? Thanks.

user203617
  • Why would it matter? The documentation states Angular will strip out the prefix. And no, the prefix is written for all responses. – Bart Aug 11 '14 at 17:49
  • Hit with another issue: AngularJS is not stripping out the prefix. Any thoughts? – user203617 Aug 11 '14 at 18:34
  • How are you handling the request and response in your angular app? – Bart Aug 11 '14 at 20:01
  • I posted a separate question for this: http://stackoverflow.com/questions/25250753/angularjs-http-not-stripping-off-prefix – user203617 Aug 11 '14 at 20:10
  • Possible duplicate of [Spring issues with configuration of JSON Prefix](https://stackoverflow.com/questions/32327638/spring-issues-with-configuration-of-json-prefix) – Chic Jul 21 '17 at 22:40

1 Answer


Instead of having a prefix, which basically makes your response invalid JSON, consider returning an object instead of an array. This will mitigate the attack vector as well.

    {"d": [1,2,3,4]}
Bart
  • This would still be vulnerable because the contents would still be parsed into an array which would be readable by the attacker. http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx/ – Chic Jul 21 '17 at 22:39
  • @Chic. Test it for yourself and override Array with `Array = function () { console.log(arguments); }` and JSON.parse the JSON in my answer – Bart Jul 24 '17 at 09:16
  • My mistake. I believe your answer should be sufficient. Blocked from un-downvote though. – Chic Jul 24 '17 at 14:31
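The following is an added example, not code from the question or the answer above, showing why both defenses discussed on this page work and where the asker's "Angular is not stripping the prefix" symptom can come from. It runs under plain Node.js with no dependencies. JSON hijacking relies on the attacker loading the victim's authenticated endpoint through a `<script src="...">` tag, which only matters if the response body is a valid JavaScript program; a bare array literal is, while a body starting with `)]}',` or a top-level `{"d": ...}` object literal is a syntax error. On the client side the regular expression is the one AngularJS's default `$http` transformResponse uses. The sample bodies are constructed for the example and are not captured server output.

```javascript
'use strict';

// Added example, not code from the question or the answer. Plain Node.js.
// Two questions are asked of each sample response body:
//   1. Can an attacker's <script src="..."> execute it? (Only if it compiles.)
//   2. Can a prefix-aware client still JSON.parse() it?

// The regular expression AngularJS's default $http transformResponse uses to
// strip the anti-hijacking prefix. Note that it requires a real newline after
// the optional comma, not the two characters backslash and 'n'.
const JSON_PROTECTION_PREFIX = /^\)\]\}',?\n/;

// Would a browser be able to run this body as a script? The body is only
// compiled (as a function body, which has the same statement grammar for these
// samples) and is never executed.
function isValidScript(body) {
  try {
    new Function(body);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Client side: remove the prefix if present, then parse what is left.
// Throws SyntaxError if the prefix survived because it was not in the
// expected form.
function parseProtectedJson(body) {
  return JSON.parse(body.replace(JSON_PROTECTION_PREFIX, ''));
}

function clientCanParse(body) {
  try {
    parseProtectedJson(body);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Constructed sample response bodies (not captured from a real server).
const SAMPLES = {
  // Unprotected: a bare array literal is a complete JavaScript program.
  bareArray: '[1,2,3,4]',
  // Prefix followed by a real newline, as the Spring converter should emit it.
  prefixedArray: ")]}',\n[1,2,3,4]",
  // Prefix followed by a literal backslash and 'n', which is what an XML
  // attribute written as value="...\n" produces.
  prefixedWithLiteralBackslashN: ")]}',\\n[1,2,3,4]",
  // The answer's suggestion: wrap the array in an object, no prefix needed.
  wrappedObject: '{"d":[1,2,3,4]}',
};

// Summarise each sample: executable by an attacker's <script> tag, and readable
// by the prefix-aware client.
function evaluateSamples(samples = SAMPLES) {
  const summary = {};
  for (const [name, body] of Object.entries(samples)) {
    summary[name] = {
      executableAsScript: isValidScript(body),
      clientCanParse: clientCanParse(body),
    };
  }
  return summary;
}

console.log(JSON.stringify(evaluateSamples(), null, 2));
```

The output shows the bare array is the only body an attacker's script tag can execute; the prefixed array and the wrapped object both fail to compile while the client still parses them. The `prefixedWithLiteralBackslashN` sample fails on both sides: it is not executable, but the client cannot strip it either, which is the behaviour the asker reported when the prefix was configured with a literal `\n` in XML. One caveat on the `Array = function () {...}` test suggested in the comments: ES5 and later engines evaluate array literals with the intrinsic Array constructor rather than the global `Array` binding, so that override not firing says nothing about whether a body is hijackable; whether the body compiles as a script is the question to ask.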