OWASP recommends wrapping a JSON response in an object rather than returning a direct array, for example:

[{"id":5}]

Is this really still an issue? Can this be hacked?
Trying it with Chrome, IE and FF I couldn't 'hack' this or exploit this.

Sample code:

<html>
    <head>
        <script type="text/javascript"> 
        // Alert whenever a value is assigned to window.id
        Object.defineProperty(window,'id',{set: function(obj) {alert(obj);}});
        </script> 
    </head>
    <body> 
        <script defer="defer" src="http://example.com/Home/AdminBalances"></script> 
    </body> 
</html>

No matter how I call this, I could not get the code inside defineProperty called, unless I directly set an id object on the window itself.

If this is still possible, can you please provide sample code?

Mr. Polywhirl
Tal
  • 1
    You need a vulnerable browser (such as Firefox 3.0.11.) When that *matters* is a matter of opinion. http://haacked.com/archive/2009/06/25/json-hijacking.aspx/ – Quentin Mar 23 '15 at 13:13
  • Thanks, so I see in old browsers (very old...) it may be an issue, but is it in browsers from the last 2 years? – Tal Mar 23 '15 at 13:29
  • Need any more help with this? If so I'll update my answer. – SilverlightFox May 09 '15 at 10:39
  • Thanks, I only wonder if this is an issue with browsers from the last 2 years or if it is solved. – Tal May 11 '15 at 13:35

1 Answer

To achieve this you should be looking at very old browsers. For example, Firefox 3.

Modern browsers do not seem to be vulnerable to this attack. See here for some methods of defence - whether they are worthwhile is a matter of opinion. At the moment, no they are not worthwhile. However, if a new, vulnerable browser becomes popular then great - your defense could have saved a user and their data from being stolen - but just because there was a vulnerability in the past, doesn't mean it will be again in the future. There is just as likely to be a different, unknown vulnerability existing in future.

Most modern browsers update automatically, so if there was a flaw this would usually be patched pretty quickly. It does take little effort to defend against, so in the end it is up to the developer to decide whether the cost covers the potential risk exposure.

SilverlightFox
  • Thanks for the details, this is exactly the question - is it worth the effort to defend against a non-existing vulnerability? – Tal Mar 24 '15 at 10:01
  • 2
    @Tal: Probably not if you are not expecting users to be using old browsers on your system. However, on a system that requires a high level of security (e.g. a banking website), it may be beneficial as the cost of exposure is very high and the cost of implementing this control is very low. – SilverlightFox Mar 24 '15 at 10:05
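
The wrapping advice quoted in the question, as an added example that is not part of the original question or answer: a top-level JSON array is valid JavaScript source, while a JSON object with at least one key fails to compile when a browser loads it through a script include. The function names and the `data` wrapper key are hypothetical, and `new Function` is used here only to compile the text as a stand-in for how a script include would parse it.

```javascript
// Added example. parsesAsScript, serializeResponse and the "data" key are
// hypothetical names, not from the original page or any library.

// True if `body` compiles as JavaScript source, meaning a <script src>
// include would parse it rather than stop with a SyntaxError.
// new Function() only compiles the text; the function is never called.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Serialize a payload so that arrays and primitives are wrapped in an object.
// JSON.stringify always quotes keys, so `{"key":...}` in statement position
// is read as a block followed by an unexpected ":" and does not compile.
function serializeResponse(payload, key = "data") {
  const isPlainObject =
    payload !== null && typeof payload === "object" && !Array.isArray(payload);
  const body = JSON.stringify(isPlainObject ? payload : { [key]: payload });
  // Edge case: "{}" compiles as an empty block, but it carries no data.
  if (body !== "{}" && parsesAsScript(body)) {
    throw new Error("response body is still valid script source");
  }
  return body;
}

// Constructed sample input: the array from the question.
const sample = [{ id: 5 }];
console.log(JSON.stringify(sample), "->", parsesAsScript(JSON.stringify(sample)));
console.log(serializeResponse(sample), "->", parsesAsScript(serializeResponse(sample)));
```

The final check in `serializeResponse` also catches payloads whose `toJSON` method returns an array, since those would serialize to a bare array despite being objects.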