
I am writing an app right now that uses jQuery and JSONP to get JSON from 3rd party servers. The main idea behind my app is that it is a Front End with only GUI logic and 3rd party servers can be written by anyone to use the Front End.
I have no idea what security issues could arise from this but I definitely see it as a potential issue. What are some steps I can take to make sure that a 3rd party server doesn't completely crash my site that will be running the GUI?

James P. Wright

3 Answers


JSONP means that you execute third-party JavaScript which should return a JavaScript object. The script you load with JSONP can do anything a local script could, thus it is an XSS attack vector in two ways: either if the third party you request the JSONP data from is evil, or if the data is changed with a man-in-the-middle attack.

The second type of attack can be avoided by only doing JSONP over secure connections (or can be disregarded if your own page is sent over an insecure connection, in which case there are easier ways to do a man-in-the-middle attack); the first type is inherent to JSONP and cannot be avoided. You should only use JSONP when you trust the source. Otherwise, you can either set up an AJAX gateway on your own server and request JSON data through that (this will only work if the JSONP service does not require authentication), or use cross-domain AJAX requests (which do not work in older browsers, and require certain permissions from the JSONP server).

Tgr

If the third-parties aren't trustworthy, you have a large problem here. Instead of sending JSONP code, they could send any JavaScript they want, potentially damaging your site or stealing users' information.

JSONP works by just including the remote data on your page with <script> tags. It is designed to avoid the browser's security restrictions, and so should only be used with trustworthy sources.

A client-side only solution to this problem does not exist.

EDIT: Oh, I misread your question. I thought the client was going to be receiving the JSON.

JSONP is just a JSON object wrapped in a JavaScript function call. Normally if you were operating from a server you would just request the unwrapped JSON object itself, but even with the JSONP object it's difficult to hurt yourself unless you are running eval() on it.

Are you using an existing JSON library? If so, you should be fine.

Are you parsing it yourself? If so, avoid eval and you should be fine.

Jeremy

Well, JSON describes an object, not an executable function. What JSONP is doing is rendering that result of a GET request as a function on your client and executing it. This would suggest that the biggest security concern you would consider is what your code is doing with the data.

Matthew Abbott
  • Well, my code is taking the data (provided in a specific format hopefully) and displaying it to the user. When the user interacts I am sending data back to the 3rd party server. My biggest concern is that someone could cause some Javascript to execute that would give them access to functions to do with Users of my site or just execute some Javascript that might cause my site to be overloaded in some way (though I understand this isn't as big of a worry seeing as JS is client side) – James P. Wright Jun 11 '11 at 20:11
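As an added example, not from Matthew Abbott's answer or the original page, the script below shows the point about "what your code is doing with the data" on the display step James describes: the same third-party record rendered by string concatenation (what `.html()` or `innerHTML` would inject) and rendered with escaping and a URL scheme check. The `title` and `url` fields, the sample records and the helper names are constructed for this example.

```javascript
// Constructed records standing in for what a third-party server might return
// for display; the field names are an assumption. The second record carries
// markup and a javascript: URL instead of plain text.
const SAMPLE_ITEMS = [
  { title: 'Plain title', url: 'https://example.org/a' },
  { title: '<img src=x onerror="alert(1)">', url: 'javascript:alert(document.cookie)' },
];

// Vulnerable: builds markup by concatenation, so the third-party title and URL
// become HTML and an attribute on your page. Feeding this to jQuery's .html()
// or to innerHTML runs the third party's markup in your users' browsers.
function renderItemUnsafe(item) {
  return '<li><a href="' + item.url + '">' + item.title + '</a></li>';
}

// Hardened: every third-party string is HTML-escaped before it touches markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Only http(s) links are accepted as hrefs; javascript:, data: and unparseable
// values fall back to a harmless placeholder.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (e) {
    // not an absolute, parseable URL
  }
  return '#';
}

function renderItemSafe(item) {
  return '<li><a href="' + escapeHtml(safeHref(item.url)) + '">' +
    escapeHtml(item.title) + '</a></li>';
}

// Usage: compare the two renderings of the hostile record.
console.log('unsafe:', renderItemUnsafe(SAMPLE_ITEMS[1]));
console.log('safe:  ', renderItemSafe(SAMPLE_ITEMS[1]));
```

With jQuery the equivalent of `renderItemSafe` is to create the element and set its text and attribute separately (`$('<a>').attr('href', safeHref(item.url)).text(item.title)`) rather than passing a concatenated string to `.html()`.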