JSON响应可被重写数组构造函数或恶意值未被JavaScript字符串转义利用.
Let's assume both of those vectors are addressed in the normal way. Google famously traps JSON response direct sourcing by prefixing all JSON with something like:
throw 1; < don't be evil' >
接下来是联合生网的睡觉.所以邪恶博士不能,使用我们讨论过的here种利用方式.通过在他的网站上放置以下内容来获取您的cookie(假设您已经登录):
<script src="http://yourbank.com/accountStatus.json">
As for string escaping rules, well if we're using double quotes, we need to prefix each with a backslash and each backslash with another backslash etc.
但我的问题是,如果这一切都是你做的呢?
Burp Suite (the automated security tool) detects embedded XSS attempts that are returned unHTML-escaped in a JSON response and it reports it as an XSS vulnerability. I have a report that my application contains vulnerabilities of this kind but I am not convinced. I've tried it and I can't make an exploit work.
所以我认为这是不对的.
有一个特定的 case ,IE MIME类型嗅探,我认为可能会导致一次攻击.毕竟,IE7仍然具有这样一个"特性",即嵌入在图像注释中的脚本标记被执行,而与内容类型标题无关.让我们先把这种明显愚蠢的行为放在一边.
当然,JSON将由原生JavaScript解析器(Firefox中的Window.JSON)或按照旧的默认jQuery行为由eval()解析.在这两种情况下,以下表达式都不会导致执行alert :
{"myJSON": "legit", "someParam": "12345<script>alert(1)</script>"}
我是对的还是错的?