While researching the issue of JSON vs XML, I came across this question. Now one of the reasons to prefer JSON was listed as the ease of conversion in Javascript, namely with the eval(). Now this immediately struck me as potentially problematic from a security perspective.
So I started doing some research into the security aspects of JSON and across this blog post about how JSON is not as safe as people think it is. This part stuck out:
Update: If you are doing JSON 100% properly, then you will only have objects at the top level. Arrays, Strings, Numbers, etc will all be wrapped. A JSON object will then fail to eval() because the JavaScript interpreter will think it's looking at a block rather than an object. This goes a long way to protecting against these attacks, however it's still best to protect your secure data with un-predictable URLs.
Ok, so that's a good rule to start with: JSON objects at the top level should always be objects and never arrays, numbers or strings. Sounds like a good rule to me.
当涉及到与JSON和Ajax相关的安全性时,是否还有其他需要做或要避免的事情?
上面引用的最后一部分提到了不可预测的URL.有人有更多关于这方面的信息吗,尤其是你是如何用PHP实现的?我在Java方面的经验比PHP丰富得多,在Java中很容易(因为你可以将一系列URL映射到一个servlet),而我所做的所有PHP都将一个URL映射到PHP脚本.
Also, how exactly do you use unpredictable URLs to increase security?