Comments on: Securing your JSON http://ajaxian.com/archives/securing-your-json Cleaning up the web with Ajax Thu, 17 May 2012 07:43:39 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: SilverTab http://ajaxian.com/archives/securing-your-json/comment-page-1#comment-248189 SilverTab Thu, 15 Mar 2007 00:53:42 +0000 http://ajaxian.com/?p=2209#comment-248189 mmm as the first poster said, I think the key is to being protected against things like CSRF in the first place (with temporary tokens for example)... trying to protect the arrays will not fix the bigger issue...? mmm as the first poster said, I think the key is to being protected against things like CSRF in the first place (with temporary tokens for example)… trying to protect the arrays will not fix the bigger issue…?

]]> By: Luke Arms http://ajaxian.com/archives/securing-your-json/comment-page-1#comment-248187 Luke Arms Wed, 14 Mar 2007 23:58:33 +0000 http://ajaxian.com/?p=2209#comment-248187 As has already been noted, this fixes nothing if the cracker doesn't run it on evil.com. And adding the script to JSON replies turns JSON into JavaScript, which breaks stuff. *sigh* As has already been noted, this fixes nothing if the cracker doesn’t run it on evil.com. And adding the script to JSON replies turns JSON into JavaScript, which breaks stuff. *sigh*

]]> By: Bas http://ajaxian.com/archives/securing-your-json/comment-page-1#comment-248182 Bas Wed, 14 Mar 2007 20:34:56 +0000 http://ajaxian.com/?p=2209#comment-248182 I meant crackers :) I meant crackers :)

]]> By: Bas http://ajaxian.com/archives/securing-your-json/comment-page-1#comment-248181 Bas Wed, 14 Mar 2007 20:32:27 +0000 http://ajaxian.com/?p=2209#comment-248181 The main reason I wrote this article is because I wanted to show that a hack like the one Joe Walker showed us isn’t making JSON more insecure than it already is. I am aware of the fact that hackers can break this fix like a snap. And I totally agree with Joe: I believe that JSON is unsafe for anything but public data unless you are using unpredictable URLs. Like you said, this is an experiment... The main reason I wrote this article is because I wanted to show that a hack like the one Joe Walker showed us isn’t making JSON more insecure than it already is. I am aware of the fact that hackers can break this fix like a snap. And I totally agree with Joe: I believe that JSON is unsafe for anything but public data unless you are using unpredictable URLs. Like you said, this is an experiment…

]]> By: Andy http://ajaxian.com/archives/securing-your-json/comment-page-1#comment-248175 Andy Wed, 14 Mar 2007 18:02:11 +0000 http://ajaxian.com/?p=2209#comment-248175 Anything that uses delayed execution, a la setInterval, to protect against a security hole trades a security hole for a race condition. Anything that uses delayed execution, a la setInterval, to protect against a security hole trades a security hole for a race condition.

]]> By: Andrea Giammarchi http://ajaxian.com/archives/securing-your-json/comment-page-1#comment-248172 Andrea Giammarchi Wed, 14 Mar 2007 16:45:46 +0000 http://ajaxian.com/?p=2209#comment-248172 P.S. Bas, <em>what a post</em> was for Dion Almaer choice, not for your exepriment. You're obviously free to try to increase security with every kind of function but in this case if You say that someone should use a delayed or interval function to apply the hack I can replay that if "He" can use code he can do everything and change every function, your one too. Regards P.S. Bas, what a post was for Dion Almaer choice, not for your exepriment. You’re obviously free to try to increase security with every kind of function but in this case if You say that someone should use a delayed or interval function to apply the hack I can replay that if “He” can use code he can do everything and change every function, your one too.
Regards

]]> By: Andrea Giammarchi http://ajaxian.com/archives/securing-your-json/comment-page-1#comment-248169 Andrea Giammarchi Wed, 14 Mar 2007 16:34:26 +0000 http://ajaxian.com/?p=2209#comment-248169 <blockquote>I’m not saying this is protected json from being read by hackers</blockquote> You're not showing us anything that increase protection and please, call them cracker, not hacker. bye

I’m not saying this is protected json from being read by hackers

You’re not showing us anything that increase protection and please, call them cracker, not hacker. bye

]]> By: Bas http://ajaxian.com/archives/securing-your-json/comment-page-1#comment-248165 Bas Wed, 14 Mar 2007 15:32:08 +0000 http://ajaxian.com/?p=2209#comment-248165 And when one give the applyArrayFix some random name? … what a comment … :/ I'm not saying this is protected json from being read by hackers, but at least it tries to do something. And when one give the applyArrayFix some random name?
… what a comment … :/

I’m not saying this is protected json from being read by hackers, but at least it tries to do something.

]]> By: Andrea Giammarchi http://ajaxian.com/archives/securing-your-json/comment-page-1#comment-248163 Andrea Giammarchi Wed, 14 Mar 2007 14:31:47 +0000 http://ajaxian.com/?p=2209#comment-248163 <blockquote>hacker can use a delayed or interval function to apply the hack, so basically each time you touch an Array object you’ve to apply the fix to be sure it’s safe to send data</blockquote> setInterval(function(){applyArrayFix = applyArrayHack}, 1); ... what a post ... :/

hacker can use a delayed or interval function to apply the hack, so basically each time you touch an Array object you’ve to apply the fix to be sure it’s safe to send data

setInterval(function(){applyArrayFix = applyArrayHack}, 1);
… what a post … :/

]]> By: Nathar Leichoz http://ajaxian.com/archives/securing-your-json/comment-page-1#comment-248158 Nathar Leichoz Wed, 14 Mar 2007 13:16:15 +0000 http://ajaxian.com/?p=2209#comment-248158 Two things wrong with this fix: 1) The stealing trick, which this is supposed to protect against, which involved overriding the Array prototype, is meant to be performed on the hacker's website. The Array protection method suggested above also has to be performed on the hacker's website in order for the protection to work, and so good luck getting the hacker to insert that code in their own website. 2) To get around point 1, one could insert that code by merging it as part of the JSON. But then it becomes an arms race as the hacker could override the browser functions to prevent you from creating an iframe and hence still preserve their malicious Array prototype. Two things wrong with this fix:

1) The stealing trick, which this is supposed to protect against, which involved overriding the Array prototype, is meant to be performed on the hacker’s website. The Array protection method suggested above also has to be performed on the hacker’s website in order for the protection to work, and so good luck getting the hacker to insert that code in their own website.

2) To get around point 1, one could insert that code by merging it as part of the JSON. But then it becomes an arms race as the hacker could override the browser functions to prevent you from creating an iframe and hence still preserve their malicious Array prototype.

]]> By: uriel katz http://ajaxian.com/archives/securing-your-json/comment-page-1#comment-248153 uriel katz Wed, 14 Mar 2007 11:53:28 +0000 http://ajaxian.com/?p=2209#comment-248153 why going around the problem,the problem is that some on run malicious code on your site when he doesn`t should have,you need to protect yourself from that not from the effects of that problem. why going around the problem,the problem is that some on run malicious code on your site when he doesn`t should have,you need to protect yourself from that not from the effects of that problem.

]]>