JSON XSS exploit: don't use text/html
Posted in json, catalyst, xss, security, dojo, ajax Tue, 25 Jul 2006 01:40:00 GMT
Jim Ley reports on the Google JSON XSS exploit with example code and screen shots of stealing information from the AdSense site. The moral of the story: don't use text/html as the MIME type when returning JSON; use application/json, which is now an IETF standard (RFC 4627). Most browsers should handle application/json fine, but Opera may have problems, so you may want to send application/x-javascript to it instead. This matters even if your AJAX code or library (Dojo, for example) doesn't care about the MIME type the server returns, because a browser that loads the URL directly does.
If you are using Catalyst and Catalyst::View::JSON, your JSON response will automatically be set to application/json for all user agents except Opera (which gets application/x-javascript) so you're already safe(r).
On a related note (see Dojo v0.4.3 release notes, etc.) you might want to switch to text/json-comment-filtered. A quick fix in Catalyst is to set the MIME type before your json_rpc dispatch, and then tweak the res->body after that returns… Readers should note I also ended up patching Dojo's IO/RPC objects on the flip side to actually USE the new type, instead of just complaining about it…
It doesn’t get much simpler:
text/json: '{ "msg": "I am an object" }'
text/json-comment-filtered: '/*{ "msg": "I am an object, too" }*/'
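As an added example (not code from the post, Dojo or Catalyst), here is a client-side parser for the two response shapes shown above that also enforces the MIME-type rule from the post, plus a short demonstration of why the comment wrapper defuses script inclusion. The sample responses are constructed.

```javascript
// Constructed sample responses, in the two shapes shown in the comment above.
const SAMPLE_PLAIN = '{ "msg": "I am an object" }';
const SAMPLE_FILTERED = '/*{ "msg": "I am an object, too" }*/';

// MIME types the client is willing to treat as JSON. text/html is deliberately absent.
const ACCEPTED_TYPES = new Set([
  "application/json",          // RFC 4627
  "application/x-javascript",  // the Opera workaround from the post
  "text/json",
  "text/json-comment-filtered",
]);

// Parse a JSON response the way a patched Dojo-style client would: refuse
// unexpected Content-Types and strip the /* */ wrapper from comment-filtered
// responses. Throws on anything it is not prepared to trust.
function parseJsonResponse(contentType, body) {
  // "text/json; charset=utf-8" -> "text/json"
  const mime = String(contentType).split(";")[0].trim().toLowerCase();
  if (!ACCEPTED_TYPES.has(mime)) {
    throw new Error(`refusing to parse JSON served as ${mime}`);
  }
  let text = body.trim();
  if (mime === "text/json-comment-filtered") {
    if (!text.startsWith("/*") || !text.endsWith("*/")) {
      throw new Error("comment-filtered response lacks its /* */ wrapper");
    }
    text = text.slice(2, -2);
  }
  return JSON.parse(text);
}

// Why the wrapper helps: a response pulled in as a script contributes its
// completion value. Indirect eval stands in for the script engine here and is
// applied only to constructed strings.
function completionValueAsScript(body) {
  return (0, eval)(body);
}

// A bare JSON array evaluates to live data; the comment-wrapped form evaluates
// to undefined, so a page including the endpoint as a script gets nothing.
console.log(completionValueAsScript('["item-1", "item-2"]'));
console.log(completionValueAsScript('/*["item-1", "item-2"]*/'));
console.log(parseJsonResponse("text/json-comment-filtered", SAMPLE_FILTERED).msg);
```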
What are the major benefits of using text/json-comment-filtered? Initially it looks like adding extra processing on both the server and client to add and remove the wrapper.
I did some reading but didn’t find much information to go on. In Dojo checkins, I found ‘implement a text/json-comment-filtered mimetype to allow servers to cooperate in avoiding “JavaScript hijacking” attacks’. In Jetty I found ‘please consider using a mimetype of text/json-comment-filtered to avoid potential security issues with JSON endpoints’
How does using text/json-comment-filtered help avoid potential security issues with JSON endpoints and allow servers to cooperate? Are there any other benefits?