JSON XSS exploit: don't use text/html

Posted in json, catalyst, xss, security, dojo, ajax Tue, 25 Jul 2006 01:40:00 GMT

Jim Ley reports on the Google JSON XSS exploit with example code and screen shots of stealing information from the AdSense site. The moral of the story is don't use text/html for the MIME type when returning JSON, use application/json which is an IETF standard (RFC 4627) now. Most browsers should handle application/json fine, however Opera may have problems and you may want to use application/x-javascript for that. Something to remember even if your AJAX code/library doesn't care about the MIME type returned by the server, e.g. Dojo.

If you are using Catalyst and Catalyst::View::JSON, your JSON response will automatically be set to application/json for all user agents except Opera (which gets application/x-javascript) so you're already safe(r).

del.icio.us:JSON XSS exploit: don't use text/html

digg:JSON XSS exploit: don't use text/html

reddit:JSON XSS exploit: don't use text/html

spurl:JSON XSS exploit: don't use text/html

wists:JSON XSS exploit: don't use text/html

simpy:JSON XSS exploit: don't use text/html

newsvine:JSON XSS exploit: don't use text/html

blinklist:JSON XSS exploit: don't use text/html

furl:JSON XSS exploit: don't use text/html

fark:JSON XSS exploit: don't use text/html

blogmarks:JSON XSS exploit: don't use text/html

Y!:JSON XSS exploit: don't use text/html

smarking:JSON XSS exploit: don't use text/html

magnolia:JSON XSS exploit: don't use text/html

segnalo:JSON XSS exploit: don't use text/html

2 comments

Comments

Leave a response

nuke edit
bangFreeze said 11 months later:

On a related note (see Dojo v0.4.3 release notes, etc) you might want to switch to text/json-comment-filtered. A quick fix in catalyst is to set the MIME type before your json_rpc dispatch, and then tweak the res->body after that returns… Readers should note I also ended up patching Dojo’s IO/RPC objects on the flip side to actually USE the new type, instead of just complaining about it…

It doesn’t get much simpler:

text/json: ‘{ msg: “I am an object” }’

text/json-comment-filtered: ’/[ASTERISK]{ msg: “I am an object, too” }[ASTERISK]/’

([ASTERISK] is the character)
nuke edit
John Wang said 11 months later:

What are the major benefits of using text/json-comment-filtered? Initially it looks like adding extra processing on both the server and client to add and remove the wrapper.

I did some reading but didn’t find much information to go on. In Dojo checkins, I found ‘implement a text/json-comment-filtered mimetype to allow servers to cooperate in avoiding “JavaScript hijacking” attacks’. In Jetty I found ‘please consider using a mimetype of text/json-comment-filtered to avoid potential security issues with JSON endpoints’

How does using text/json-comment-filtered help avoid potential security issues with JSON endpoins and allow servers to cooperate? Are there any other benefits?