
JSON XSS exploit: don't use text/html

Posted Tue, 25 Jul 2006 01:40:00 GMT

Jim Ley reports on the Google JSON XSS exploit, with example code and screenshots of stealing information from the AdSense site. The moral of the story: don't use text/html as the MIME type when returning JSON (a browser that receives text/html renders the response as a page, so unescaped user data inside the JSON becomes live markup); use application/json, which is now an IETF standard (RFC 4627). Most browsers should handle application/json fine, but Opera may have problems with it, so you may want to send application/x-javascript to that browser. This is worth remembering even if your AJAX code or library, e.g. Dojo, doesn't care about the MIME type the server returns.

If you are using Catalyst with Catalyst::View::JSON, the MIME type of your JSON response is automatically set to application/json for all user agents except Opera (which gets application/x-javascript), so you're already safe(r).


Comments

  1. bangFreeze said 11 months later:

    On a related note (see the Dojo v0.4.3 release notes, etc.) you might want to switch to text/json-comment-filtered. A quick fix in Catalyst is to set the MIME type before your json_rpc dispatch, and then tweak the res->body after that returns… Readers should note I also ended up patching Dojo's IO/RPC objects on the flip side to actually USE the new type, instead of just complaining about it…

    It doesn’t get much simpler:

    text/json: `{ msg: "I am an object" }`

    text/json-comment-filtered: `/*{ msg: "I am an object, too" }*/`

    (`*` is the character)

  2. John Wang said 11 months later:

    What are the major benefits of using text/json-comment-filtered? Initially it looks like adding extra processing on both the server and client to add and remove the wrapper.

    I did some reading but didn't find much information to go on. In Dojo checkins, I found 'implement a text/json-comment-filtered mimetype to allow servers to cooperate in avoiding "JavaScript hijacking" attacks'. In Jetty I found 'please consider using a mimetype of text/json-comment-filtered to avoid potential security issues with JSON endpoints'.

    How does using text/json-comment-filtered help avoid potential security issues with JSON endpoints and allow servers to cooperate? Are there any other benefits?
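As an added example (not code from the post, Catalyst, or Dojo), here is the response policy the post describes, JSON as application/json except for Opera, plus the /* */ wrapper from the first comment and the client-side unwrap it requires; the function names and the Opera user-agent sniff are assumptions, and the wrapper code also handles a payload string containing `*/`, which would otherwise end the comment early.

```python
import json
import re

# Constructed illustration: hypothetical helper names, not a Catalyst or Dojo API.

def content_type_for(user_agent: str) -> str:
    """Pick the JSON MIME type: Opera gets application/x-javascript, others application/json."""
    return "application/x-javascript" if "Opera" in user_agent else "application/json"

def json_response(payload, user_agent: str, comment_filtered: bool = False):
    """Return (headers, body) for a JSON endpoint. Never text/html: a text/html body
    is rendered by the browser as a document, so user data in it becomes markup."""
    body = json.dumps(payload)
    if comment_filtered:
        # JSON allows "\/" as an escape for "/", so "*/" inside a string can be
        # rewritten as "*\/" without changing the decoded value. Without this a
        # string containing "*/" would terminate the comment wrapper early.
        body = body.replace("*/", "*\\/")
        # Wrapped in /* */ the body is a no-op if fetched as a script, so a page
        # that includes the endpoint via <script src> gets nothing executable.
        return {"Content-Type": "text/json-comment-filtered"}, "/*" + body + "*/"
    return {"Content-Type": content_type_for(user_agent)}, body

_WRAPPED = re.compile(r"\A\s*/\*(.*)\*/\s*\Z", re.DOTALL)

def parse_json_response(headers, body):
    """Client side: refuse text/html, strip the comment wrapper when present, parse."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype == "text/html":
        raise ValueError("refusing to treat a text/html response as JSON")
    if ctype == "text/json-comment-filtered":
        match = _WRAPPED.match(body)
        if not match:
            raise ValueError("comment-filtered response is missing its /* */ wrapper")
        body = match.group(1)
    return json.loads(body)
```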
