
JSON XSS exploit: don't use text/html

Posted Tue, 25 Jul 2006 01:40:00 GMT

Jim Ley reports on the Google JSON XSS exploit, with example code and screenshots of stealing information from the AdSense site. The moral of the story: don't use text/html as the MIME type when returning JSON; use application/json, which is now an IETF standard (RFC 4627). Most browsers handle application/json fine, but Opera may have problems, so you may want to use application/x-javascript for it. This is worth remembering even if your AJAX code or library (Dojo, for example) doesn't care about the MIME type the server returns.

If you are using Catalyst and Catalyst::View::JSON, your JSON response will automatically be served as application/json for all user agents except Opera (which gets application/x-javascript), so you're already safe(r).
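To make the MIME-type rule concrete outside Catalyst, here is a small added Python example (not code from this post, from Jim Ley's write-up, or from Catalyst::View::JSON). It reproduces the behaviour the post attributes to that view, application/json for everyone and application/x-javascript for Opera, and adds a check you can run against an outgoing Content-Type header to catch text/html before it ships. The Opera detection (substring match on the User-Agent header) and the sample user-agent strings are assumptions constructed for the example.

```python
"""Choose a non-HTML Content-Type for JSON responses and verify headers before sending."""
import json

# Media types that browsers will not interpret as an HTML document.
SAFE_JSON_TYPES = {"application/json", "application/x-javascript"}


def json_content_type(user_agent: str) -> str:
    """Return the MIME type to use for a JSON body.

    Mirrors the rule the post describes for Catalyst::View::JSON:
    application/json for all user agents except Opera, which gets
    application/x-javascript. Assumption (not from the post): Opera is
    recognised by the substring "Opera" in the User-Agent header.
    """
    if "Opera" in user_agent:
        return "application/x-javascript"
    return "application/json"


def build_json_response(payload, user_agent: str = ""):
    """Serialize payload and return (status, headers, body) for a JSON endpoint.

    The Content-Type is chosen from the User-Agent so the body is never
    labelled text/html, which is the mistake the post warns about.
    """
    body = json.dumps(payload)
    headers = {
        "Content-Type": json_content_type(user_agent) + "; charset=utf-8",
    }
    return 200, headers, body


def is_safe_json_content_type(content_type: str) -> bool:
    """True if the header's media type (ignoring parameters) is a JSON-safe one.

    Useful as a response-filter assertion or a unit-test check for any
    endpoint that is supposed to return JSON.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in SAFE_JSON_TYPES


if __name__ == "__main__":
    # Constructed sample user agents; the strings are illustrative only.
    for ua in ("Mozilla/5.0 (X11; Linux) Firefox/1.5", "Opera/9.00 (Windows NT 5.1; U; en)"):
        status, headers, body = build_json_response({"ok": True}, ua)
        print(ua, "->", headers["Content-Type"], is_safe_json_content_type(headers["Content-Type"]))
    print("text/html is safe?", is_safe_json_content_type("text/html; charset=utf-8"))
```

The check function is the part to wire into a response filter or test suite: it strips the charset parameter and compares only the media type, so `text/html; charset=utf-8` is correctly rejected while `application/json; charset=utf-8` passes.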

