This project is archived and is in readonly mode.

#1012 ✓wontfix
Russell Chappell

Feature Request: Even more secure Request.JSON

Reported by Russell Chappell | September 21st, 2010 @ 02:41 PM

Howdy,

I have been running some pen tests, and one of the queries that came up was about hijacking of JSON requests. If a hacker's website included the URL for your JSON and a user logged into your website also viewed the hacker's website, they could potentially hijack the JSON, potentially stealing secure info. A method to stop this would be to use while(1); or for(;;); before your JSON to permanently hang their browser, stopping this from happening. I created a new Class for even more secure JSON based on the recommendations of the following:
http://insecureweb.com/javascript/secure-your-ajax-request-with-jqu...

It's quite convoluted to actually hijack the JSON, but the issue is still present and technically possible. Extra optional security will definitely be beneficial.

Request.sJSON = new Class({
    Extends: Request,
    options: {
        secure: true,
        supersecure: true,
        // Anti-hijacking prefix expected at the very start of the response.
        // Anchored with ^ and used without the "m" flag, so only a leading
        // prefix is removed, never a match after a newline inside the body.
        regexp: /^(while\(1\);|for\(;;\);|dont be evil;)/,
        // Flags applied to the regexp. "i" only: "s" is not a valid flag in
        // ES5-era browsers and makes the RegExp constructor throw a SyntaxError.
        modifiers: "i"
    },
    initialize: function(options){
        this.parent(options);
        Object.append(this.headers, {
            'Accept': 'application/json',
            'X-Request': 'JSON'
        });
    },
    success: function(text){
        var secure = this.options.secure;
        var textify = text;
        if (this.options.supersecure){
            // Build from .source: new RegExp(regexpObject, flags) throws a
            // TypeError in ES5 browsers when flags are supplied.
            var regexp = new RegExp(this.options.regexp.source, this.options.modifiers);
            textify = text.replace(regexp, '');
        }
        // Function.attempt returns null when JSON.decode throws (malformed
        // input, or non-JSON input with secure: true), which is reported as
        // a failure instead of an exception.
        var json = this.response.json = Function.attempt(function(){
            return JSON.decode(textify, secure);
        });
        if (json == null) this.onFailure();
        else this.onSuccess(json, textify);
    }
});

Comments and changes to this ticket

  • Christoph Pojer

    Christoph Pojer September 21st, 2010 @ 03:57 PM

    • State changed from “new” to “wontfix”

    You could always also try to use JSON.parse in more recent browsers. In 2.0 we will likely use JSON.parse inside of JSON.decode. Feel free to upload your extension to the Forge, we will not include this into Core itself.
