DISQUS

DISQUS Hello! Kid666 Blog is using DISQUS, a powerful comment system, to manage its comments. Learn more.

Community Page

Jump to original thread »
Author

Security; AJAX; JSON; Satisfaction

Started by sh1mmer · 1 year ago

Well, for a while I've been trying to prove that either it is, or isn't, possible to XSS a JSON return which is wrapped in { }.

While it is well known that it is possible to exploit the return of a JavaScript array, I've been trying to establish if it is also possible ... Continue reading »

4 comments

  • This is surprising to me. I don't understand either why it doesn't parse, nor your explanation for why it does not parse.

    Look at this Spider Monkey session:
    js> {"foo": "bar"}
    typein:156: SyntaxError: invalid label:
    typein:156: {"foo": "bar"}
    typein:156: ......^
    js> {quz: "quux"}
    quux
    js> ({quack: "like a duck"}).quack
    like a duck
    js> ({quack: "like a duck", jump: "like a kangaroo"}).quack
    like a duck
    js> ({quack: "like a duck", jump: "like a kangaroo"}).jump
    like a kangaroo
    js> ({"boo": "like a ghost"}).boo
    like a ghost
    js> ({"boo": "like a ghost", "flash": "like a firefly"}).flash
    like a firefly
    js> {"boo": "like a ghost"}
    typein:165: SyntaxError: invalid label:
    typein:165: {"boo": "like a ghost"}
    typein:165: ......^


    -So to me it appears that there is some grammatical construct which I'm unfamiliar with interfering with the general grammar of object literals. Also, notice these work:

    js> x={"boo": "foo"}
    [object Object]
    js> var y = {"boo": "foo"}
    js> y
    [object Object]


    I guess the next step is to read the javascript grammar to understand what's happening here.
  • Valid JSON is an anonymous Javascript object. As such to be syntactically correct it requires assignment to a variable. This is why including raw JSON will create a syntax error.

    Arrays on the other hand got a bit of syntactic sugar added to make anonymous arrays valid to allow for multidimensional arrays. This means including an unassigned array object is valid Javascript (but not JSON).

    It should be noted though that 3rd party Javascript needs something like AdSafe or Caja to make it safe before you can consider using it on your page. 3rd party scripts can overload Object constructors or other functions to get access to private data.
  • Maritime Security for Piracy TBK Strategies features Security Consulting Services, Executive Threat Protection, Crisis Risk Management Consulting, Surveillance Detection Training, Tactical Training, Maritime Security for Piracy and Executive Threat Assessments.
  • Nice post there. Raised a few things I hadn't thought about before. Thx.

Add New Comment

Returning? Login