How does AngularJS JSON vulnerability protection work?

The AngularJS website recommends prefixing your JSON with )]}',\n to protect it from being invoked as JSONP:

The JSON vulnerability allows third-party sites to turn your JSON resource URL into a JSONP request under certain conditions. To counter this, your server can prefix all JSON responses with the following line: ")]}',\n". Angular will automatically strip the prefix before treating it as JSON.

But the referenced article makes no mention of these closing brackets, and it seems that it would be pretty easy to work around (since my JSONView Chrome plugin has been patched to cut them out. Why couldn't an "attacker" do the same?).

Instead, the article recommends wrapping JSON as an object:

 {"d": ["Philha", "my-confession-to-crimes", 7423.42]} 

Something is protecting you.

Why does AngularJS prefer this (odd) protection and does it work? I am not sure how to check this.

1 answer

Why couldn't an "attacker" do the same?

To strip the characters, you must have access to the raw contents of the response.

The Chrome extension has that access. Anyone who points a <script> tag at the source file does not.

Why AngularJS prefers this (odd) protection,

Because it works ;)

and does it work?

Yes. When the file is processed as JavaScript, it throws an error on line 1 before it reaches the array. This stops it from ever evaluating the array, so an overridden Array constructor cannot read data from it.


Fortunately, security issues seem to exist only in very old versions of Firefox, so you probably don't need to worry about this at all.
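The following is an added example, not code from the question, the answer or AngularJS itself: it shows the prefix being added on the server, stripped on the client, and the "does this still compile as a script?" check the answer describes. The prefix string and the sample array are the ones quoted in the question; the function names are my own.

```javascript
// Prefix recommended by the AngularJS docs (quoted in the question above).
const ANGULAR_PREFIX = ")]}',\n";

// Server side: serialize the response body and prepend the prefix.
function protectJson(value) {
  return ANGULAR_PREFIX + JSON.stringify(value);
}

// Client side (what Angular's $http does for you): require the prefix,
// strip it, then parse the remainder as ordinary JSON.
function parseProtectedJson(text) {
  if (!text.startsWith(ANGULAR_PREFIX)) {
    throw new Error("response is missing the JSON vulnerability prefix");
  }
  return JSON.parse(text.slice(ANGULAR_PREFIX.length));
}

// Would this body be accepted if a third-party page loaded it with
// <script src="..."> ? We only compile it with the Function constructor,
// never execute it: a SyntaxError means the engine gives up on line 1,
// before any array or object literal is evaluated.
function parsesAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample data taken from the question.
const sample = ["Philha", "my-confession-to-crimes", 7423.42];
const protectedBody = protectJson(sample);

// Round trip still works for a legitimate client...
console.log(parseProtectedJson(protectedBody));
// ...but the bare array compiles as a script, the prefixed body does not.
console.log(parsesAsScript(JSON.stringify(sample)), parsesAsScript(protectedBody));
```

The same check also shows why the article's alternative works: a top-level `{"d": [...]}` is parsed as a block statement by a script engine and is likewise a SyntaxError, while still being valid JSON.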


Source: https://habr.com/ru/post/983207/
