Why does OWASP recommend to never return JSON arrays not wrapped in objects?
AJAX Security Cheat Sheet § Always return JSON with an Object on the outside says:
Always have the outside primitive be an object for JSON strings:
Exploitable:
[{"object": "inside an array"}]
Not exploitable:
{"o…