Is JSON vulnerability still possible?

I have a bunch of REST APIs which would be consumed by frontend applications created by customers using our product. I have suggested to only use last 2 versions of Chrome for running frontend apps. They would be using Angular.

I was going through Angular’s security guide which says,

Cross-site script inclusion, also known as JSON vulnerability, can
allow an attacker’s website to read data from a JSON API. The attack
works on older browsers by overriding built-in JavaScript object
constructors, and then including an API URL using a tag.

This attack is only successful if the returned JSON is executable as
JavaScript. Servers can prevent an attack by prefixing all JSON
responses to make them non-executable, by convention, using the
well-known string “)]}’,\n”.

I checked the related questions on SO/SE. Going by the accepted answers, it seems that this used be a vulnerability a long time ago when browsers allowed overriding Array constructor.
Is it still possible to have JSON vulnerability attack given latest version of Chrome will be used?

Related SE/SO questions:

  1. Why JSON Hijacking attack doesn’t work in modern browsers? How was it fixed?
  2. How is it possible to poison JavaScript Array constructor and how does ECMAScript 5 prevent that?
  3. How does including a magic prefix to a JSON response work to prevent XSSI attacks?
  4. https://stackoverflow.com/questions/55206306/is-facebook-suddenly-safe-against-json-hijacking/55206724#55206724
  5. https://stackoverflow.com/questions/3146798/why-do-people-put-code-like-throw-1-dont-be-evil-and-for-in-front-of#3147804

Continue reading Is JSON vulnerability still possible?

FortiGuard Labs Uncovers Series of Malicious NPM Packages Stealing Data

By Waqas
There are over 17 million developers worldwide who use NPM packages, making it a lucrative target for cybercriminals.
This is a post from HackRead.com Read the original post: FortiGuard Labs Uncovers Series of Malicious NPM Packages Stealing D… Continue reading FortiGuard Labs Uncovers Series of Malicious NPM Packages Stealing Data

Optimal way to securely store password on client with server invalidation but not knowledge

A number of similar questions have been asked about this general topic before (e.g. How to store user credentials in browser securely?), but I wanted to seek some clarification on a specific scenario.
I have what is essentially a stateless… Continue reading Optimal way to securely store password on client with server invalidation but not knowledge