From federation to fabric: IAM’s evolution

In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that […]

The post From federation to fabric: IAM’s evolution appeared first on Security Intelligence.

Continue reading From federation to fabric: IAM’s evolution

From federation to fabric: IAM’s evolution

In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that […]

The post From federation to fabric: IAM’s evolution appeared first on Security Intelligence.

Continue reading From federation to fabric: IAM’s evolution

Is JSON vulnerability still possible?

I have a bunch of REST APIs which would be consumed by frontend applications created by customers using our product. I have suggested to only use last 2 versions of Chrome for running frontend apps. They would be using Angular.

I was going through Angular’s security guide which says,

Cross-site script inclusion, also known as JSON vulnerability, can
allow an attacker’s website to read data from a JSON API. The attack
works on older browsers by overriding built-in JavaScript object
constructors, and then including an API URL using a tag.

This attack is only successful if the returned JSON is executable as
JavaScript. Servers can prevent an attack by prefixing all JSON
responses to make them non-executable, by convention, using the
well-known string “)]}’,\n”.

I checked the related questions on SO/SE. Going by the accepted answers, it seems that this used be a vulnerability a long time ago when browsers allowed overriding Array constructor.
Is it still possible to have JSON vulnerability attack given latest version of Chrome will be used?

Related SE/SO questions:

  1. Why JSON Hijacking attack doesn’t work in modern browsers? How was it fixed?
  2. How is it possible to poison JavaScript Array constructor and how does ECMAScript 5 prevent that?
  3. How does including a magic prefix to a JSON response work to prevent XSSI attacks?
  4. https://stackoverflow.com/questions/55206306/is-facebook-suddenly-safe-against-json-hijacking/55206724#55206724
  5. https://stackoverflow.com/questions/3146798/why-do-people-put-code-like-throw-1-dont-be-evil-and-for-in-front-of#3147804

Continue reading Is JSON vulnerability still possible?

Bridging a Gap Between LLMs and Programming With TypeChat

By now, large language models (LLMs) like OpenAI’s ChatGPT are old news. While not perfect, they can assist with all kinds of tasks like creating efficient Excel spreadsheets, writing cover …read more Continue reading Bridging a Gap Between LLMs and Programming With TypeChat