I have a bunch of REST APIs which would be consumed by frontend applications created by customers using our product. I have suggested using only the last 2 versions of Chrome for running the frontend apps. They would be using Angular.
I was going through Angular's security guide, which says:
Cross-site script inclusion, also known as JSON vulnerability, can allow an attacker's website to read data from a JSON API. The attack works on older browsers by overriding built-in JavaScript object constructors, and then including an API URL using a `<script>` tag. This attack is only successful if the returned JSON is executable as JavaScript. Servers can prevent an attack by prefixing all JSON responses to make them non-executable, by convention, using the well-known string `)]}',\n`.
I checked the related questions on SO/SE. Going by the accepted answers, it seems that this used to be a vulnerability a long time ago, when browsers allowed overriding the Array constructor.
Is it still possible to have a JSON vulnerability attack given that the latest version of Chrome will be used?
Related SE/SO questions:
- Why JSON Hijacking attack doesn’t work in modern browsers? How was it fixed?
- How is it possible to poison JavaScript Array constructor and how does ECMAScript 5 prevent that?
- How does including a magic prefix to a JSON response work to prevent XSSI attacks?
- https://stackoverflow.com/questions/55206306/is-facebook-suddenly-safe-against-json-hijacking/55206724#55206724
- https://stackoverflow.com/questions/3146798/why-do-people-put-code-like-throw-1-dont-be-evil-and-for-in-front-of#3147804
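The two halves of the quoted guidance, as an added example that is not part of the question or of Angular's own code: a parse-only check (Node's `new Function`, which compiles but never runs the body) showing which response shapes are even valid as a script, and the server-side prefix plus client-side strip using the `)]}',\n` convention. The payloads are constructed sample data.

```javascript
// Added example, not from the question or the Angular guide.
const XSSI_PREFIX = ")]}',\n";

// Server side: prefix every JSON body so it can never parse as JavaScript.
function toProtectedJson(value) {
  return XSSI_PREFIX + JSON.stringify(value);
}

// Client side: strip the prefix before parsing. Angular's HttpClient does
// this itself; a plain fetch() caller has to do it explicitly like this.
function parseProtectedJson(body) {
  const text = body.startsWith(XSSI_PREFIX) ? body.slice(XSSI_PREFIX.length) : body;
  return JSON.parse(text);
}

// Would this response body compile as a standalone script? This is the
// precondition for the XSSI attack; new Function() only parses, it does not
// execute anything.
function isExecutableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample payloads.
const arrayPayload = [{ id: 1, email: "alice@example.test" }];
const objectPayload = { users: arrayPayload };

// A bare array is a valid expression statement, so it compiles as a script;
// a top-level object literal is parsed as a block and fails; the prefixed
// body fails on its very first character regardless of shape.
console.log(isExecutableAsScript(JSON.stringify(arrayPayload)));  // true
console.log(isExecutableAsScript(JSON.stringify(objectPayload))); // false
console.log(isExecutableAsScript(toProtectedJson(arrayPayload))); // false
console.log(parseProtectedJson(toProtectedJson(arrayPayload)));
```

Whether or not a given engine still lets a page poison the Array constructor, a prefixed body is a SyntaxError before any constructor is invoked, which is why the convention is applied regardless of browser version.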