
Is JSON Hijacking still an issue in modern browsers?


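No, it is no longer possible to capture values passed to the `[]` or `{}` constructors in Firefox 21, Chrome 27, or IE 10: in these browsers, array and object literals no longer call a replaced `Array` constructor or a setter defined on `Object.prototype`. This result covers only those two capture techniques in those browser versions, so a server that returns sensitive JSON should not rely on browser behaviour as its only protection. Here's a little test page, based on the main attacks described in http://www.thespanner.co.uk/2011/05/30/json-hijacking/: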

(http://jsfiddle.net/ph3Uv/2/)

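// Test harness for the page's controls: checks whether script on a page can
// observe values created by array/object syntax, either by replacing the global
// Array constructor or by defining a setter on Object.prototype. The textarea
// shows "Captured: ..." when a value was observed and "Safe." when it was not.

/**
 * Records the arguments it was called with in the page's <textarea>.
 * Installed both as the replacement for window.Array and as the setter for
 * Object.prototype.foo, so either path reports through the same place.
 *
 * @returns {Arguments} the arguments object it received
 */
var capture = function() {
    var ta = document.querySelector('textarea');
    // Use .value, not child text nodes: once the user has typed in a textarea,
    // changes to its child nodes are no longer reflected in what is displayed.
    ta.value = 'Captured: ' + JSON.stringify(arguments);
    return arguments;
};

// Keep the real constructor so it can be restored when capture is switched off.
var original = Array;
var toggle = document.body.querySelector('input[type="checkbox"]');

/**
 * Installs or removes both capture hooks according to the checkbox state.
 */
var toggleCapture = function() {
    var isOn = toggle.checked;
    window.Array = isOn ? capture : original;
    if (isOn) {
        // configurable: true is required here. defineProperty defaults to a
        // non-configurable property, which the delete below cannot remove, so
        // without it the setter would stay installed after unchecking the box.
        Object.defineProperty(Object.prototype, 'foo', {
            set: capture,
            configurable: true
        });
    } else {
        delete Object.prototype.foo;
    }
};

toggle.addEventListener('click', toggleCapture);
toggleCapture();

// [].forEach is used on purpose: window.Array may already have been replaced by
// capture at this point, so Array.prototype.forEach is not guaranteed to exist.
[].forEach.call(document.body.querySelectorAll('input[type="button"]'), function(el) {
    el.addEventListener('click', function() {
        // Assume nothing is captured; capture() overwrites this if it runs.
        document.querySelector('textarea').value = 'Safe.';
        // eval is deliberate: the literal syntax itself is what is being tested,
        // so the snippet has to be parsed at click time. The source text comes
        // only from this page's own button values; never pass it external input.
        // NOTE: at statement position, eval parses "{foo: 'bar'}" as a block
        // containing a labelled statement, not as an object literal, so a button
        // with that value creates no object and cannot trigger the setter.
        eval(el.value);
    });
});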
<!--
  Controls for the capture test script.
  The checkbox switches the capture hooks on and off; the script reads its
  "checked" state. Each button's value attribute is JavaScript source that the
  script passes to eval() when the button is clicked. The textarea displays the
  result ("Captured: ..." or "Safe.").
  NOTE(review): evaluated as a statement, {foo: 'bar'} parses as a block with a
  labelled statement rather than an object literal; ({foo: 'bar'}) would exercise
  the literal. Confirm which form was intended.
-->
<div><label><input type="checkbox" checked="checked"> Capture</label></div><div><input type="button" value="[1, 2]" /> <input type="button" value="Array(1, 2);" /> <input type="button" value="{foo: 'bar'}" /> <input type="button" value="({}).foo = 'bar';" /></div><div><textarea></textarea></div>