
Security issues with top-level arrays in JSON


From:
Christopher O'Donnell
Date:
2013-06-18 @ 00:05
I'm a little confused by this part of the Flask documentation:

http://flask.pocoo.org/docs/security/#json-security

What does the success of a cross-site request (forged by way of the 
cookies for the target site being attached by the browser running the 
attacker's page) have to do with how it's sent or how the response might 
be captured? Shouldn't the target just never accept the request (so, 
in the example from the documentation, the JSON response wouldn't be 
returned) if it didn't originate within the application (probably tested 
with a one-time-use token)?

Does it have something to do with cross-site AJAX requests typically not 
being permitted by browsers?

Still, the example seems strangely JSON-specific: surely there are and 
will be bugs in the same-origin policies of browsers occasionally, or in 
browser extension sandboxing, all giving far more direct ways to make a 
forged request and have full access to its response without having to rely
on it being parsed as JavaScript and making calls to the Array 
constructor.

So does anyone know how avoiding top-level arrays in JSON actually 
contributes anything, provided that the already-necessary check that the 
request originated within the application is used?

Thanks!
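As an added example (not from the original post, and not Flask's own code; the function names are my own), a small JavaScript audit helper that isolates the property the linked Flask page relies on: a JSON body can only be loaded with `<script src=...>` if it is also a syntactically valid JavaScript program, which a top-level array is and a top-level object is not.

```javascript
// Added example, not from the original post or from Flask. Function names
// are my own. It checks whether a JSON response body is also a valid
// JavaScript program, which is the precondition for loading it from another
// origin with <script src=...> and the browser attaching the victim's
// cookies. The text is only compiled, never executed.

function parsesAsJavaScript(text) {
  try {
    new Function(text); // parse only; the function is never invoked
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Mitigation used by jsonify-style helpers: wrap a top-level array in an
// object. As a script, the leading "{" is read as a block statement and the
// string-literal "label" that follows is a syntax error, so nothing loads.
function wrapTopLevelArray(value, key = "items") {
  return Array.isArray(value) ? { [key]: value } : value;
}

// Audit one serialized response body and explain the finding.
function auditJsonBody(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return { topLevel: "invalid", scriptParseable: parsesAsJavaScript(body),
             note: "body is not JSON" };
  }
  const topLevel = Array.isArray(parsed) ? "array"
                 : parsed !== null && typeof parsed === "object" ? "object"
                 : "scalar";
  const scriptParseable = parsesAsJavaScript(body);
  const note = topLevel === "array" && scriptParseable
    ? "top-level array is a valid JS expression; wrap it in an object"
    : topLevel === "object"
      ? "top-level object: script parse fails or yields an empty block"
      : "scalar value; evaluating it as a script exposes no object";
  return { topLevel, scriptParseable, note };
}

// Constructed sample bodies, as a view might return them (not real data).
const samples = ['[{"id": 1, "email": "a@example.com"}]',
                 '{"items": [{"id": 1, "email": "a@example.com"}]}'];
for (const body of samples) console.log(auditJsonBody(body));
```

Note that this only covers the script-inclusion angle the Flask page describes; the origin check the post asks about (a one-time token or an Origin/Referer check) is a separate control that this helper does not replace.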