Securing Ajax Applications

by Christopher Wells
July 2007
Content level: Intermediate to advanced
256 pages
6h 19m
English
O'Reilly Media, Inc.
Content preview from Securing Ajax Applications

JSON

JavaScript Object Notation (JSON) is a lightweight data format based on the object notation of the JavaScript language. Unlike XML, JSON is already JavaScript, so it does not have to endure heavy processing. Because it is easy to use and flexible for exchanging data, it has gained popularity. If you are thinking of using JSON, I would recommend you check out the web site (http://json.org).

Example 5-7 shows a simple JSON structure.

Example 5-7. An example of JSON notation

{
    "type": "Menu",
    "value": "File",
    "items": [
        {"value": "New", "action": "CreateNewDocument"},
        {"value": "Open", "action": "OpenDocument"},
        {"value": "Save", "action": "SaveDocument"}
    ]
}

JSON was designed to be highly portable, which is what makes it useful. JSON output text can be directly interpreted by JavaScript, using eval( ):

var myVar = eval( '(' + jsontext + ')' );

Validation and implementation

Passing JSON text straight into the eval( ) function is a bit like setting a bull loose in a china shop, since eval( ) will blindly interpret everything in the JSON text with no security or validation checking, but boy is it fast. So, what's wrong with automatically hydrating this stuff? The most obvious attack is XSS. Consider what would happen if the code in Example 5-7 were run through eval( ).

Example 5-8 shows XSS in JSON.

Example 5-8. Unvalidated JSON

{ "name": "menu", "value": "File", "items": [ {"value": "New", "action": "CreateNewDocument"}, {"value": "Open", "action": "OpenDocument"}, {"value": "Save", "action": ...
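The difference between blind hydration and validated parsing, as an added example that is not from the book: eval( ) executes whatever JavaScript the response text happens to contain, while the native JSON.parse( ) (standardized after this book was written; json.org's json2.js offered the same interface then) accepts only the JSON grammar and throws on anything else. The tampered response, the audit counter and the isMenu shape check are all constructed for this demonstration.

```javascript
// Constructed inputs for the demonstration (not from the book).
// The menu from Example 5-7, as a well-behaved server would send it.
const MENU_TEXT =
  '{"type":"Menu","value":"File","items":[' +
  '{"value":"New","action":"CreateNewDocument"},' +
  '{"value":"Open","action":"OpenDocument"},' +
  '{"value":"Save","action":"SaveDocument"}]}';

// Records whether embedded code ran; stands in for the damage XSS would do.
const audit = { evalRan: 0 };

// A response where one "value" is a JavaScript expression, not a JSON string.
// It is valid JavaScript (so eval() runs it) but it is not valid JSON.
const TAMPERED_TEXT =
  '{"type":"Menu","value":(function(){ audit.evalRan++; return "File"; })(),"items":[]}';

// The book's approach: eval() hydrates anything that parses as JavaScript.
function hydrateWithEval(jsontext) {
  return eval('(' + jsontext + ')');
}

// Hardened form: JSON.parse() only accepts the JSON grammar; a SyntaxError
// means the text was not pure data and must be rejected rather than run.
function hydrateSafely(jsontext) {
  try {
    return { ok: true, value: JSON.parse(jsontext) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Second line of defence: after parsing, check the data has the shape the
// application expects before handing it to the UI layer.
function isMenu(obj) {
  return obj !== null && typeof obj === 'object' && !Array.isArray(obj) &&
    typeof obj.value === 'string' && Array.isArray(obj.items) &&
    obj.items.every(i => i && typeof i.value === 'string' &&
                         typeof i.action === 'string');
}

// Runs both hydrators over the tampered text and reports what happened.
function demonstrate() {
  audit.evalRan = 0;
  const viaEval = hydrateWithEval(TAMPERED_TEXT);   // embedded code executes
  const viaParse = hydrateSafely(TAMPERED_TEXT);    // rejected: not JSON
  const menu = hydrateSafely(MENU_TEXT);            // benign data parses fine
  return { evalRan: audit.evalRan, evalValue: viaEval.value,
           parseOk: viaParse.ok, menuOk: menu.ok && isMenu(menu.value) };
}
```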

Publisher Resources

ISBN: 9780596529314