Is JSON Hijacking still an issue in modern browsers?

by

No, it is no longer possible to capture values passed to the [] or {} constructors in Firefox 21, Chrome 27, or IE 10. Here’s a little test page, based on the main attacks described in http://www.thespanner.co.uk/2011/05/30/json-hijacking/:

(http://jsfiddle.net/ph3Uv/2/)

var capture = function() {
    var ta = document.querySelector('textarea')
	ta.innerHTML = '';
	ta.appendChild(document.createTextNode("Captured: "+JSON.stringify(arguments)));
	return arguments;
}
var original = Array;

var toggle = document.body.querySelector('input[type="checkbox"]');
var toggleCapture = function() {
    var isOn = toggle.checked;
    window.Array = isOn ? capture : original;
    if (isOn) {
        Object.defineProperty(Object.prototype, 'foo', {set: capture});    
    } else {
        delete Object.prototype.foo;
    }
};
toggle.addEventListener('click', toggleCapture);
toggleCapture();

[].forEach.call(document.body.querySelectorAll('input[type="button"]'), function(el) {
    el.addEventListener('click', function() {
        document.querySelector('textarea').innerHTML = 'Safe.';
        eval(this.value);
    });
});
<div><label><input type="checkbox" checked="checked"> Capture</label></div>
<div><input type="button" value="[1, 2]" /> <input type="button" value="Array(1, 2);" /> <input type="button" value="{foo: 'bar'}" /> <input type="button" value="({}).foo = 'bar';" /></div>
<div><textarea></textarea></div>

It overrides window.Array and adds a setter to Object.prototype.foo and tests initializing arrays and objects via the short and long forms.

The ES4 spec, in section 1.5, “requires the global, standard bindings of Object and Array to be used to construct new objects for object and array initializers” and notes in Implementation Precedent that “Internet Explorer 6, Opera 9.20, and Safari 3 do not respect either local or global rebindings of Object and Array, but use the original Object and Array constructors.” This is retained in ES5, section 11.1.4.

Allen Wirfs-Brock explained that ES5 also specifies that object initialization should not trigger setters, as it uses DefineOwnProperty. MDN: Working with Objects notes that “Starting in JavaScript 1.8.1, setters are no longer called when setting properties in object and array initializers.” This was addressed in V8 issue 1015.

More Related Contents:

  1. Javascript comparison behaving differently in different browsers [closed]
  2. Why does Google prepend while(1); to their JSON responses?
  3. Browser-native JSON support (window.JSON)
  4. Detecting if a browser is using Private Browsing mode
  5. What are “top level JSON arrays” and why are they a security risk?
  6. Why do people put code like “throw 1; ” and “for(;;);” in front of json responses? [duplicate]
  7. Is there any practical reason to use quoted strings for JSON keys?
  8. JSON security best practices?
  9. How to prevent direct access to my JSON service?
  10. Why does Google prepend while(1); to their JSON responses?
  11. Alternatives to JavaScript eval() for parsing JSON
  12. XML parser for JavaScript [closed]
  13. How to force browser to show image 3 inches wide?
  14. Post data to JsonP
  15. How to send JSON instead of a query string with $.ajax?
  16. Chrome sendrequest error: TypeError: Converting circular structure to JSON
  17. JSON.stringify doesn’t work with normal Javascript array
  18. Caching a jquery ajax response in javascript/browser
  19. How can I disable a browser or element scrollbar, but still allow scrolling with wheel or arrow keys?
  20. Convert javascript object or array to json for ajax data
  21. How to access nested JSON data
  22. Express and ejs
  23. Separate Angular2 TypeScript files and JavaScript files into different folders, maybe ‘dist‘
  24. Is it possible to programmatically catch all events on the page in the browser?
  25. Usage of Hash(#) in URL
  26. How to prevent html/JavaScript code modification
  27. Getting the text from a drop-down box
  28. How to trigger javascript on print event?
  29. Rename Object Key in an array using javascript
  30. Why does JSON.stringify not serialize non-enumerable properties?

Leave a Comment