Is the JSON CSRF/Theft attack still possible?

I read this article: http://jeremiahgrossman.blogspot.com/2007/01/gmail-xsrf-json-call-back-hackery.html

And I tried to use the technique, but it seems to fail on (at least) most browsers I tried. Basically you return JSON on your site and someone else does a <script src="domain.com/response.php?json"></script> and then you set up your own object/array constructors to steal the data.

Is this still viable with modern browsers? Should I use tokens to prevent this?

Answers


Is this still viable with modern browsers?

Yes. And browsers are not the issue.

Non-browser applications can make HTTP requests, also. Applications like curl can probably be used for this kind of thing. Or you can write something in Python using urllib2 to do CSRFs. You can easily fake out responses of all kinds if the framework doesn't properly include CSRF tokens.

Should I use tokens to prevent this?

No.

You should find a framework that provides you the support for handling this.


No, the [] constructor is no longer overridable, and setters are no longer called for object initializers. See http://www.thespanner.co.uk/2011/05/30/json-hijacking/ and "Is JSON Hijacking still an issue in modern browsers?".
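The claim in this answer can be verified directly in an engine. The following is an added example (not code from the question, either answer, or the linked articles) that installs the two hooks the 2007-era technique depended on, a replacement global `Array` constructor and an inherited setter on `Object.prototype`, and then parses an array literal and an object literal the way a `<script src>` response would be parsed. It also exercises each hook through an explicit `new Array(...)` call and a plain property assignment as a control, so the reader can see the hooks work but are simply not reached by literals. The literal values and the property name `secret` are constructed for the demonstration; the code runs unchanged in Node.js or a browser console.

```javascript
// Probe 1: does evaluating an array literal call the (overridden) global Array?
function probeArrayConstructorHook() {
  let calls = 0;
  const originalArray = globalThis.Array;
  // Replace the global constructor, as the old hijack did.
  globalThis.Array = function HookedArray() { calls += 1; };
  try {
    // Parse a literal from source text, like a JSON response loaded via <script>.
    const literal = new Function('return [1, 2, 3];')();
    const literalTriggered = calls > 0;

    // Control: an explicit constructor call does resolve the global name.
    new Function('return new Array(1, 2);')();
    const explicitTriggered = calls > 0;

    return { literalTriggered, explicitTriggered, literalLength: literal.length };
  } finally {
    globalThis.Array = originalArray; // always restore the real constructor
  }
}

// Probe 2: does an object literal invoke an inherited setter for its keys?
function probeObjectSetterHook() {
  let captured = [];
  Object.defineProperty(Object.prototype, 'secret', {
    set(value) { captured.push(value); },
    configurable: true,
  });
  try {
    // Object initializers define own data properties; they do not run setters.
    const literal = new Function('return { secret: "token-123" };')();
    const literalTriggered = captured.length > 0;

    // Control: ordinary assignment walks the prototype chain and does run it.
    const control = {};
    control.secret = 'assigned';
    const assignmentTriggered = captured.includes('assigned');

    return { literalTriggered, assignmentTriggered, literalValue: literal.secret };
  } finally {
    delete Object.prototype.secret; // remove the hook again
  }
}

console.log('Array constructor hook:', probeArrayConstructorHook());
console.log('Object setter hook:    ', probeObjectSetterHook());
```

On any current engine both `literalTriggered` flags come back `false` while the control flags come back `true`: the hooks are live, but literal syntax bypasses them, which is exactly why the technique in the linked 2007 post no longer works. Note that this only closes the JavaScript-side leak; it says nothing about whether the endpoint itself is protected against cross-site requests, which is the separate question the first answer addresses.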
