On 4/13/07, trevor <trevor at intospace.ca> wrote: > but OTOH, i think their premise was not "all json is bad". their premise > was "to raise awareness" that there are proper and improper ways to handle > this type of coding. it's a very general thing, so they also didn't > present any in depth discussion of best practices. > > so, i'm niether attacking nor glorifying their paper, i'm just asking if > some pro's here could recommend their favourite resources for ajax security > best practices, and json best practices. there are lots of results to plow > through from a general search - i thought i would get some recommends here, > that's all. I re-read the paper; I still think the answer is clear: don't use JSON. Using a data format with the capability of defining behavior never made any sense to me. From what I can tell, developers use JSON so they can avoid having to walk the DOM of an XML response. Use a format that must be parsed and you avoid this attack completely. This means XML or JSON that requires parsing (i.e., surrounded by /* and */ that must be removed, or the approach Google took by including a first line of while(1); which must be removed or it would send the JS interpreter into an infinite loop). Another option is to have the server side inspect incoming requests and only respond to those that are legitimate. While this should be done regardless, I'm not naive enough to think that developers actually do it, or even will do it given this paper. Your other option is, like the paper suggests, to not accept GET requests on the server-side. This is easy to do with, say, Java Servlets. It takes some extra work in most other languages, so [insert previous point about no one doing it]. Bottom line: just use XML, and tell your dev team to use XML. Simple, clear-cut fix. Blindly eval'ing anything that came your way in the response was always a bad idea, and now we have a paper on one reason why (admittedly, not the reason I was thinking of). -- Matt Warden Cleveland, OH, USA http://mattwarden.com This email proudly and graciously contributes to entropy.