NYCPHP Meetup

NYPHP.org

[nycphp-talk] Use of unneutered JSON considered harmful

csnyder chsnyder at gmail.com
Thu Apr 5 10:39:18 EDT 2007


I've recommended (and continue to recommend) JSON as an efficient
alternative to XML for passing server-side data to client-side web
apps. But, as explained in the report linked below, an attacker can
use an everyday <script> tag to make a cross-domain request for
confidential JSON data, and access that data on execution by
overriding native methods on Object or Array.

http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf

The simple fix is to ensure that your JSON responses will not execute
when called via <script> tag, either by wrapping the JSON in a block
comment or by placing a while(1); command before the data. Your
Javascript code is responsible for removing the comment or while(1);
before eval()ing the JSON.

Again, if your web app returns JSON, make sure it cannot be executed
by placing a while(1); before the data.

It sounds like the major frameworks are being updated to deal with
this (I know Dojo and MochiKit have). If you use a framework to handle
your JSON, you should consult recent traffic on their developer's list
for the preferred means of neutering the code.

-- 
Chris Snyder
http://chxo.com/
