National Data Service / NDS-247

API Server should return JSON Arrays with a prefix


    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Minor
    • Workbench 1.2.0

      As described here, the JavaScript "Array" constructor can be overridden by the user.

      If malicious sites utilize our API, this allows the user to easily get their hands on array data that the server passes back to the client, such as specs, stacks, or volumes. Since "stacks" can contain password information regarding services, this seems like a security hole. (Although, since the browser's Developer console can show you this, perhaps it is a moot point.)

      To counter this your server can prefix all JSON requests with the following string


      Angular will automatically strip the prefix before processing it as JSON.

      Real world example (gmail): http://jeremiahgrossman.blogspot.com/2006/01/advanced-web-attack-techniques-using.html

      Toy example:


      <!-- Override the default JavaScript constructor for Arrays -->
      <script type="text/javascript">
      var secrets;
      Array = function() {
        secrets = this;
      };
      </script>
      <!-- This returns an array, which is stored in the variable named "secrets" -->
      <script src="http://haacked.com/demos/secret-info.json" type="text/javascript"></script>
      <!-- Parse out secret data and print it to the screen -->
      <script type="text/javascript">
        var yourData = '';
        var i = -1;
        while(secrets[++i]) {
          yourData += secrets[i] + ' ';
        }
        alert('I stole your data: ' + yourData);
      </script>

              willis8 Craig Willis
              lambert8 Sara Lambert


                  Original Estimate: 2 hours
                  Remaining Estimate: 2 hours
                  Time Spent: Not Specified