
Anatomy of a Subtle JSON Vulnerability - ajbatac
http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx
======
waynep
JSON is not insecure, technically it's the browser here.

------
teej
Subtle? It's called Cross-Site Scripting and it's pretty well known. Hell, the
Wikipedia entry ([http://en.wikipedia.org/wiki/Cross-site_scripting#Cookie_sec...](http://en.wikipedia.org/wiki/Cross-site_scripting#Cookie_security)) even has some tips on how to secure against
this particular case.

~~~
chrisbroadfoot
Actually, this is CSRF (and it's pretty smart - smarter than your average XSS
attack).

~~~
blasdel
script src-ing the JSON document is pretty clever.

It could be totally stopped by using a nonce in a header. You should already
have implemented a nonce system for form submissions anyway.

