
AFAIK, the ability to override the Array constructor has been fixed in all modern browsers.

Is this true? I was able to do it in both Chrome and FF.



Really? You can make it so `var x = ['a']` does something other than create an array?


No, but if I do `var a = new Array();` I can have that put up an alert. The Resig post linked to above indicates that FF will complain if you try to redefine the Array function, which is not what I'm seeing in FF 20 (beta channel) and Chrome 25.


That's not JSON though, it's executable Javascript. This whole issue is (was) about Arrays accidentally becoming executable Javascript. To elaborate:

Let's say I have a data API http://bank/sensitiveData which returns JSON:

  ["bmjs", "sensitive", "data"]
.. if your browser has a valid session. Now, if an attacker lures you onto his http://malicioussite, he may try to do:

  ajax.get("http://bank/sensitiveData").then(sendReceivedDataToMaliciousDatabase)
This will throw an exception, because the browser doesn't allow cross-domain requests to http://bank .

However, he _can_ insert a <script> tag that loads it (this is how JSONP works):

  <script src="http://bank/sensitiveData"></script>
This will load your sensitive data (assuming you have a session open). If, before this, the attacker has overridden the Array constructor in his site's Javascript, whatever code he has in that constructor will receive your sensitive data (and may send it to his malicious database).

Now, if my bank data API actually served your sensitive data as executable Javascript, that is:

  var bmjsSensitiveData = new Array("bmjs", "sensitive", "data");
Then you need to cancel your account and find a new bank immediately :) This would be loadable with the <script> tag on a malicious site as shown earlier, and subsequently make the variable bmjsSensitiveData available to the attacker's Javascript (overriding the Array constructor wouldn't even be necessary).

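Added example, not from the thread: the attack in the comment above, simulated inside one JavaScript engine so it can be run offline. The two response strings are constructed stand-ins for what the hypothetical http://bank/sensitiveData endpoint returns (a bare JSON array vs. executable JS assigning `bmjsSensitiveData`), and `evalScript()` stands in for the `<script src=...>` load. It shows the point the commenters were circling: replacing the global `Array` intercepts `new Array(...)` but not an array literal, so the JSON form leaks nothing in a current engine while the executable-JS form leaks with or without the override.

```javascript
// Constructed responses from the hypothetical data endpoint (names are the
// thread's illustrative ones, not a real service).
const JSON_RESPONSE = '["bmjs", "sensitive", "data"]';
const JS_RESPONSE =
  'var bmjsSensitiveData = new Array("bmjs", "sensitive", "data");';

// Stand-in for <script src="..."></script>: run the response text as a
// top-level script. Indirect eval executes in global scope, as a script
// tag would, so a `var` in the response becomes a global property.
function evalScript(src) {
  (0, eval)(src);
}

// Attacker page: swap the global Array constructor, load the cross-origin
// "script", restore Array, and return whatever the override captured.
function loadWithArrayOverride(src) {
  const OriginalArray = globalThis.Array;
  const stolen = [];
  function EvilArray(...items) {
    stolen.push(...items); // leak the elements
    return new OriginalArray(...items); // otherwise behave like Array
  }
  EvilArray.prototype = OriginalArray.prototype;
  globalThis.Array = EvilArray;
  try {
    evalScript(src);
  } finally {
    globalThis.Array = OriginalArray;
  }
  return stolen;
}

// Attacker page, no override at all: if the response is executable JS that
// assigns a global, any script on the page can simply read it afterwards.
function loadWithoutOverride(src) {
  delete globalThis.bmjsSensitiveData; // clear any leftover from an earlier load
  evalScript(src);
  return globalThis.bmjsSensitiveData;
}

// Stand-alone demo.
console.log("JSON array + Array override :", loadWithArrayOverride(JSON_RESPONSE));
console.log("new Array(...) + override   :", loadWithArrayOverride(JS_RESPONSE));
console.log("var assignment, no override :", loadWithoutOverride(JS_RESPONSE));
console.log("JSON array, no override     :", loadWithoutOverride(JSON_RESPONSE));
```

The first call returns an empty list: the literal `[...]` syntax never consults the global `Array` binding, which is why the "fix" the first commenter refers to holds in current engines. The second call returns the three strings, because `new Array(...)` looks up `Array` in global scope and finds the attacker's function. The third call returns them too, with no trickery at all. The fourth returns `undefined`, since a bare array literal as a statement defines nothing; note that a top-level `{...}` object literal would not even parse as a script, which is why the array-literal form was the one historically worth attacking.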

Gotcha, thanks for the clarification.



