Last active December 10, 2015 19:48
Two primary security concerns for JSON
```js
// Deliberately not valid JSON: the "location" value is a self-invoking
// function, which only an eval()-based "JSON" parser will accept.
{
  "user":
  {
    "name": "Johnny Walker",
    "occupation": "Distiller",
    "location": (function() { alert("XSS 1!"); return "somewhere"})(),
    "_location_comment": "Once parsed unsafely, the location XSS will run automatically, as a self-executing function. JSON.parse can help with this, and jQuery's $.parseJSON uses it by default (as do $.ajax, etc)",
    "bio": "<script type='text/javascript'>alert('XSS 2!');</script>",
    "_bio_comment": "This XSS will execute once it is added to the DOM, if not properly escaped before adding it. This is more of a persistent kind of XSS attack, typically from poor input validation on server side."
  }
}
```
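The following is an added example, not part of the original gist, that makes both concerns observable under Node.js. The two payloads are constructed for the example, `alert` is replaced with a recording stub since Node has no browser `alert()`, and `escapeHtml`, `parseWithEval`, `parseStrict` and `demo` are helper names chosen here. It shows that `eval()` runs the self-invoking function while `JSON.parse()` rejects the document outright (concern 1), and that a perfectly valid JSON document still carries the `<script>` string through `JSON.parse()` untouched, so the rendering step must escape it (concern 2).

```javascript
// Constructed payload 1: the gist's file. Not valid JSON because of the IIFE.
const evalOnlyPayload = `{
  "user": {
    "name": "Johnny Walker",
    "location": (function() { alert("XSS 1!"); return "somewhere"; })(),
    "bio": "<script type='text/javascript'>alert('XSS 2!');</script>"
  }
}`;

// Constructed payload 2: valid JSON. JSON.parse accepts it, script tag and all.
const validPayload = `{
  "user": {
    "name": "Johnny Walker",
    "bio": "<script type='text/javascript'>alert('XSS 2!');</script>"
  }
}`;

// Stand-in for the browser's alert() so the side effect is observable here.
const alertCalls = [];
globalThis.alert = (msg) => { alertCalls.push(msg); };

// Concern 1 (unsafe): eval-based parsing executes code embedded in the data.
// The parentheses are the classic trick to force an object literal.
function parseWithEval(text) {
  return eval("(" + text + ")");
}

// Concern 1 (safe): JSON.parse only accepts the JSON grammar; a function
// expression is a SyntaxError, so nothing is executed.
function parseStrict(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Concern 2: escape untrusted strings before interpolating them into HTML.
// In a real page, prefer textContent over innerHTML for plain text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderBioUnsafe(bio) { return "<p>" + bio + "</p>"; }
function renderBioSafe(bio) { return "<p>" + escapeHtml(bio) + "</p>"; }

// Runs both concerns end to end and returns the observations.
function demo() {
  alertCalls.length = 0;

  // Concern 1: eval fires the embedded function; JSON.parse refuses the input.
  const viaEval = parseWithEval(evalOnlyPayload);
  const evalFired = alertCalls.includes("XSS 1!");
  const strict = parseStrict(evalOnlyPayload);

  // Concern 2: safe parsing does not sanitize content; rendering must escape.
  const parsed = parseStrict(validPayload);
  const bio = parsed.value.user.bio;
  const unsafe = renderBioUnsafe(bio);
  const safe = renderBioSafe(bio);

  return {
    evalFired,                                  // true
    evalLocation: viaEval.user.location,        // "somewhere"
    strictRejected: !strict.ok,                 // true
    strictError: strict.error,                  // "SyntaxError"
    validParsed: parsed.ok,                     // true
    unsafeHasScriptTag: /<script/i.test(unsafe), // true
    safeHasScriptTag: /<script/i.test(safe),     // false
    safeHtml: safe,
  };
}

console.log(demo());
```

The takeaway matches the gist's two comments: switching from `eval()` to `JSON.parse()` closes the first hole, but does nothing for the second, because the `<script>` string is valid JSON data and only becomes dangerous at the point where it is turned into markup.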