Securing your JSON
Written by on March 14th, 2007 in Ajax News.
Bas Wenneker read Joe Walker's piece on the insecurity of JSON and put two and two together with Dean Edwards' Array hack to provide an idea on securing your JSON.
JAVASCRIPT:
var applyArrayHack = function(){
    //hackzor the Array object using Joe Walker example
    //(the "setter =" assignments below are legacy Mozilla-only syntax)
    this.Array = function() {
        var obj = this;
        var ind = 0;
        var getNext = function(x) {
            obj[ind++] setter = getNext;
            if (x) alert("Data stolen from array: " + x.toString());
        };
        this[ind++] setter = getNext;
    };
};

var applyArrayFix = function(){
    //Create an iframe, I know this is not the best way,
    //doesn't work in Safari blah blah
    var iframe = document.createElement("iframe");
    iframe.style.display = "none";
    document.body.appendChild(iframe);

    //Write a script into the iframe and steal its Array object
    //Overwrite the hacked Array with the one from the iframe.
    frames[frames.length - 1].document.write(
        "<script>parent.Array = Array;</script>"
    );
};

applyArrayHack(); //apply the hack
var hack1 = [ 40 ]; //=> alerts 40

applyArrayFix(); //apply my fix
var hack2 = [ 40 ]; //=> doesn't alert! Yay!

The Downside
The downside of this fix is that you don’t know when to apply it. A hacker can use a delayed or interval function to apply the hack, so basically each time you touch an Array object you have to apply the fix to be sure it’s safe to send data.
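
One way to automate the re-check that this downside calls for, as an added example that is not code from the original article. The names arrayIsHijacked, restoreArray and guardArray are hypothetical, and it assumes an ES5 or later engine, where array literals are built from the engine's built-in constructor, so a literal stands in for the iframe; it also assumes Array.prototype.constructor itself has not been overwritten.

```javascript
"use strict";

// Array literals are built from the engine's intrinsic constructor, so a
// literal's constructor reveals whether the global name `Array` was swapped.
// Assumption: Array.prototype.constructor has not been overwritten as well.
function arrayIsHijacked() {
  return globalThis.Array !== [].constructor;
}

// Point the global name back at the intrinsic constructor.
// Returns true if a repair was needed, false if Array was already clean.
function restoreArray() {
  if (!arrayIsHijacked()) return false;
  globalThis.Array = [].constructor;
  return true;
}

// Wrap a function that handles sensitive data so the check runs on every
// call rather than once at page load: a delayed or interval function can
// re-apply the hack at any moment between calls.
function guardArray(fn, onTamper) {
  return function guarded(...args) {
    if (restoreArray() && onTamper) onTamper();
    return fn.apply(this, args);
  };
}

// Constructed demonstration: the global is replaced before the first and
// third call, standing in for a timer that keeps re-applying the hack.
function demo() {
  let repairs = 0;
  const parse = guardArray((text) => JSON.parse(text), () => { repairs++; });
  const results = [];
  for (const text of ["[40]", "[41]", "[42]"]) {
    if (text !== "[41]") {
      globalThis.Array = function FakeArray() {}; // simulated tamper
    }
    results.push(parse(text)[0]);
  }
  return { repairs, results, cleanAtEnd: !arrayIsHijacked() };
}
```

The onTamper callback is where a page would log or report that the global was replaced, since a repair that succeeds silently hides the fact that hostile script is running in the page.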
Source: Ajaxian
Original Article: http://ajaxian.com/archives/securing-your-json