是否可以在现代浏览器上进行"JSON劫持"? [英] Is it possible to do 'JSON hijacking' on modern browser?
问题描述
Recently I read some articles about 'JSON hijacking', and some of one is here.
因此,我尝试在以下浏览器,Chrome 17(dev),Firefox 8和IE8上进行操作.
So, I tried to do below on my browsers, Chrome 17(dev), Firefox 8, and IE8.
- 覆盖对象或数组构造函数
- 修改__defineSetter__方法
- 修改defineProperty方法
但是我对(文字)JSON数据无能为力.
But I couldn't do anything with (literal) JSON data.
"JSON劫持"问题是否已在现代浏览器上全部解决? 或者我该如何复制它?
Is 'JSON hijacking' problem all solved on modern browser? Or how can I reproduce it?
推荐答案
这与解析JSON的合法应用程序无关-JSON劫持是一个信息泄露问题,涉及一些恶意方在用户使用时请求您的JSON数据而不是真实应用程序通常登录到使用api的应用程序.简单身份验证无济于事-因为浏览器会发送身份验证信息,例如免费的auth-cookie:-/.
It's not about the legitimate application parsing the JSON - JSON hijacking is an information disclosure issue about some malicious party requesting your JSON data instead of the real application while the user is logged into the application that uses the api usually. Simple authentication does not help - as the browser sends the auth information e.g. auth-cookie for free :-/.
但是使用ES5,大多数当前的浏览器将不再直接受到此问题的影响.但是,深度防御规则!并可能会防止将来出现问题或出现回归等情况.
But with ES5 most current browser won't be affected anymore directly by this issue. Nonetheless, in depth defense rules! And may protect against future issues too or regressions and etc.
这篇关于是否可以在现代浏览器上进行"JSON劫持"?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
