What are "top level JSON arrays" and why are they a security risk?

Views: 188

Question

In the video below, at time marker 21:40, the Microsoft PDC presenter says it's important that all JSON be wrapped so it's not a top level array:

https://channel9.msdn.com/Events/PDC/PDC09/FT12

What is the risk of an unwrapped top level array?

How should I check and see if I'm vulnerable? I purchase many components from 3rd parties and have external vendors who develop my code.

Accepted answer

This is because a few years ago Jeremiah Grossman found a very interesting vulnerability that affects gmail. Some people have addressed this vulnerability by using unparseable cruft (Mr bobince's technical description on this page is fantastic.)

The reason why Microsoft is talking about this is because they haven't patched their browser (yet). (Edit: Recent versions of Edge and IE 10/11 have addressed this issue.) Mozilla considers this to be a vulnerability in the JSON specification and therefore they patched it in Firefox 3. For the record I completely agree with Mozilla, and it's unfortunate, but each web app developer is going to have to defend themselves against this very obscure vulnerability.
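The answer names the two defences in use (wrapping the payload in an object so the response is not a top-level array, and prefixing "unparseable cruft"), and the question asks how to check whether existing endpoints are exposed. The following is an added example, not code from the original answer or from any Microsoft or Mozilla product: an audit helper that flags response bodies parsing as a top-level array, a server-side hardening function, and the matching client-side reader. The prefix string `)]}',\n`, the wrapper key `d`, and the sample endpoint URLs and bodies are assumptions constructed for illustration.

```javascript
// Added example (not from the original answer). The cruft prefix and the
// wrapper key "d" are assumptions chosen for illustration; use whatever your
// framework and clients agree on.
const CRUFT_PREFIX = ")]}',\n"; // not valid JavaScript, so a <script src=...> include aborts before any array literal runs
const WRAPPER_KEY = "d";

// Audit check: does this response body parse as a top-level JSON array?
// Such a body is also a valid JavaScript array literal, which is the shape the
// old cross-site <script> hijack relied on.
function isTopLevelArray(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return false; // unparseable bodies (including cruft-prefixed ones) cannot be evaluated as a script
  }
  return Array.isArray(parsed);
}

// Server side: wrap the payload in an object and prepend the cruft.
function hardenJsonResponse(payload) {
  return CRUFT_PREFIX + JSON.stringify({ [WRAPPER_KEY]: payload });
}

// Client side: require the prefix, strip it, parse, and unwrap.
function readHardenedResponse(text) {
  if (!text.startsWith(CRUFT_PREFIX)) {
    throw new Error("missing anti-hijacking prefix");
  }
  const obj = JSON.parse(text.slice(CRUFT_PREFIX.length));
  if (obj === null || typeof obj !== "object" || Array.isArray(obj) || !(WRAPPER_KEY in obj)) {
    throw new Error("unexpected response shape");
  }
  return obj[WRAPPER_KEY];
}

// Scan captured responses (a map of URL -> body) and return the URLs that
// still serve a top-level array; these are the endpoints to wrap.
function findUnwrappedArrayEndpoints(responses) {
  return Object.keys(responses).filter((url) => isTopLevelArray(responses[url]));
}

// Constructed sample data standing in for responses captured from an app.
const SAMPLE_RESPONSES = {
  "/api/contacts": '[{"name":"alice","email":"alice@example.com"}]', // constructed: top-level array, flagged
  "/api/profile": '{"name":"alice"}',                                 // constructed: object, not flagged
  "/api/orders": hardenJsonResponse([{ id: 1 }, { id: 2 }]),           // constructed: already hardened
};

console.log("unwrapped array endpoints:", findUnwrappedArrayEndpoints(SAMPLE_RESPONSES)); // ["/api/contacts"]
console.log("client sees:", readHardenedResponse(SAMPLE_RESPONSES["/api/orders"]));
```

Run the audit against bodies captured from your own application (including responses produced by third-party components) rather than the constructed sample; any URL it reports is one whose handler should be changed to return a wrapped object, with the client updated to unwrap it. The client-side reader deliberately refuses a body without the prefix, so a regression on the server is caught during testing instead of silently reintroducing the exposure.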
