Increase security by creating un-eval-uatable ("unparsable cruft") JSON?
Question
We are looking at using the unparseable cruft approach for our JSON as an extra level of security.
In looking at the approaches, I've come across Google's while(1); and Facebook's for(;;); and then another mention of {}&&.
I've seen comments surrounding the while(1); that say the 1, being numeric, can get clobbered, so my approach was going to be the for(;;);.
Then I came across the {}&&, which renders the JSON invalid yet it can still be parsed/eval'ed. See this article for reference: http://www.sitepen.com/blog/2008/09/25/security-in-ajax/
What are your approaches? And what do your functions look like for making the ajax call with the unparseable cruft?
Recommended answer
I just always use a root object. As noted:
It is only possible to hijack JSON data with a root that is an array. When the root is a primitive, primitive values do not trigger a constructor. When the root is an object, it is not valid JavaScript syntax, and therefore can't be parsed.
Note that having a root primitive (e.g. your response is just 5) is not valid JSON. Section 2 of the RFC says:
A JSON text is a serialized object or array.
JSON-text = object / array
This isn't much of a burden, as I (and many sites) typically use an envelope format. E.g.:
{
"header": {...},
"data": {...}
}
or:
{
"status": {...},
"data": {...}
}
etc.
In that case, any array would just be the value of data, so you can serve syntactically valid JSON without any hijacking risk.
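The two defences discussed on this page, stripping a known cruft prefix before parsing and refusing any response whose root is not an object, combined in one client-side reader. This is an added example, not code from the question or the answer; the prefix list and the {status, data} / {header, data} envelope shape are assumptions taken from the text.

```javascript
// Added example: parse "cruft"-prefixed responses and enforce a root object.
// The prefixes below are the ones named in the thread; the envelope field
// "data" is the assumed convention from the answer.
const CRUFT_PREFIXES = ["for(;;);", "while(1);", "{}&&"];

// Strip one known prefix, if present, then parse the remainder with
// JSON.parse (never eval, which is what the prefix exists to break).
function parseCruftedJson(body) {
  let text = body.trimStart();
  for (const prefix of CRUFT_PREFIXES) {
    if (text.startsWith(prefix)) {
      text = text.slice(prefix.length);
      break;
    }
  }
  return JSON.parse(text);
}

// Root-object rule from the answer: an array root is the hijackable case,
// a primitive root is not even valid JSON, so only a plain object passes.
function unwrapEnvelope(value) {
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error("response root must be an object, not an array or primitive");
  }
  if (!("data" in value)) {
    throw new Error("envelope is missing the data field");
  }
  return value.data;
}

function readResponse(body) {
  return unwrapEnvelope(parseCruftedJson(body));
}

// Constructed sample responses (not captured from any real site).
const SAMPLES = {
  facebookStyle: 'for(;;);{"status":{"ok":true},"data":[1,2,3]}',
  googleStyle: 'while(1);{"header":{},"data":{"id":7}}',
  bareArray: "[1,2,3]",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(readResponse(SAMPLES.facebookStyle)); // [ 1, 2, 3 ]
  console.log(readResponse(SAMPLES.googleStyle));   // { id: 7 }
}
```

Arrays are still fine as the value of data; only an array at the root is rejected.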