What are "top level JSON arrays" and why are they a security risk?


Problem description

In the video below, at time marker 21:40, the Microsoft PDC presenter says it's important that all JSON be wrapped so it's not a top-level array:

https://channel9.msdn.com/Events/PDC/PDC09/FT12

What is the risk of an unwrapped top-level array?

How should I check and see if I'm vulnerable? I purchase many components from 3rd parties and have external vendors who develop my code.

Recommended answer

This is because a few years ago Jeremiah Grossman found a very interesting vulnerability that affects Gmail. Some people have addressed this vulnerability by using unparseable cruft (Mr. bobince's technical description on this page is fantastic).

The reason why Microsoft is talking about this is because they haven't patched their browser (yet). (Recent versions of Edge and IE 10/11 have addressed this issue.) Mozilla considers this to be a vulnerability in the JSON specification and therefore they patched it in Firefox 3. For the record I completely agree with Mozilla, and it's unfortunate, but each web app developer is going to have to defend themselves against this very obscure vulnerability.
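An added example (JavaScript, written for this page; it is not code from the question, the answer, or the video) showing the property the answer relies on and the two mitigations it mentions. A JSON document whose top-level value is an array is also a valid JavaScript program, so a page on another origin could include the endpoint's URL with a script tag; a top-level object literal is a syntax error as a script, and an unparseable prefix ("cruft") breaks parsing regardless of shape. The block also includes a small audit helper of the kind you could run over responses from third-party components. The prefix string, the function names, and the sample responses are assumptions made for the demonstration.

```javascript
// Added example, not from the original page. Demonstrates why a top-level JSON
// array is special, two defences (wrap in an object, or prefix unparseable
// cruft), and an audit check for responses you did not write yourself.

// Assumed cruft prefix; any string that is not valid JavaScript will do.
const CRUFT_PREFIX = ")]}',\n";

// Does this response body parse as a JavaScript program? If it does, a
// cross-site <script src="..."> could execute it. Parse only; never runs it.
function isExecutableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Defence 1 (server side): never emit a bare array; wrap it in an object.
// A top-level object literal is a syntax error when loaded as a script.
function wrapTopLevelArray(value) {
  return Array.isArray(value) ? { data: value } : value;
}

// Defence 2 (server side): prefix the JSON with cruft the browser cannot parse.
function serializeWithCruft(value) {
  return CRUFT_PREFIX + JSON.stringify(value);
}

// Defence 2 (client side): strip the prefix before parsing. Refuse bodies
// without it so a missing prefix is noticed rather than silently accepted.
function parseWithCruft(body) {
  if (!body.startsWith(CRUFT_PREFIX)) {
    throw new Error("response is missing the anti-hijacking prefix");
  }
  return JSON.parse(body.slice(CRUFT_PREFIX.length));
}

// Audit helper: true when the body is plain JSON whose top-level value is an
// array, i.e. neither wrapped nor cruft-prefixed. Cruft-prefixed bodies fail
// JSON.parse and are therefore reported as not hijackable.
function isHijackableArray(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (_) {
    return false;
  }
  return Array.isArray(parsed);
}

// Constructed sample responses (not real traffic) for the three cases.
const constructedResponses = {
  bare: JSON.stringify(["alice@example.com", "bob@example.com"]),
  wrapped: JSON.stringify(wrapTopLevelArray(["alice@example.com"])),
  cruft: serializeWithCruft(["alice@example.com"]),
};

// Run the audit over a map of named response bodies.
function auditAll(responses) {
  return Object.fromEntries(
    Object.entries(responses).map(([name, body]) => [
      name,
      isHijackableArray(body),
    ])
  );
}

console.log(auditAll(constructedResponses));
```

In practice, `isHijackableArray` is the check to apply to captured responses from vendor-supplied components: any endpoint that returns `true` is emitting a bare top-level array and should be wrapped or prefixed. `isExecutableAsScript` is the underlying reason the distinction matters; it reports `true` only for the bare array case.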

