What are "top level JSON arrays" and why are they a security risk?

Asked 17/8, 2010 at 13:48 Answered 17/8, 2010 at 17:18

In the video below, at time marker 21:40, the Microsoft PDC presenter says it's important that all JSON be wrapped so it's not a top level array:

https://channel9.msdn.com/Events/PDC/PDC09/FT12

What is the risk of an unwrapped top level array?

How should I check and see if I'm vulnerable? I purchase many components from 3rd parties and have external vendors who develop my code.

Quadripartite answered 17/8, 2010 at 13:48 Comment(1)

Unfortunately the like to the talk is broken – Lytton 1/12, 2022 at 16:42

Note: by the 2020s, this is all ancient history; there’s no longer any security risk for any JSON.

This is because a few years ago Jeremiah Grossman found a very interesting vulnerability that affects gmail. Some people have addressed this vulnerabilty by using an unparseable cruft (Mr bobince's technical description on this page is fantastic.)

The reason why Microsoft is talking about this is because they haven't patched their browser (yet). (Edit: Recent versions of Edge and IE 10/11 have addressed this issue.) Mozilla considers this to be a vulnerability in the json specification and therefore they patched it in Firefox 3. For the record I completely agree with Mozilla, and its unfortunate but each web app developer is going to have to defend them selves against this very obscure vulnerability.

Wagon answered 17/8, 2010 at 17:18 Comment(4)

Is sending sensitive information in a JSON array still a security risk in 2017? – Partridge 6/4, 2017 at 12:40

@jrahhali that question is worthy of its own post, maybe security.stackexchange.com would be a good place for it. – Wagon 6/4, 2017 at 17:59

By 2023, I’m content to say that you shouldn’t worry about this at all. The last browser to be vulnerable was released more than twelve years ago, and your site probably doesn’t even start to load in it (due to it only supporting up to TLS 1.0, and your site hopefully only being served over TLS 1.2+). – Daydream 22/5, 2023 at 9:51

@ChrisMorgan Thank you for calling this to my attention - Updated. – Wagon 6/6, 2023 at 2:30

I think it's because the Array() constructor can be redefined. However, that problem isn't really unique to arrays.

I think the attack (or one possible way) is something like this:

function Array(n) {
  var self = this;
  setTimeout(function() {
    sendToEvilHackers(self);
  }, 10);
  return this;
}

The browser (or some browsers) use that constructor for [n, n, n] array notation. A CSRF attack can therefore exploit your open session with your bank, hit a known JSON URL with a <script> tag to fetch it, and then poof you are owned.

Immortalize answered 17/8, 2010 at 13:58 Comment(4)

I don't get this - moving the array in the JSON down into a property wouldn't stop this type of attack. Returning {"d":[1,2,3]} would be just as susceptible as returning [1,2,3]. – Subclimax 17/8, 2010 at 15:42

I agree - that's what I meant when I said the problem isn't just about Arrays. – Immortalize 17/8, 2010 at 18:23

Not true. A { at the beginning of a line in JavaScript is interpreted as a code block, not an object literal. Thus, your {"d":[1,2,3]} is not a valid script and would not be executed by the browser. Just try it :) – Ambitious 2/3, 2012 at 18:16

follow up: haacked.com/archive/2009/06/25/json-hijacking.aspx To me it's a better explanation of the threat than the 2006 article from Grossman – Baum 14/12, 2016 at 11:26

Recommended topics

Hot tags