Does JSON hijacking play a role with IE versions greater than 10 or Chrome versions greater than 30?

OWASP suggests wrapping json response with an object rather than returning a direct array. For instance: 

[{"id":5}]

Is this vulnerability still relevant? Could it be exploited?
After testing in Chrome, IE, and FF, I couldn't find a way to 'hack' or exploit this.

Example code: 

<html>
    <head>
        <script type="text/javascript"> 
        Object.defineProperty(window,'id',{set: function(obj) {alert(obj);});
        </script> 
    </head>
    <body> 
        <script defer="defer" src="http://example.com/Home/AdminBalances"></script> 
    </body> 
</html>

Regardless of my attempts, I could not trigger the code inside defineProperty without directly setting an id object on the window itself.

If you know of any possible exploits, could you please share sample code?

javascriptarraysjsonsecurity

Answer №1

In order to achieve this, one must consider targeting extremely outdated browsers, such as Firefox 3.

It appears that modern browsers are not susceptible to this type of attack. For recommendations on defense mechanisms, refer to this resource. Whether these defenses are effective is a subjective matter. As it stands, they do not appear to be effective. However, in the event that a new, vulnerable browser gains popularity, implementing these defenses could potentially prevent user data theft. It's important to note that just because there was a vulnerability in the past, it doesn't guarantee its recurrence in the future. There may very well be different, undiscovered vulnerabilities in the future.

Most modern browsers receive automatic updates, allowing for prompt patching of any flaws. While defending against this particular threat requires minimal effort, it ultimately falls on the developer to assess whether the cost justifies the potential risk exposure.

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

Mac JSON Shell Scripting

Below is the code I am struggling with: function poke() { json="curl -s -X GET http://pokeapi.co/api/v2/type/bug.json"; prop="half_damage_to" temp=echo $json | sed 's/\\\\\//\//g' | sed 's/[{}]//g& ...

jsonmacosshellterminal

Prevent the mouseup event in jQuery when the mouse has previously been moved

I have a div with a row of span buttons displayed horizontally. Since there are too many buttons to fit on the screen, I want to enable the user to click and drag the entire row of buttons. However, my challenge is to ensure that the button's mouseup ...

javascriptjqueryeventsmouse

Utilizing Bootstrap to allow for seamless text wrapping around a text input field

I am trying to implement a "fill-in-the-blank" feature using Bootstrap, where users need to enter a missing word to complete a sentence. Is there a way to align the text input horizontally and have the rest of the sentence wrap around it? This is my curr ...

javascripthtmlcsstwitter-bootstrapbootstrap-4

Issue with converting response to JSON format

I've encountered an issue while attempting to extract information from a React form and submit it to my Rails database. The error message "unexpected token '<' at position 0" suggests that the response is still in HTML format instead of J ...

ruby-on-railsjsonreactjs

retrieving data from a dropdown selection

Help! I'm stuck and need guidance. Below is the code I've been working on, attempting to set a variable using a drop-down list. Despite trying everything I can think of, I still seem to be missing something simple. Any hints or nudges in the righ ...

javascripthtml

Ensure that TypeScript compiled files are set to read-only mode

There is a suggestion on GitHub to implement a feature in tsc that would mark compiled files as readonly. However, it has been deemed not feasible and will not be pursued. As someone who tends to accidentally modify compiled files instead of the source fil ...

javascripttypescriptbuildfilesystems

Develop a function for locating a web element through XPath using JavaScriptExecutor

I have been working on developing a method in Java Script to find web elements using XPath as the locator strategy. I am seeking assistance in completing the code, the snippet of which is provided below: path = //input[@id='image'] def getElem ...

javascriptpythonseleniumrobotframework

The issue with setting width using % in React Native is causing trouble

While working on my project using expo react native, I encountered an issue with a horizontal scrollview for images. When I style the images using pixels like this: <Image code... style={{width: 350}}/>, everything works fine. However, if I try to ch ...

javascriptcssreactjsreact-nativemobile

Is it true that the Haskell Text.Json library is capable of reading Rationals but not writing them?

After attempting to parse a JSON file containing a floating point number, I noticed that the Text.JSON package returns the number as a JSRational. This means I can use readJSON on a JSRational. However, I encountered an issue when trying to write rationa ...

jsonhaskellfloating-pointintegerrational-numbers

Display just the minutes using react-countdown-circle-timer in a React application

Looking to create a test page in React featuring a countdown timer set at 50 minutes, I integrated the react-countdown-circle-timer module. However, I encountered an issue where the minutes displayed do not change dynamically as they should. My goal is to ...

javascriptreactjscountdowntimer

Ways to display a default view in React

I am working on a React website that has three different routes. My goal is to have the first route, named Home, automatically displayed when a user lands on the site. Below is the code snippet from my App.js: <Router> <Navigation /> <Sw ...

javascriptreactjs

Determine whether a specific key exists in the formdata object

Can I check if a key in the formdata object already has a value assigned to it? I am looking for a way to determine if a key has been previously assigned a value. I attempted something like this but did not get the desired outcome data = new FormData(); ...

javascriptajaxhtmlformsjquery-ui

What is the best way to make a CSS class appear in my javascript using the method I have been using before?

I am facing an issue in making this code work properly. It functions correctly for my caption element as there is only one caption tag in my HTML. However, the same code does not work for my TR element since it requires a for loop to iterate through multip ...

javascriptcss

Having trouble getting Calendly Webhooks to function in a node.js environment with ngrok?

Hello everyone, this is my first time seeking help on Stack Overflow so please bear with me if there are any flaws in my question. I recently started using the Calendly Teams version and decided to implement the Webhooks feature on a Node.js web applicati ...

javascriptnode.jsexpressngrokcalendly

Navigate through a nested JSON structure and update the data points

In my possession is a JSON tree structured as follows: { "projects": { "Proj1": { "milestones": { "default": "20150101", "default2": "20140406", "default3": "20140101", ...

javascriptjqueryjson

Get access to the file upload field using ajax

I'm encountering an issue with accessing the file upload field //HTML <input type='file' name='images' id="images" multiple> ////////////////// $('.bt-add-com').click(function(){ var formdata = new For ...

javascriptphpjqueryajax

Updating Select Options with Multiple Values using Javascript

My goal is to update the selected value of multiple select elements simultaneously using JavaScript. However, I am facing an issue where my script only updates one select element instead of all of them on the page. Unfortunately, I cannot modify the id att ...

javascriptjqueryhtml

Aurora MySQL causes PHP to stumble when encoding data into JSON

After transitioning my application from MySQL to Amazon Aurora's MySQL service, I encountered a challenge. The data retrieved from the database was used to search an Elasticsearch index through PHP's Elasticsearch library, which encodes query dat ...

phpmysqljsonelasticsearchamazon-aurora

Can you suggest an optimal way to structure MongoDB documents that frequently experience rapid growth in arrays?

My MongoDB document layout includes 6 top-level property fields that store array data. These arrays store IoT data collected from specific sensors throughout the day, and are updated every 2 seconds. Each new sensor packet appends data to all 6 arrays, pot ...

node.jsarraysmongodbmongodb-atlaswiredtiger

What is the best way to generate a list from a text file in javascript?

I have a document called department.txt which lists various departments: Chemistry Physics Mathematics Other I'm looking to generate a dropdown menu <select> in my HTML by importing this file. How can I achieve this using Javascript? There are ...

javascripthtml