Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Haacked has a step-by-step description of how this attack works: http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-js...

The Microsoft asp.net web stack avoids this by automatically wrapping json responses with an object "{d:...}".

The comments describe this as only affecting FF2.0 although testing was informal. (You should, of course, still protect your services.)



That wouldn't work, you can override the Object constructor in JavaScript as well. You have to prepend something like `while(1);` to the JSON responses you're returning.


I can see why you would think that but it does work because a script that just contains a JSON object is not a valid JavaScript file. The browser will give an error. Whereas a script that just contains a JSON array is valid.


I think it's just the ASP.Net AJAX Toolkit not plain ASP.Net or ASP.Net MVC.


Thanks, I should have clarified. Here is the breakdown according to Phil's post linked below:

ASP.NET ASMX Web Services, WCF Web Services, and the now-defunct ASP.NET AJAX automatically wrap with {'d':...}.

ASP.NET MVC does not.

Phil explains that the reason there is a difference is that with MVC there is no common client library that automatically strips the {'d':...} wrapper. So they felt it would be too confusing for users. http://haacked.com/archive/2009/06/25/json-hijacking.aspx

That was an old article so maybe they have changed the default behavior since then. In any case, you can manually wrap the response with {'d':...}.


ASP.Net also requires POST for web service calls, so this sort of include doesn't work.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: