Geeks With Blogs
Chris Breisch   .NET Data Practices

Scott Guthrie has a great post on how to limit your exposure to JSON hijacking in ASP.NET AJAX 1.0.

What's JSON hijacking?

[T]hese attacks use HTTP GET requests invoked via an HTML <script src=""> include element to circumvent the "same origin policy" enforced by browsers (which limits JavaScript objects like XmlHttpRequest to only calling URLs on the same domain that the page was loaded from), and then look for ways to exploit the JSON payload content.

The good news?  ASP.NET AJAX does not enable HTTP GET requests to script-enabled web services by default: a service method only answers POST unless you explicitly opt in with UseHttpGet=true on its [ScriptMethod] attribute, and a <script src=""> include can only ever issue a GET.  So that will help.

Also, ASP.NET AJAX validates the Content-Type header: a request to one of these web services must declare its body as application/json.  This protects you because a <script src=""> include sends no such header and a cross-site form post can only send form content types, so a malicious page cannot forge the header, and ASP.NET rejects the request before it reaches your method.
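To make the two defaults concrete, here is an added example (my own code, not Scott's and not the ASP.NET AJAX runtime) that models them as a request gate and runs it over constructed request shapes: what a <script src=""> include sends, what an auto-submitted cross-site form sends, and what the site's own XMLHttpRequest call sends. The `allowGet` option stands in for UseHttpGet=true; the sample URLs and request objects are made up for the demonstration, and the model assumes an opted-in GET is still held to the Content-Type rule.

```javascript
// Added example, not from the original post or from ASP.NET AJAX itself:
// a gate that models the two defaults described above (POST only unless
// opted in, and Content-Type must be application/json).

// Pull the media type out of a Content-Type header, dropping parameters
// such as "; charset=utf-8" and normalising case.
function mediaType(contentType) {
  if (typeof contentType !== "string") return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// Decide whether a request may reach a JSON-returning service method.
// opts.allowGet models [ScriptMethod(UseHttpGet = true)], off by default.
function allowJsonRequest(req, opts = {}) {
  const allowGet = opts.allowGet === true;
  const method = String(req.method || "").toUpperCase();
  const headers = req.headers || {};

  // Rule 1: only POST unless the method explicitly opted into GET.
  // A <script src="..."> include can only ever issue a GET, so by default
  // it never gets this far.
  if (method !== "POST" && !(allowGet && method === "GET")) {
    return { ok: false, reason: "method not allowed: " + method };
  }

  // Rule 2: the request must declare its body as JSON. Script includes
  // carry no Content-Type at all, and a cross-site <form> can only send
  // form-urlencoded, multipart or text/plain, so a foreign page cannot
  // satisfy this check without XMLHttpRequest, which the same-origin
  // policy stops it from pointing at another site.
  if (mediaType(headers["content-type"]) !== "application/json") {
    return { ok: false, reason: "content-type must be application/json" };
  }
  return { ok: true, reason: "" };
}

// Constructed sample requests, shaped like what a browser would send.
// The host name is made up for the example.
const SAMPLE_REQUESTS = {
  // <script src="https://bank.example/Accounts.asmx/GetBalances"> on an attacker page
  scriptInclude: { method: "GET", headers: { accept: "*/*" } },
  // an auto-submitted cross-site <form method="post"> on an attacker page
  formPost: {
    method: "POST",
    headers: { "content-type": "application/x-www-form-urlencoded" },
  },
  // the site's own client-side proxy call over XMLHttpRequest
  ajaxPost: {
    method: "POST",
    headers: { "content-type": "application/json; charset=utf-8" },
  },
  // a GET carrying the JSON header; only passes once the method opts in
  optInGet: { method: "GET", headers: { "content-type": "application/json" } },
};

// Run every sample through the gate with the default settings, then the
// opted-in GET again with allowGet enabled, and report which ones pass.
function runSamples() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
    out[name] = allowJsonRequest(req).ok;
  }
  out.optInGetWithFlag = allowJsonRequest(SAMPLE_REQUESTS.optInGet, { allowGet: true }).ok;
  return out;
}

console.log(runSamples());
```

Only the site's own XMLHttpRequest POST passes with the defaults; the script include fails on the method, the cross-site form post fails on the header, and a GET is accepted only after the method opts in and still has to carry application/json.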

He explains it much better than I do.  Read the whole thing.

Posted on Tuesday, May 22, 2007 9:52 AM ASP.NET

Comments on this post: JSON Hijacking and How You Can Avoid It


Copyright © Chris J. Breisch