Website Security Alliance Alert webmaster: JavaScript scripting Site security to beware of JSON hijacking

Intermediary transaction http://www.aliyun.com/zixun/aggregation/6858.html ">seo diagnose Taobao guest cloud host technology Hall

Everyone site has JavaScript scripting code, a few years ago the use of the script is mostly to do cross-site scripting attacks, the harm is very large, of course, many sites also have such a problem. But in the Eesafe Web site Security Alliance in recent months in contact with the use of scripting attacks are focused on a new attack technology--json hijacked. Maybe everyone is unfamiliar with this, but should all know Ajax technology, JSON is using the AJAX technology flaw to attack the site. According to our statistics, the success rate of this attack is more than 70%, and for the attackers, the results have been very good.

How did the JSON attack come about?

First look at the form of using AJAX to transmit data to the foreground

It seems simple, and the JSON attack is to hijack the data before it is used.

An attacker who overloads in an AJAX callback function can hijack the data to make modifications before use, so if your site uses AJAX technology, you should pay special attention to it, and it is likely to be attacked.

How to prevent, add a Conten-type header tag, when this value is Application/json, the site's Ajax service will accept the request. This will play a role in defending against JSON hijacking attacks.

Eesafe website Security Alliance original article

Reprint please indicate the original address in the form of link: http://www.eesafe.com/bbs/thread-1392-1-1.html