Website Security Alliance Alert webmaster: JavaScript scripting Site security to beware of JSON hijacking

Source: Internet
Author: User
Keywords Json javascript

Intermediary transaction http://www.aliyun.com/zixun/aggregation/6858.html ">seo diagnose Taobao guest cloud host technology Hall

Everyone site has JavaScript scripting code, a few years ago the use of the script is mostly to do cross-site scripting attacks, the harm is very large, of course, many sites also have such a problem. But in the Eesafe Web site Security Alliance in recent months in contact with the use of scripting attacks are focused on a new attack technology--json hijacked. Maybe everyone is unfamiliar with this, but should all know Ajax technology, JSON is using the AJAX technology flaw to attack the site. According to our statistics, the success rate of this attack is more than 70%, and for the attackers, the results have been very good.

How did the JSON attack come about?

First look at the form of using AJAX to transmit data to the foreground

  

It seems simple, and the JSON attack is to hijack the data before it is used.

An attacker who overloads in an AJAX callback function can hijack the data to make modifications before use, so if your site uses AJAX technology, you should pay special attention to it, and it is likely to be attacked.

How to prevent, add a Conten-type header tag, when this value is Application/json, the site's Ajax service will accept the request. This will play a role in defending against JSON hijacking attacks.

Eesafe website Security Alliance original article

Reprint please indicate the original address in the form of link: http://www.eesafe.com/bbs/thread-1392-1-1.html

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.