Is this a valid JSON response?
G'day gurus,
I'm calling the REST APIs of an enterprise application that shall remain nameless, and they return JSON such as the following:
throw 'allowIllegalResourceCall is false.';
{
"data": ... loads of valid JSON stuff here ...
}
Is this actually valid JSON? If (as I suspect) it isn't, is there any compelling reason for these kinds of shenanigans?
The response I received from the application vendor is that this is done for security purposes, but I'm struggling to understand how this improves security much, if at all.
Thanks in advance!
Peter
According to http://jsonlint.com/ it is not.
Something like the below is.
{
"data": "test"
}
Are they expecting you to pull the JSON load out of the message above?
It's not a JSON format at all. From your question it seems you are working with enterprise systems like JIVE :). I am also facing the same issue with the JIVE API. This is the problem with their V3 API. Not standard, but the following thing worked for me. (I am not sure if you are talking about JIVE or not)
// Invalid JSON response... https://developers.jivesoftware.com/community/thread/2153
// Strip the leading throw statement, then parse what remains as JSON.
jiveResponse = jiveResponse.Replace("throw 'allowIllegalResourceCall is false.';", String.Empty);
There is a valid reason for this: it protects against CSRF attacks. If you include a JSON URL as the target of a <script> tag, then the same-origin policy doesn't apply. This means that a malicious site can include the URL of a JSON API, and any authenticated users will successfully request that data.
By appropriately overriding Object.prototype and/or Array.prototype, the malicious site can get any data parsed as an object literal or array literal (and all valid JSON is also valid JavaScript). The throw statement protects against this by making it impossible to parse JavaScript included on a page via <script> tags.
Definitely NOT valid JSON. Maybe there's an error in the implementation that is mixing some kind of debug output with the correct output?
And this is by no means for security reasons. Seems to me this is a plain bug.
throw 'allowIllegalResourceCall is false.';
is certainly not valid JSON.
What MIME type is reported?
It seems they have added that line to prevent JSON Hijacking. Something like that line is required to prevent JSON Hijacking only if you return a JSON array. But they may have added that line above all of their JSON responses for easier implementation.
Before using it, you have to strip out the first line, and then parse the remaining as JSON.
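The two points made in the answers above, that a body loaded through a <script> tag is executed as a script (so a leading throw statement stops anything after it from being evaluated) and that a client must strip that first line before parsing the rest as JSON, can be shown together in a short JavaScript example. This is an added example, not code from the question or from any of the answers; the guard text is the one quoted in the question, while the sample bodies and every function name are constructed for the example.

```javascript
// Added example, not from the original question or any answer.
// Shows (1) why a leading `throw` statement stops a JSON body from being
// consumed through a <script> tag, and (2) how a legitimate client strips
// the guard before calling JSON.parse. The guard text is the one quoted in
// the question; the sample bodies and function names are constructed here.

const GUARD_PREFIX = "throw 'allowIllegalResourceCall is false.';";

// Constructed sample bodies, shaped like the one in the question.
const UNGUARDED_OBJECT = JSON.stringify({ data: { id: 1, name: "test" } }, null, 2);
const UNGUARDED_ARRAY = JSON.stringify([{ id: 1 }, { id: 2 }]);
const GUARDED_OBJECT = GUARD_PREFIX + "\n" + UNGUARDED_OBJECT;
const GUARDED_ARRAY = GUARD_PREFIX + "\n" + UNGUARDED_ARRAY;

// Reproduce, in a controlled way, what a browser does with a response loaded
// via <script src="...">: compile the whole body as a script and run it.
//   "evaluated"    - the body ran to completion, i.e. the literal was evaluated
//                    as a statement (this is the case the guard exists for)
//   "syntax-error" - the body is not a valid script, so nothing ran at all
//   "guard-threw"  - the leading throw statement fired before the literal
function scriptOutcome(body) {
  try {
    new Function(body)();
    return "evaluated";
  } catch (e) {
    return e instanceof SyntaxError ? "syntax-error" : "guard-threw";
  }
}

// Client-side parser for the guarded format. It refuses to parse a body that
// lacks the expected guard: that usually means an error page or a changed API
// contract, and silently feeding it to JSON.parse would hide the problem.
function parseGuardedJson(body, prefix = GUARD_PREFIX) {
  if (!body.startsWith(prefix)) {
    throw new Error("response does not start with the expected guard prefix");
  }
  // JSON.parse tolerates the leading newline left behind by the guard line.
  return JSON.parse(body.slice(prefix.length));
}

// Collect the outcomes for each sample body so they can be inspected together.
function summarize() {
  return {
    unguardedObject: scriptOutcome(UNGUARDED_OBJECT), // "syntax-error"
    unguardedArray: scriptOutcome(UNGUARDED_ARRAY),   // "evaluated"
    guardedObject: scriptOutcome(GUARDED_OBJECT),     // "syntax-error"
    guardedArray: scriptOutcome(GUARDED_ARRAY),       // "guard-threw"
    parsedName: parseGuardedJson(GUARDED_OBJECT).data.name, // "test"
  };
}

console.log(summarize());
```

The two unguarded cases reproduce the point in the last answer: a top-level object literal is already a syntax error when compiled as a script (the `"data":` after the opening brace cannot be a statement), whereas a top-level array literal compiles and is evaluated, so the guard only changes the outcome for array responses. On the client side, checking for the exact prefix before slicing it off is preferable to a blind string replace, because a missing prefix is a signal worth surfacing rather than hiding.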