
In light of posts such as these:

JSON unparseable cruft: Why so serious?

Why do people put code like "throw 1; <dont be evil>" and "for(;;);" in front of json responses?

Why does Google prepend while(1); to their JSON responses?

I would like to follow the advice laid out in the following answer: How should web app developers defend against JSON hijacking?

Is there an easy way to add an unparsable cruft to JSON responses built using System.Web.Mvc.JsonResult? The security.se post suggests that I use </* at the beginning of the response.

SilverlightFox

1 Answer


You could write a custom action result to perform this:

using System.Web.Mvc;

// JsonResult subclass that writes an unparseable prefix before the JSON body,
// so the response cannot be executed if a third-party page includes it via <script src="...">.
public class SafeJsonResult : JsonResult
{
    public override void ExecuteResult(ControllerContext context)
    {
        // Written before the base class sets the content type and serialises Data;
        // legitimate XHR callers must strip this prefix before parsing.
        context.HttpContext.Response.Write("</*");
        base.ExecuteResult(context);
    }
}

and then use it instead of the default one:

// Example controller (the class name is assumed) returning the prefixed result;
// AllowGet is required because JsonResult refuses GET requests by default.
public class HomeController : Controller
{
    public ActionResult Index()
    {
        return new SafeJsonResult
        {
            Data = new { Foo = "bar" },
            JsonRequestBehavior = JsonRequestBehavior.AllowGet,
        };
    }
}
Darin Dimitrov
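The browser-side half of this defence, as an added example that is not part of the question or answer (the sample payload is constructed here and the helper names are my own): it shows why a bare JSON array is a valid JavaScript program while the `</*`-prefixed body is not, and how a legitimate consumer strips the prefix before calling JSON.parse.

```javascript
// Constructed sample: what SafeJsonResult would emit for an array payload
// (arrays matter because a bare JSON array is itself a valid JS program).
const CRUFT = "</*";
const plainBody = JSON.stringify([{ Foo: "bar" }]);
const safeBody = CRUFT + plainBody;

// True when the body cannot even be compiled as a script, which is what
// stops a <script src="/api/data"> inclusion from running it.
function isUnexecutable(body) {
  try {
    new Function(body); // compiles the text as a function body, does not run it
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Legitimate XHR/fetch consumer: insist on the prefix, strip it, then parse.
function parseSafeJson(body) {
  if (!body.startsWith(CRUFT)) {
    throw new Error("missing anti-hijacking prefix; refusing to parse");
  }
  return JSON.parse(body.slice(CRUFT.length));
}
```

In a fetch() wrapper this becomes `response.text().then(parseSafeJson)` in place of `response.json()`.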