
Recently I read some articles about 'JSON hijacking', and one of them is here.

So, I tried to do the following on my browsers, Chrome 17 (dev), Firefox 8, and IE8:

  • override Object or Array constructor
  • modify __defineSetter__ method
  • modify defineProperty method

But I couldn't do anything with (literal) JSON data.

Is the 'JSON hijacking' problem completely solved on modern browsers? Or how can I reproduce it?

Ohgyun Ahn
  • +1 Great question. FWIW, I couldn't get `Object.defineProperty()` or the overriding of `Array` to work in Chrome 16. – Matt Dec 21 '11 at 09:44
  • Read this http://stackoverflow.com/questions/2669690/why-does-google-prepend-while1-to-their-json-responses – Klemen Tusar Aug 29 '14 at 12:13

2 Answers


It's not about the legitimate application parsing the JSON - JSON hijacking is an information disclosure issue in which some malicious party requests your JSON data instead of the real application, usually while the user is logged into the application that uses the API. Simple authentication does not help, as the browser sends the auth information (e.g. the auth cookie) for free :-/.

But with ES5, most current browsers won't be directly affected by this issue anymore. Nonetheless, defense in depth rules! And it may protect against future issues or regressions too.

lao
dalini

Something like that could in theory be abused if you use eval to decode JSON.

Popular JS libraries which provide JSON decoding functionality will default to JSON.parse when the browser has built-in JSON support, so any recent browser shouldn't be vulnerable unless your code is incorrectly written.

Jani Hartikainen
  • Decoding is not really relevant as a remote domain could not read the response anyway due to the [Same Origin Policy](http://en.wikipedia.org/wiki/Same-origin_policy). – SilverlightFox Jan 08 '14 at 09:46
  • The whole point is that the Same Origin Policy does not apply to script tags. – Aug 29 '14 at 12:34