$.postJSON - how to avoid JSON attack

I’ve recently read a great article by Phil Haack, JSON Hijacking. It points out some JSON vulnerabilities, basically how sensitive data can be captured by bad people during a “GET JSON” request. During my web development I always start by adding some JavaScript helper methods. One of them, based on jQuery, makes an HTTP POST instead of a GET. The hijack depends on the victim's JSON being pulled in by a script tag on a hostile page, and a script tag can only issue GET requests, so an endpoint that refuses GET is out of its reach. This should be sufficient to avoid the majority of JSON attacks. So instead of $.getJSON( … ), use:

// Same shape as $.getJSON, but the request goes out as an HTTP POST
// and the response is parsed as JSON before reaching the callback.
$.postJSON = function(url, data, callback) {
  $.post(url, data, callback, "json");
};

And the action method with an HTTP method filter, so GET requests are rejected:

[AcceptVerbs(HttpVerbs.Post)]
public ActionResult DoSth(int id)
{
    // ... do the work, then return the result as JSON ...
    return Json(new { id = id });
}

As simple as that!
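To show the server side of the same idea in working code, here is an added example (not from the original post, and not jQuery's or ASP.NET MVC's own code): a framework-agnostic guard that does what [AcceptVerbs(HttpVerbs.Post)] does, and goes one step beyond the post by also requiring the X-Requested-With header that jQuery's $.post sends and by never serving a bare top-level array. The request and response shapes are constructed for illustration, not a real framework's API.

```javascript
// Server-side guard for a JSON endpoint (added example, constructed shapes).
// A <script src="..."> tag, the vector used to hijack JSON served on GET,
// can only issue GET requests, so refusing GET closes that route.
function guardJsonRequest(req) {
  // The verb check the post recommends: anything but POST is refused.
  if (req.method !== 'POST') {
    return { allowed: false, status: 405, reason: 'GET not allowed for JSON endpoint' };
  }
  // Beyond the post: same-origin jQuery XHR calls set this header, while a
  // script tag or plain HTML form cannot, so it confirms an XHR caller.
  const xrw = (req.headers['x-requested-with'] || '').toLowerCase();
  if (xrw !== 'xmlhttprequest') {
    return { allowed: false, status: 403, reason: 'missing X-Requested-With header' };
  }
  return { allowed: true, status: 200, reason: 'ok' };
}

// Beyond the post: a bare JSON array is valid JavaScript when loaded as a
// script, while an object literal with quoted keys is a syntax error, so
// arrays are wrapped in an object before serialization.
function safeJsonBody(data) {
  const payload = Array.isArray(data) ? { d: data } : data;
  return JSON.stringify(payload);
}

// Ties the two together the way an action method would.
function handleJson(req, data) {
  const verdict = guardJsonRequest(req);
  if (!verdict.allowed) {
    return { status: verdict.status, body: JSON.stringify({ error: verdict.reason }) };
  }
  return { status: 200, body: safeJsonBody(data) };
}

// Constructed sample requests (not real traffic) exercising the guard.
const sampleGet = { method: 'GET', headers: {} };
const samplePost = { method: 'POST', headers: { 'x-requested-with': 'XMLHttpRequest' } };

function demo() {
  return {
    viaGet: handleJson(sampleGet, [{ id: 1, secret: 'constructed' }]),   // status 405
    viaPost: handleJson(samplePost, [{ id: 1, secret: 'constructed' }]), // status 200
  };
}
```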
