The following prevention mechanisms mitigate JSON hijacking (also called JavaScript hijacking) attacks:
- In JavaScript, use .innerText instead of .innerHTML. The value is then treated as plain text rather than parsed as markup. Use .innerHTML only when you actually need to display HTML.
- Do not use the eval function to parse responses; it executes whatever the response contains.
- Do not rely on client logic to ensure security.
- Avoid writing serialization code.
- Avoid building XML dynamically. Use an encoding library to make attributes and element data safe.
- Use SSL/TLS, and perform encryption on the server, not in client-side code.
- Always return JSON with an object on the outside. For example: {"result": [{"object": "inside an array"}]}
- Use a framework to build XML. Do not build XML by hand.
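The "object on the outside" rule works because a bare JSON array is also a valid JavaScript program, while an object literal with quoted keys is a syntax error when loaded as a script. The following is an added example, not code from the original article; the helper names parsesAsScript, wrapResponse and isSafeJsonResponse are my own.

```javascript
// Added example (not from the original article): shows why an outer JSON
// object defeats script-tag inclusion while a bare array does not.

// Returns true if `text` is accepted by the JavaScript parser as a script,
// i.e. a <script src=...> pointing at this body would execute it.
// new Function() only parses the body; it never runs it.
function parsesAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Server-side helper: wrap any payload so the outermost value is an object.
function wrapResponse(data) {
  return JSON.stringify({ result: data });
}

// Response check: valid JSON, outer value is a plain object (not an array
// or scalar) and the body is not parseable as a script.
function isSafeJsonResponse(text) {
  let value;
  try {
    value = JSON.parse(text);
  } catch (e) {
    return false;
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    return false;
  }
  // '{}' is valid JSON and also a valid (empty) JS block, so it still
  // parses as a script; it is flagged here even though it carries no data.
  return !parsesAsScript(text);
}

// Constructed sample responses.
const bareArray = '[{"object": "inside an array"}]';
const wrapped = wrapResponse([{ object: 'inside an array' }]);

console.log(parsesAsScript(bareArray));     // true  -> loadable as a script
console.log(parsesAsScript(wrapped));       // false -> SyntaxError at ':'
console.log(isSafeJsonResponse(bareArray)); // false
console.log(isSafeJsonResponse(wrapped));   // true
```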
For more information on prevention mechanisms:
The above article gives a brief overview of JSON hijacking or JavaScript hijacking. Interested readers who want to know more about different web application vulnerabilities may want to refer to the book “Web Application Vulnerabilities And Prevention.”