笑故挽风 2008-12-27 23:40 采纳率: 100%
浏览 80

JSON安全最佳做法?

While researching the issue of JSON vs XML, I came across this question. Now one of the reasons to prefer JSON was listed as the ease of conversion in Javascript, namely with the eval(). Now this immediately struck me as potentially problematic from a security perspective.

So I started doing some research into the security aspects of JSON and across this blog post about how JSON is not as safe as people think it is. This part stuck out:

Update: If you are doing JSON 100% properly, then you will only have objects at the top level. Arrays, Strings, Numbers, etc will all be wrapped. A JSON object will then fail to eval() because the JavaScript interpreter will think it's looking at a block rather than an object. This goes a long way to protecting against these attacks, however it's still best to protect your secure data with un-predictable URLs.

Ok, so that's a good rule to start with: JSON objects at the top level should always be objects and never arrays, numbers or strings. Sounds like a good rule to me.

Is there anything else to do or avoid when it comes to JSON and AJAX related security?

The last part of the above quote mentions unpredictable URLs. Does anyone have more information on this, especially how you do it in PHP? I'm far more experienced in Java than PHP and in Java it's easy (in that you can map a whole range of URLs to a single servlet) whereas all the PHP I've done have mapped a single URL to the PHP script.

Also, how exactly do you use unpredictable URLs to increase security?

  • 写回答

3条回答 默认 最新

  • weixin_33735077 2008-12-28 00:00
    关注

    it's still best to protect your secure data with un-predictable URLs.

    Emphasis mine. What nonsense! It's best to protect your secure data with some proper authentication and possibly some encryption on top of that. JSON exchanges can still use existing authentication techniques (eg sessions through cookies) and SSL.

    Relying on somebody not guessing a URL (what they're effectively talking about) will only be a reasonable technique (and even then, only just) when you're using JSON to export data to an anonymous third party (eg a web service). One example is Google's various web service API where anonymous users access Google-data through other websites. They use domain-referrer and API keys to make sure the man-in-the-middle website is allowed to provide Gooogle data.

    If you're just using JSON to send private data to and from a direct, known user agent, use some real authentication and encryption. If you're trying to provide a webservice, then it really depends on how "secure" this data is going to be. If it's just public data and you don't mind who can read it, I don't see the point in making a hashy URL.

    Edit: to demonstrate what they mean, consider this. Imagine your bank provided a JSON API for getting statements. If I could just type http://yourbank.com/json-api/your-name/statement, you probably wouldn't be best pleased.

    They could generate a unique string for your account that was required in any JSON request though, eg: http://yourbank.com/json-api/your-name/big-long-key-unique-to-you/statement

    I would have far less chance of being able to guess that. But would you really want that being the only buffer between your genuinely secure data and potential identity thieves? No.

    评论

报告相同问题?

悬赏问题

  • ¥15 有赏,i卡绘世画不出
  • ¥15 如何用stata画出文献中常见的安慰剂检验图
  • ¥15 c语言链表结构体数据插入
  • ¥40 使用MATLAB解答线性代数问题
  • ¥15 COCOS的问题COCOS的问题
  • ¥15 FPGA-SRIO初始化失败
  • ¥15 MapReduce实现倒排索引失败
  • ¥15 ZABBIX6.0L连接数据库报错,如何解决?(操作系统-centos)
  • ¥15 找一位技术过硬的游戏pj程序员
  • ¥15 matlab生成电测深三层曲线模型代码