Cross Site Script Inclusion. The article touches on a lot of things (including C... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		personalcompute on June 18, 2011 \| parent \| context \| favorite \| on: JSON users: Avoid CSRFs by not using top-level arr... Cross Site Script Inclusion. The article touches on a lot of things (including CSRF), but the HN title refers specifically to JSON (As well as the link's '#' fragment identifier), and therefore the last section, where it shows an attack site including unprotected JSON through the <script> tag, and unless I'm seriously mistaken, this is the definition of XSSI.

pmh on June 21, 2011 [–]

Yes, this is XSSI and the exploit comes in because a JSON array is essentially treated as "executable" code in some JS implementations.

Here are a couple of resources that go a litle more into XSSI:

Google tech talk: http://www.youtube.com/watch?v=jC6Q1uCnbMo&feature=playe...

Gruyere codelab: http://google-gruyere.appspot.com/part3#3__cross_site_script...

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact