Overriding the Array Constructor
If the JSON data returned by the target application contains a serialized array,
the malicious web site can override the default constructor for arrays in order
to gain access to the JSON data when the array is constructed. This attack can
be performed as follows in the Firefox browser:
This proof-of-concept attack performs three key actions:
■ It implements a function called capture, which simply generates an alert
  displaying any data passed to it.
■ It overrides the Array object and defines the setter for the first three
  elements in the array to be the capture function.
■ It includes the target JSON object within the page by setting the relevant
  URL as the src attribute of a