Question

So I was looking through the Mootools docs for Request and noticed a somewhat recent comment posted that reads the following...

"Be aware of XSS vulnerability: Default value for secure is falsy, which means that JSON.decode("alert(document.cookie)") shows a popup!"

The documentation for the JSON.decode method says this:

JSON Method:Decode

Converts a JSON string into a JavaScript object.

Syntax:

var object = JSON.decode(string[, secure]);

Arguments:

string - (string) The string to evaluate.

secure - (boolean, optional: defaults to false) If set to true, checks for any hazardous syntax and returns null if any found.

Returns: (object) The object represented by the JSON string.

So, based on the documentation, it's pretty obvious to me that the JSON.decode method is set to be "insecure" by default. My question though is what (if anything) that has to do with XSS, and whether that comment from the top of my post is valuable. Assuming you're using Mootools in the frontend, and you trust the address you're making your AJAX call to, how could this be an XSS security exploit?

http://mootools.net/docs/core/Utilities/JSON


Solution 2

After reading pages of documentation and learning everything I can about XSS, it seems to me that the only way to introduce an XSS vulnerability solely with front-end javascript is to use that code to perform "server-like" decisions. What I'm referring to is what is called DOM-Based XSS, whereby your front-end js code takes parameters from either the URL query string, or some other unattached resource and attempts to do something with that input without properly sanitizing and/or escaping it beforehand.

This really has nothing to do with eval() though, and has everything to do with how you design your "site experience" with regard to responses/requests. The way you avoid XSS is by making sure that your code never loads/sends anything it can't trust. eval() is just a function.

OTHER TIPS

The problem here is eval().

Since "back in the days", before JSON.parse() came to life, Mootools used eval to return the parsed JSON. So the problem here is the same as discussed here about eval().

If you write code just for modern browsers, go for vanilla JSON.parse(). If you need cross-browser support down to IE6, then Mootools does the job for you ™. Mootools gives powerful tools for developers; turn on the secure option/parameter if you don't want to use eval.
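The following is an added example, not code from the question, the answers or Mootools itself. It builds a minimal decoder with the same shape as the documented JSON.decode(string[, secure]) API so the three behaviours discussed above can be observed side by side: the eval-based path that the comment warns about, the secure path that returns null on anything that is not plain JSON, and the JSON.parse() replacement the second answer recommends. The "hazardous syntax" check is an assumption modelled on the well-known json2.js sanity regex; Mootools' own validator is not shown on this page. The "payload" string is constructed for the demo and sets a global flag instead of calling alert(), so the side effect is visible in Node without a browser.

```javascript
// Added example (not Mootools' own code). Mimics the documented
// JSON.decode(string[, secure]) contract to show why the insecure default
// matters when the response body is not what you expected.

// Assumed "hazardous syntax" check, modelled on the json2.js sanity regex.
// After the substitutions below, a string that is purely JSON is reduced
// to brackets, colons, commas and whitespace; anything else (identifiers,
// '=', '.', '(') survives and fails the final test.
function looksLikeJson(text) {
  const stripped = text
    .replace(/\\["\\\/bfnrtu]/g, '@')
    .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']')
    .replace(/(?:^|:|,)(?:\s*\[)+/g, '');
  return /^[\],:{}\s]*$/.test(stripped);
}

// Legacy-style decoder: with secure=false the string goes straight to eval
// (the behaviour the question's comment describes); with secure=true anything
// that is not plain JSON is rejected with null, as the docs state.
function legacyDecode(string, secure) {
  if (secure && !looksLikeJson(string)) return null;
  return eval('(' + string + ')'); // eslint-disable-line no-eval
}

// Modern replacement from the second answer: JSON.parse never executes code;
// a non-JSON body simply throws, which we map to null for comparison.
function modernDecode(string) {
  try {
    return JSON.parse(string);
  } catch (e) {
    return null;
  }
}

// Constructed sample inputs (not from the page).
const HARMLESS = '{"user":"alice","roles":["admin"]}';
// Stand-in for the comment's alert(document.cookie): a comma expression that
// sets a global flag and still yields an object, so the caller sees "valid" data.
const SIDE_EFFECT = 'globalThis.decoderRanCode = true, {"user":"mallory"}';

// Runs each decoder over both inputs and reports whether code executed.
function demo() {
  globalThis.decoderRanCode = false;
  const results = {
    unsafeHarmless: legacyDecode(HARMLESS, false),
    unsafePayload: legacyDecode(SIDE_EFFECT, false),
    codeRanUnsafe: globalThis.decoderRanCode,
  };

  globalThis.decoderRanCode = false;
  results.securePayload = legacyDecode(SIDE_EFFECT, true);
  results.codeRanSecure = globalThis.decoderRanCode;

  results.modernPayload = modernDecode(SIDE_EFFECT);
  results.modernHarmless = modernDecode(HARMLESS);
  return results;
}

console.log(demo());
```

The point for the question's "I trust the address" scenario: the eval path trusts whatever bytes arrive in the response body, so a compromised or spoofed endpoint, a proxy, or a JSONP-style callback that returns something other than JSON becomes a script injection. Both the secure flag and JSON.parse() reduce that to a null result instead of executed code; the trade-off is that legitimate but sloppy responses (JavaScript object literals with unquoted keys, for example) are rejected too.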

Licensed under: CC-BY-SA with attribution