ajibigad/corperwee-spring

Prevent JSON vulnerability

ajibigad opened this issue · 1 comments

Just read this article and I have been convinced of why I need to create a general format for all responses. The vulnerability, according to the article, is possible when we send JSON in the form of an array literal, e.g. ["boys", "girls"]. The array constructor can be hacked. (Read the article for more info.)

Presently, responses that are Lists (or Collections) are converted to an array by the JSON converter, e.g. the getCategories API replies with an array of category objects.

To prevent this, I am going to create a general envelope for wrapping all responses from all controllers. For now it's gonna be a simple envelope; all response data would be placed in the data property of the envelope. The final JSON sent would be { "data" : {}(or)[]}. This way the style of attack explained in the article would be prevented.

Fixed in this commit 5e68c6a
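
One way to apply the envelope described in the issue to every controller at once, shown as an added example and not the code from commit 5e68c6a or from this repository. It assumes Spring MVC 4.1 or later with Jackson 2 as the JSON converter; the names `EnvelopeAdvice` and `Envelope` are hypothetical.

```java
import org.springframework.core.MethodParameter;
import org.springframework.http.MediaType;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.converter.json.AbstractJackson2HttpMessageConverter;
import org.springframework.http.server.ServerHttpRequest;
import org.springframework.http.server.ServerHttpResponse;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.servlet.mvc.method.annotation.ResponseBodyAdvice;

// Hypothetical names: EnvelopeAdvice and Envelope are illustrative only.
@ControllerAdvice
public class EnvelopeAdvice implements ResponseBodyAdvice<Object> {

    /** Top-level JSON object that carries the real payload in "data". */
    public static final class Envelope {
        private final Object data;
        public Envelope(Object data) { this.data = data; }
        public Object getData() { return data; }
    }

    @Override
    public boolean supports(MethodParameter returnType,
                            Class<? extends HttpMessageConverter<?>> converterType) {
        // Only wrap bodies that Jackson will serialize. A String body written by
        // StringHttpMessageConverter would fail with a ClassCastException if wrapped.
        return AbstractJackson2HttpMessageConverter.class.isAssignableFrom(converterType);
    }

    @Override
    public Object beforeBodyWrite(Object body, MethodParameter returnType,
                                  MediaType selectedContentType,
                                  Class<? extends HttpMessageConverter<?>> selectedConverterType,
                                  ServerHttpRequest request, ServerHttpResponse response) {
        // Do not wrap twice when a controller already returns an Envelope.
        if (body instanceof Envelope) {
            return body;
        }
        // A List (for example the getCategories result) now serializes as
        // {"data":[...]} instead of a bare top-level array.
        return new Envelope(body);
    }
}
```

Because the wrapping happens in one advice class, a controller added later that returns a List cannot accidentally emit a top-level array.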