Backbone Patterns JSON preloading XSS vulnerability

Friday, February 10th, 2012

I was skimming through Backbone Patterns by Rico Sta. Cruz to see if I could learn something from the Backbone practices and apply it to our own in-house systems, which achieve pretty much the same things in a slightly different manner.

The following code caught my eye as we at Meetin.gs have been bitten by the same problem in the past:

<script>
 App.photos = new Photos(<?php echo json_encode($photos); ?>);
</script>

The data in $photos is usually pretty arbitrary and it is hard to make sure that it does not contain something like this:

{ "name" : "</script><script>alert(\"xss\")</script>" }

The way we at Meetin.gs have solved this XSS vulnerability is by URI-encoding the JSON on the page and then decoding it with decodeURIComponent before passing it to a JSON parser. Here is a quick (completely untested) example with jQuery:

App.photos = new Photos( jQuery.parseJSON( decodeURIComponent(
    // rawurlencode() leaves only A-Za-z0-9 and -_.~ unencoded, so its output
    // must sit inside a JS string literal and cannot break out of the quotes
    '<?php echo rawurlencode( json_encode( $photos ) ); ?>'
) ) );
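
To make the breakout and the fix concrete, here is an added example (not code from the original post or from Backbone Patterns) that simulates the PHP templating step in JavaScript: it renders the unsafe template and the URI-encoded one for the hostile payload above and checks which of them closes the script block early. JSON.stringify stands in for the server-side JSON encoder (unlike PHP's json_encode it does not escape "/" by default, so it reproduces the payload exactly as written in the post), and rawurlencode() below is a JS re-implementation of the PHP function, assumed to match its RFC 3986 behaviour.

```javascript
// JS equivalent of PHP rawurlencode(): encodeURIComponent plus the five
// characters it leaves alone that PHP also percent-encodes. Only A-Za-z0-9
// and -_.~ survive, so the result is safe inside any JS string literal.
function rawurlencode(str) {
  return encodeURIComponent(str).replace(/[!'()*]/g, function (c) {
    return '%' + c.charCodeAt(0).toString(16).toUpperCase();
  });
}

// Unsafe template from the Backbone Patterns page: JSON dropped in verbatim.
function unsafeScript(photos) {
  return '<script>\n App.photos = new Photos(' +
         JSON.stringify(photos) + ');\n</script>';
}

// Hardened template from the post: percent-encoded JSON placed inside a
// single-quoted JS string and decoded again in the browser.
function safeScript(photos) {
  return "<script>\n App.photos = new Photos( JSON.parse( decodeURIComponent('" +
         rawurlencode(JSON.stringify(photos)) + "') ) );\n</script>";
}

// The HTML parser ends a script block at the first "</script", whatever the
// JS string context, so a correctly rendered page contains exactly one.
function breaksOutOfScript(markup) {
  return (markup.match(/<\/script/gi) || []).length !== 1;
}

// What the browser hands to Photos after the decode step (round-trip check).
function decodedPayload(photos) {
  return JSON.parse(decodeURIComponent(rawurlencode(JSON.stringify(photos))));
}

// Constructed sample data, same shape as the hostile record in the post.
var hostilePhotos = [{ name: '</script><script>alert("xss")</script>' }];

console.log('unsafe breaks out:', breaksOutOfScript(unsafeScript(hostilePhotos))); // true
console.log('safe breaks out:  ', breaksOutOfScript(safeScript(hostilePhotos)));   // false
console.log('round trip intact:', decodedPayload(hostilePhotos)[0].name === hostilePhotos[0].name); // true
```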

It would be nice to see at least a note of this on the Backbone Patterns page as this vulnerability is not an easy one to catch and might end up in many places.

This vulnerability was first brought to our attention by Harry Sintonen, so huge thanks to him for it.