Ajax Security
mechanisms
Under some circumstances (GETrequests for JSON-serialized
data), it is possible for a malicious site to hijack personal
data. More about this can be found in this document. OAT
provides support for preventing these attacks. To make your web
application invulnerable to such attacks, use the
following:
-
Shared secret cookie verification - For every GET
request generated, OAT sets a cookie named oatSecurityCookie
to a random value. The same value is appended to a query
string. Server endpoint is encouraged to compare these two
values and verify that they don't differ. This guarantees
that the request was made from the correct page.
-
JS Traps in returned JSON - To prevent JSON code
execution, OAT filters out the following text parts from JSON
data:
- The while(1); construct, located at the beginning of JSON
text,
- Comments at the beginning and end of the text.JSON data
providers are encouraged to use one or both of these methods
to prevent data execution. Such JSON response may then look
like this:
while(1);/*{[
{"name":"safe value 1"},
{"name":"safe value 2"},
...
]}*/