• Topic
  • Discussion
  • OATWikiWeb.OATDOCsecurity(Last) -- Owiki? , 2016-08-19 14:58:52 Edit owiki 2016-08-19 14:58:52

    Ajax Security mechanisms

    Under some circumstances (GET requests for JSON-serialized data), it is possible for a malicious site to hijack personal data. More about this can be found in this document. OAT provides support for preventing these attacks. To make your web application invulnerable to such attacks, use the following:

    • Shared secret cookie verification - For every GET request generated, OAT sets a cookie named oatSecurityCookie to a random value. The same value is appended to a query string. Server endpoint is encouraged to compare these two values and verify that they don't differ. This guarantees that the request was made from the correct page.
    • JS Traps in returned JSON - To prevent JSON code execution, OAT filters out the following text parts from JSON data:
    • The while(1); construct, located at the beginning of JSON text,
    • Comments at the beginning and end of the text. JSON data providers are encouraged to use one or both of these methods to prevent data execution. Such JSON response may then look like this:
    while(1);/*{[
            {"name":"safe value 1"},
            {"name":"safe value 2"},
            ...
    ]}*/
    

    Referenced by...