JSON vulnerability protection



I am currently reading into some articles in how I can improve the security of my SPA / Phoenix API setup. One of the things I’ve stumbled upon is prefixing all your JSON responses with ")]}',\n" as mentioned by Angular (https://docs.angularjs.org/api/ng/service/$http#json-vulnerability-protection). And I was wondering what the best way to implement this in Phoenix / Jason. Thanks in advance for any suggestions


You’d probably do it in your JSON render call, just prefix it to the output.

However, wouldn’t that make the JSON, well, not JSON? ^.^;
I.E. you’d need to be sure to strip it out before using it anywhere.


The linked pieces of angular documentation link to this article, which has in my opinion a much better approach to fix that vulnerability. Always respond with a JSON object as the vulnerability only exist for top-level arrays, and if you want to reply with multiple items, just wrap them in an object, eg: {"data": [1, 2, 3]}.


Hard to access the angular link, couldn’t see anything useful on it… ^.^;

     * Develop                                                                                                                                                                                              
          * Developer Guide                                                                                                                                                                                 
          * API Reference                                                                                                                                                                                   
          * Error Reference                                                                                                                                                                                 
          * Contribute                                                                                                                                                                                      
          * Seed App project template                                                                                                                                                                       
          * GitHub                                                                                                                                                                                          
          * Changelog                                                                                                                                                                                       
          * Download                                                                                                                                                                                        
     * Discuss                                                                                                                                                                                              
          * Blog                                                                                                                                                                                            
          * Twitter                                                                                                                                                                                         
          * Google+                                                                                                                                                                                         
          * Feature & Bug Tracker                                                                                                                                                                           
          * Mailing List                                                                                                                                                                                    
          * IRC                                                                                                                                                                                             
          * Gitter                                                                                                                                                                                          
    {{ key }}                                                                                                                                                                                               
     * {{ item.name }}                                                                                                                                                                                      
   This site refers to AngularJS (v1.x). Go to the latest Angular.                                                                                                                                          
   This site and all of its contents are referring to AngularJS (version 1.x), if you are looking for the latest Angular, please visit angular.io.                                                          
     * / {{crumb.name}}                                                                                                                                                                                     
   Show / Hide Table of Contents                                                                                                                                                                            
     * {{ navGroup.name }}                                                                                                                                                                                  
          * {{navItem.extra.text}} {{navItem.name}}                                                                                                                                                         
   Loading …                                                                                                                                                                                                
   There was an error loading this resource. Please try again later.                                                                                                                                        
   Back to top                                                                                                                                                                                              
   Super-powered by Google ©2010-2018 (  )                                                                                                                                                                  
   Code licensed under The MIT License. Documentation licensed under CC BY 3.0. 

Even a lot of the links aren’t working…

But yeah, should always return a JSON object. :slight_smile:


Looks like you got the raw template, and it seems as if the angular documentation is implemented in angular, which makes kind of sense. I’m pretty sure you can read it after enabling JS :wink:

Anyway, as it is a very short piece of text I’ll quote it here:

JSON Vulnerability Protection

A JSON vulnerability allows third party website to turn your JSON resource URL into JSONP request under some conditions. To counter this your server can prefix all JSON requests with following string ")]}',\n" . AngularJS will automatically strip the prefix before processing it as JSON.

For example if your server needs to return:


which is vulnerable to attack, your server can return:


AngularJS will strip the prefix, before processing the JSON.


If you can tell me how to enable javascript that works with it in elinks then I would be ecstatic! Please state!
Or point me to a commandline browser (I have no GUI at the moment) that supports javascript and local filesystem access for downloads (I.E. not brow.sh). :slight_smile:

AngularJS will strip the prefix, before processing the JSON.

Ah built-in magic.


Yeah, applying the Angular solution to the problem will couple your server to the angular application.