Why does OWASP recommend to never return JSON arrays not wrapped in objects?

AJAX Security Cheat Sheet § Always return JSON with an Object on the outside says:

Always have the outside primitive be an object for JSON strings:

Exploitable:

[{"object": "inside an array"}]

Not exploitable:

{"object": "not inside an array"}

Also not exploitable:

{"result": [{"object": "inside an array"}]}

Sadly, they don't provide a rationale, at least not in the cheatsheet.

Why is that so?

As far as I'm aware, the possible attack here is JavaScript array constructor poisoning, but that's been fixed for a long time already (in ES5).

Am I missing something?
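As an added illustration (not part of the question or of the OWASP cheat sheet), here is a small Python check that applies the rule mechanically: it flags responses whose outermost JSON value is not an object and rewrites them into the "also not exploitable" form. The envelope key `result` is taken from the cheat sheet's example; the function names are my own.

```python
import json
from typing import Any, List

# Envelope key borrowed from the cheat sheet's example; any fixed key works.
ENVELOPE_KEY = "result"


def top_level_is_object(body: str) -> bool:
    """True if the JSON text has an object (dict) as its outermost value."""
    return isinstance(json.loads(body), dict)


def enforce_object_envelope(body: str) -> str:
    """Return a JSON body whose outermost value is an object.

    Objects pass through unchanged. Arrays and bare primitives are wrapped as
    {"result": <value>}, matching the third form in the cheat sheet. Malformed
    JSON raises json.JSONDecodeError instead of being passed through untouched.
    """
    value: Any = json.loads(body)
    if isinstance(value, dict):
        return body
    return json.dumps({ENVELOPE_KEY: value})


def audit_responses(bodies: List[str]) -> List[int]:
    """Indexes of responses that violate the rule; usable in a test suite or
    over a batch of captured API responses."""
    return [i for i, b in enumerate(bodies) if not top_level_is_object(b)]


# Constructed samples mirroring the three cases quoted in the question.
SAMPLES = [
    '[{"object": "inside an array"}]',
    '{"object": "not inside an array"}',
    '{"result": [{"object": "inside an array"}]}',
]

if __name__ == "__main__":
    for i in audit_responses(SAMPLES):
        print(f"response {i} has a top-level array; rewritten: "
              f"{enforce_object_envelope(SAMPLES[i])}")
```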