26Mar
Why does OWASP recommend never returning JSON arrays that are not wrapped in objects?
AJAX Security Cheat Sheet § Always return JSON with an Object on the outside says:
Always have the outside primitive be an object for JSON strings:
Exploitable:
[{"object": "inside an array"}]
Not exploitable:
{"object": "not inside an array"}
Also not exploitable:
{"result": [{"object": "inside an array"}]}
Sadly, they don't provide a rationale, at least not in the cheat sheet.
Why is that so?
As far as I'm aware, the possible attack here is JavaScript array constructor poisoning, but that's been fixed for a long time already (in ES5).
Am I missing something?
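An added example, not part of the question above, that makes the cheat sheet's distinction concrete from an audit standpoint: a top-level array (or bare primitive) is also a syntactically valid script body, while a top-level object literal is not, so the check below flags response bodies that still have that property and the wrapper enforces the "object on the outside" rule. It assumes Node.js and uses only built-ins; the sample bodies are constructed to mirror the three cases quoted from the cheat sheet.

```javascript
// Added example (not part of the question): audit helper telling whether a
// JSON response body would also parse as a stand-alone script, which is the
// property the OWASP rule removes by putting an object on the outside.
// Assumes Node.js; no third-party modules.

// Returns true when `body` is syntactically valid as a script body.
// A top-level array or primitive is an expression statement, so it parses;
// a top-level object literal is read as a block and fails on the first ':'.
// Caveat: an empty object "{}" parses as an empty block and so returns true,
// but it carries no data to expose.
function parsesAsScript(body) {
  try {
    new Function(body); // only parses the text, never runs it
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Serialise `value` so the outermost JSON value is always an object,
// wrapping arrays and primitives under a "result" key as the cheat sheet shows.
function toSafeJson(value) {
  const isPlainObject =
    value !== null && typeof value === 'object' && !Array.isArray(value);
  return JSON.stringify(isPlainObject ? value : { result: value });
}

// Constructed sample bodies mirroring the cheat sheet's three cases.
const SAMPLES = {
  exploitable: '[{"object": "inside an array"}]',
  notExploitable: '{"object": "not inside an array"}',
  alsoNotExploitable: '{"result": [{"object": "inside an array"}]}',
};

// Runs the parse check over every sample and reports which ones still
// parse as a script (true = the body shape the cheat sheet calls exploitable).
function auditSamples() {
  const report = {};
  for (const [name, body] of Object.entries(SAMPLES)) {
    report[name] = parsesAsScript(body);
  }
  return report; // { exploitable: true, notExploitable: false, alsoNotExploitable: false }
}

console.log(auditSamples());
console.log(toSafeJson([{ object: 'inside an array' }]));
```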