Modernizing Authentication — What It Takes to Transform Secure Access
Client-side libraries that Fortify inspected and found to be vulnerable are the Yahoo UI, Prototype, Script.aculo.us, Dojo, Moo.fx, jQuery, Rico and MochiKit.
According to Fortify, the other AJAX frameworks don't explicitly provide any protection, nor do their documentation materials mention the vulnerability as a security concern.
"The attacker can put code in a Web page," he said. "If he can trick you into running it in your browser, your browser can look like you and act like you, but it's not you; it's actually shoveling data back to [the attacker]."
The text-based, human-readable format for representing objects and other data structures is mostly used to transmit structured data over a network connection.
Yahoo began offering some of its Web Services optionally in JSON in December 2005, and Google started offering JSON feeds for its GData Web protocol in December 2006.
Next Page: Finding a way in.