Ivan Fioravanti - 45 - Oct 20, 2014

I’d like to implement JSON Vulnerability Protection for angularjs as described in https://docs.angularjs.org/api/ng/service/$http 

Simply adding “)]}’,\n” in front of JSON response.

What is the best solution to achieve this result? Is this really needed?

You can add a global response filter to prefix it before all JSON responses with:

this.GlobalResponseFilters.Add((req, res, dto) =>
    if (req.ResponseContentType.MatchesContentType(MimeTypes.Json) && !(dto is IHttpResult))

Ivan Fioravanti:

+1 as always Demis!
BTW Instead of Matches I’ve MatchesContentType as extension.

Ahh, yeah that’s actually what I meant to use, updated.

Jezz Santos:

Ivan, I am also intersted in this area, but didnt really understand the need for this tactic, even as recommended by angularjs.
Could you explain why you decided to apply this solution, so we can learn what you learned about it why we should apply thsi kind of solution.

Ivan Fioravanti:

Hi Jeff, it is explained very well here: http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx/

to make it short you have to be sure that response of your service is an invalid javascript statement