JSON security best practices?

Front-end · unresolved · 3 answers · 1219 views
傲寒 2020-11-28 19:41

While researching the issue of JSON vs XML, I came across this question. Now one of the reasons to prefer JSON was listed as the ease of conversion in Javascript, namely wi

3 answers
  •  借酒劲吻你
    2020-11-28 20:06

    There are a number of security attacks against JSON, especially XSRF.

    The vulnerability occurs when a web service uses cookies for authentication, and responds with a JSON array containing sensitive data in response to a GET request.

    If an attacker can trick a user who is logged into a service, naive-webapp.com, into visiting their site (or any site that embeds an IFRAME they control, e.g. via embedded ads) then they can insert a

    EcmaScript 5 has fixed the confusing behavior that caused [] to look up Array on the global object and many modern browsers are no longer susceptible to this attack.

    Incidentally, Oil is wrong about unpredictable URLs. Cryptographically secure random identifiers in URLs are a fine way to protect resources. Identity based security is not a panacea as Oil suggests. See http://waterken.sourceforge.net/ for an example of a secure distributed application scheme based on cryptographically secure identifiers in URLs that does not require a concept of identity.

    EDIT:

    When considering JSON vs XML, you should be aware of XML specific attack vectors as well.

    XXE (XML External Entity) attacks use crafted XML to access file system and network resources through the firewall.

    <!DOCTYPE doc [
      <!-- entity body reconstructed from the text below; the exact path is assumed, the page names only win.ini -->
      <!ENTITY foo SYSTEM "file:///C:/Windows/win.ini">
    ]>
    ...
    &foo;

    The application embeds the input (parameter "in", which contains the win.ini file) in the web service response.
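The JSON-hijacking scenario and the response-shaping defence described in the answer above, as an added JavaScript (Node.js) example that is not part of the original answer. The sample data, the prefix string and the function names are my own; `new Function` is used purely as a parser, to test whether a response body would even load when an attacker's page includes the endpoint via `<script src>`.

```javascript
// Added example, not from the original answer. A bare JSON array is also a
// valid JavaScript program, which is why a cookie-authenticated GET that
// returned one could be loaded cross-site with <script src="..."> and, in
// pre-ES5 engines, observed through a redefined global Array constructor.
// Shaping the body so that it is NOT a valid script closes that channel
// whatever the engine does with array literals.

// A leading sequence that is a syntax error as a script (the same idea as the
// ")]}'," prefix used by several large web apps; the exact string is my choice).
const ANTI_HIJACK_PREFIX = ")]}',\n";

// Server side: wrap the payload in a top-level object and prepend the prefix.
// Even without the prefix, {"d": ...} is a block statement with an invalid
// ':' after a string literal when parsed as a program, so it does not load.
function renderProtectedJson(data) {
  return ANTI_HIJACK_PREFIX + JSON.stringify({ d: data });
}

// Client side (same-origin XHR/fetch): insist on the prefix, strip it, and use
// JSON.parse rather than eval.
function parseProtectedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("missing anti-hijack prefix; refusing to parse");
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length)).d;
}

// Would this body parse as a JavaScript program? new Function only parses the
// text and never executes it, so it is a safe stand-in for "could a <script>
// tag on another origin load this response?".
function isLoadableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample standing in for a sensitive, cookie-authenticated response.
const contacts = [{ name: "alice", email: "alice@example.com" }];

const vulnerableBody = JSON.stringify(contacts);   // bare array: loadable as script
const protectedBody = renderProtectedJson(contacts); // prefixed object: not loadable

console.log("bare array loads as script:   ", isLoadableAsScript(vulnerableBody));
console.log("protected body loads as script:", isLoadableAsScript(protectedBody));
console.log("client parses protected body: ", parseProtectedJson(protectedBody));
```

The prefix is defence in depth, not a substitute for the other controls: return sensitive JSON only to requests that carry an anti-CSRF token or a custom header that a cross-origin `<script>` cannot add, mark session cookies `SameSite`, and send `Content-Type: application/json` with `X-Content-Type-Options: nosniff` so current browsers refuse to execute the response as script at all.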
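For the XXE part of the answer, an added JavaScript example that is not part of the original answer: a pre-parse guard that rejects XML carrying a DTD, which is where an XXE payload declares its entity. It assumes the document is about to be handed to some XML parser whose entity handling you may not fully control; the primary fix remains disabling DTD and external-entity processing in that parser. The element names and the file path in the sample payload are my own.

```javascript
// Added example, not from the original answer. Reject XML that could only be
// carrying an XXE payload before it reaches a parser. Everything here is a
// conservative allow-list check on the raw text.

const PREDEFINED_ENTITIES = new Set(["lt", "gt", "amp", "quot", "apos"]);

// Remove comments and CDATA sections so the checks only see markup a parser
// would interpret: a DOCTYPE inside a comment is harmless, and CDATA content
// is never parsed as markup.
function stripNonMarkup(xml) {
  return xml
    .replace(/<!--[\s\S]*?-->/g, "")
    .replace(/<!\[CDATA\[[\s\S]*?\]\]>/g, "");
}

// Returns null when the document is acceptable, otherwise a reason string.
function rejectXxe(xml) {
  const body = stripNonMarkup(xml);
  if (/<!DOCTYPE/i.test(body)) return "DOCTYPE declaration not allowed";
  if (/<!ENTITY/i.test(body)) return "ENTITY declaration not allowed";
  // Any entity reference other than the five predefined ones or a numeric
  // character reference implies a DTD the document expects to be honoured.
  for (const [, name] of body.matchAll(/&([^;\s<&]+);/g)) {
    if (name.startsWith("#")) continue; // &#169; or &#xA9; character references
    if (!PREDEFINED_ENTITIES.has(name)) {
      return `undeclared entity reference &${name};`;
    }
  }
  return null;
}

// Constructed samples. The first has the shape of the payload discussed above:
// the "in" element would expand to the contents of a local file if the parser
// resolved external entities and echoed the input back.
const xxePayload = `<?xml version="1.0"?>
<!DOCTYPE request [
  <!ENTITY foo SYSTEM "file:///C:/Windows/win.ini">
]>
<request><in>&foo;</in></request>`;

const benignRequest = `<?xml version="1.0"?>
<request><in>Tom &amp; Jerry &#169; <![CDATA[<not-markup/>]]></in></request>`;

console.log("xxe payload:   ", rejectXxe(xxePayload));
console.log("benign request:", rejectXxe(benignRequest));
```

Rejecting every DOCTYPE also refuses documents that merely point at an external DTD for validation; for an API that accepts machine-generated XML that is the right trade-off, since nothing legitimate there needs entity expansion.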
