Is it possible to do 'JSON hijacking' on modern browser? [duplicate]

Answer 1

Something like that could in theory be abused if you use eval to decode JSON.

Popular JS libraries which provide JSON decoding functionality will default to JSON.parse when the browser has builtin JSON support, thus any recent browser shouldn't be vulnerable unless your code is incorrectly written.

Answer 2

It's not about the legitimate application parsing the JSON - JSON hijacking is an information disclosure issue about some malicious party requesting your JSON data instead of the real application while the user is logged into the application that uses the api usually. Simple authentication does not help - as the browser sends the auth information e.g. auth-cookie for free :-/.

But with ES5 most current browser won't be affected anymore directly by this issue. Nonetheless, in depth defense rules! And may protect against future issues too or regressions and etc.