Evil idea: Fingerprint the internal tech stack of a web app by taking advantage of the fact that all JSON parsers have different behavior. Sending carefully-crafted JSON payloads that will throw an error for one “valid, but odd” syntax but not another, like {"a": 0.}.
This is why Postel’s law is ~~a bad idea~~ something you have to be very careful about.

My version of Postel’s Law, with the benefit of hindsight: “If you accept crap, then crap is what you will get.”
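One way to not "accept crap" at the edge, as an added example that is not code from anyone in the thread: a strict loader wrapped around Python's standard json module (assumed here as the front-end parser), which rejects the lenient extensions the stdlib accepts by default so that every odd-but-lenient input gets the same uniform error rather than an answer that depends on which parser sits behind it.

```python
import json
import math

# Strict JSON loader. Python's json.loads already rejects syntax such as
# {"a": 0.}, leading zeros and trailing commas, but it silently accepts
# NaN/Infinity, duplicate object keys and overflowing floats. This wrapper
# turns all of those into one StrictJSONError so the caller cannot tell
# (and cannot leak) how a downstream parser would have treated them.

class StrictJSONError(ValueError):
    """Input is not plain RFC 8259 JSON as this layer defines it."""

def _reject_constant(name):
    # Called by json.loads for the literals NaN, Infinity and -Infinity.
    raise StrictJSONError(f"non-standard JSON literal: {name}")

def _finite_float(text):
    # float('1e400') quietly becomes inf; refuse anything non-finite.
    value = float(text)
    if not math.isfinite(value):
        raise StrictJSONError(f"non-finite number: {text}")
    return value

def _reject_duplicate_keys(pairs):
    # The default behaviour is last-key-wins; parsers differ here, so reject.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise StrictJSONError(f"duplicate key: {key!r}")
        obj[key] = value
    return obj

def strict_loads(text):
    """Parse text as strict JSON or raise StrictJSONError."""
    try:
        return json.loads(text,
                          parse_float=_finite_float,
                          parse_constant=_reject_constant,
                          object_pairs_hook=_reject_duplicate_keys)
    except StrictJSONError:
        raise
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        raise StrictJSONError(f"malformed JSON: {exc}") from None

def is_strict_json(text):
    """True if the strict loader accepts the input, False otherwise."""
    try:
        strict_loads(text)
        return True
    except StrictJSONError:
        return False
```

Constructed probe inputs such as `{"a": 0.}`, `{"a": NaN}`, `{"a": 1, "a": 2}` and `{"a": 1e400}` are all rejected with the same exception type, while `{"a": 0.0}` is accepted.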
I’m a bit sad that this was not updated to reflect the changes after I fixed the bug the author reported against SBJson in 2016.