
The primary difference is that JSON isn't considered executable-- at least not by any Java JSON libraries that I've seen; it's just data.

(Yes, non-executable data can still deliver a malicious payload, e.g. http://technet.microsoft.com/en-us/security/bulletin/ms04-02.... It's just much less common-- presumably because it's a much smaller attack surface.)




You forget the time when JSON was usually called with exec...

But mostly it is buffer overflow bugs that get you now.
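
The contrast raised in the two comments above, as an added example that is not part of either comment: the same text handed to an eval-style parser and to a data-only parser. It assumes the "exec" remark refers to eval-style parsing; the function names, the `__sideEffect` hook and both inputs are constructed for illustration.

```javascript
// Added example: eval-style "parsing" versus a data-only JSON parser.
// Every name and input below is constructed; nothing here comes from the thread.

// Legacy pattern: treat the received text as a JavaScript expression.
function legacyEvalParse(text) {
  // Indirect eval runs in global scope; whatever the text contains is executed.
  return (0, eval)("(" + text + ")");
}

// Data-only pattern: JSON.parse accepts the JSON grammar and nothing else.
function safeParse(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed inputs: one well-formed document, one that embeds a function call.
const benign = '{"user": "alice", "roles": ["read"]}';
const hostile = '{"user": "alice", "roles": [globalThis.__sideEffect("ran")]}';

function demo() {
  const calls = [];
  // Harmless stand-in for "code ran": it records the call and returns a role.
  globalThis.__sideEffect = (msg) => { calls.push(msg); return "admin"; };
  try {
    const evalBenign = legacyEvalParse(benign);
    const evalHostile = legacyEvalParse(hostile);
    const callsAfterEval = calls.length; // the embedded call executed once

    const parsedBenign = safeParse(benign);
    const parsedHostile = safeParse(hostile); // rejected, nothing executes
    return {
      evalBenignUser: evalBenign.user,
      evalHostileRoles: evalHostile.roles,
      callsAfterEval,
      parsedBenign,
      parsedHostile,
      callsTotal: calls.length,
    };
  } finally {
    delete globalThis.__sideEffect;
  }
}
```

Under eval the sender chooses what runs and what value ends up in `roles`; under `JSON.parse` the same text is a syntax error, and the document never reaches application logic.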



