Skills
Append runtime nonces to JSON keys and DOM element IDs — a cheap ADI defense that keeps 83% utility
The ADI paper measures randomized identifiers as the best utility-preserving mitigation: 28.7% attack success at 83.3% task utility, versus a 49.1% undefended baseline. You generate a nonce at runtime and append it to field names or element IDs so an attacker cannot pre-compute a colliding delimiter in the data they control. The caveat is that it works for key-value formats (JSON, DOM) and does not help for aggregation-style reads where the delimiter is not a named key.
↳ Follow the thread