Question is when response type of request is coming as application/json and also there is not any kind of escaping/encoding implemented then is it possible to execute xss there? Changing file extension trick seems to be working till Internet Explorer 9 and all the researches on blogs are way older. Is anybody aware of trick to execute xss on latest IE versions like 10 & 11
Already read blogs like http://blog.watchfire.com/wfblog/2011/10/json-based-xss-exploitation.html. They are claiming to be worked till IE9