The document discusses JSON injection security concerns. It describes what JSON is and how it is commonly used to transmit structured data between servers and web applications. The main security risks discussed are: (1) using eval() to parse JSON, which can enable JavaScript code injection attacks; (2) sensitive JSON data being stolen through JSON array hacks or CSRF attacks; (3) potential data theft, forgery, or misuse if JSON data is compromised. It provides recommendations for securing applications such as using a JSON parser instead of eval(), validating JSON with regular expressions, making JSON responses non-array objects, and only allowing JSON data requests via POST. Examples of past exploits of JSON vulnerabilities at Gmail and Twitter are also briefly mentioned.
Overview of OWASP Bangalore event and the agenda covering JSON, its security concerns, application security, and related exploits.
JSON (JavaScript Object Notation) is a lightweight data interchange format used in web applications, highlighting its structure, syntax, and comparison with XML.
Exploration of JSON security vulnerabilities, emphasizing the risks of using eval() for JSON parsing and the implications of JavaScript code execution.
Best practices to enhance security while using JSON, including data validation methods, using JSON.parse instead of eval, and mitigating CSRF threats.
Mention of notable JSON vulnerabilities from 2006, emphasizing risk awareness influenced by incidents involving major platforms like GMail and Twitter.
Agenda

- What is JSON
- JSON Security Concerns
- How to secure your application
- Exploits

2 AXP Internal 31-Dec-12
What is JSON - JavaScript Object Notation

JSON is a lightweight, text-based, language-independent data interchange format with parsers available for many languages. JSON has been used to exchange data between applications written in all of these programming languages: ActionScript, C, C#, ColdFusion, Common Lisp, E, Erlang, Java, JavaScript, Lua, Objective CAML, Perl, PHP, Python, Rebol, Ruby, and Scheme.

The JSON format is often used for serializing and transmitting structured data over a network connection. It is used primarily to transmit data between a server and a web application, serving as an alternative to XML.

JSON is like XML because:
- Both are 'self-describing', meaning that values are named, and thus 'human readable'.
- Both are hierarchical (i.e. you can have values within values).
- Both can be parsed and used by lots of programming languages.
- Both can be passed around using AJAX (i.e. httpWebRequest).

JSON is UNlike XML because:
- XML uses angle brackets, with a tag name at the start and end of an element; JSON uses squiggly brackets with the name only at the beginning of the element.
- JSON is less verbose, so it's definitely quicker for humans to write, and probably quicker for us to read.
- JSON can be parsed trivially using the eval() procedure in JavaScript.
- JSON includes arrays (where each element doesn't have a name of its own).
- In XML you can use any name you want for an element; in JSON you can't use reserved words from JavaScript.
What is JSON - continued

How do I use it? The Internet media type for JSON is application/json.

JSON is built on two structures:
- A collection of name/value pairs. In various languages, this is realized as an object, record, struct, dictionary, hash table, keyed list, or associative array.
- An ordered list of values. In most languages, this is realized as an array, vector, list, or sequence.

These are universal data structures. Virtually all modern programming languages support them in one form or another.

An object is an unordered set of name/value pairs. A value can be a string in double quotes, or a number, or true or false or null, or an object or an array. These structures can be nested.
What is JSON - continued

An array is an ordered collection of values. An array begins with
JSON Security Concerns

Because most JSON-formatted text is also syntactically legal JavaScript code, an easy way for a JavaScript program to parse JSON-formatted data is to use the built-in JavaScript eval() function, which was designed to evaluate JavaScript expressions, rather than using a JSON-specific parser. eval() executes the JSON data to produce native JavaScript objects, which leaves the application subject to malicious JavaScript code injection attacks. Such breaches of trust may also create vulnerabilities for data theft, authentication forgery, and other potential misuse of data and resources.

JSON data can be stolen or compromised - the JSON Array hack

A trusted website is designed to return some sensitive data as JSON:
http://www.mysite.com/secret-data.json

An attacker creates an evil site which turns the JSON into JavaScript, then sends the data to the attacker:

<script src="http://www.mysite.com/secret-data.json" type="text/javascript"></script>
<script type="text/javascript">
var json_data;
Array = function() { json_data = this; }; // turns JSON into an array!
</script>
<script src="http://www.mysite.com/secret-data.json" type="text/javascript"></script>
<script type="text/javascript">
var i = 0;
while (json_data[i++]) {
  alert("Found secret data! " + json_data[i]);
}
</script>

How the data is compromised:
1. The user logs into the trusted site mysite.com as an authenticated user.
2. CSRF: the attacker convinces the user to visit their special site while logged in to the target site, perhaps by sending a link via email or posting in a favourite message board.
3. Data is compromised.

Use the latest browsers, as the setter and getter methods are deprecated, limiting the impact.
How to secure your application

Using JSON in your application does not make it less secure; it is how you use it which may make you vulnerable.

Regular expressions can be used to validate the data prior to invoking eval(). The RFC that defines JSON (RFC 4627) suggests using the following code to validate JSON before eval'ing it. The variable 'text' is the input JSON:

var my_JSON_object = !(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(
        text.replace(/"(\\.|[^"\\])*"/g, ''))) &&
    eval('(' + text + ')');

The eval function would execute the script, unleashing its malice, so use a JSON parser and JSON stringifier instead. A new function, JSON.parse(), was developed as a safer alternative to eval (only available in Mozilla Firefox 3.5+ and Microsoft Internet Explorer 8+). A JSON stringifier goes in the opposite direction, converting JavaScript data structures into JSON text.

GET requests to a JSON endpoint: the simplest solution is to convert all JSON data requests to POST instead of GET requests, and to use unique values to determine that the request for the data actually came from your own site.

One common mitigation is to make sure that your JSON service always returns its response as a non-array JSON object.
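The RFC 4627 validator quoted above, JSON.parse as the safe replacement for eval(), and the non-array-object mitigation for the array hack on the previous slide, worked through as an added JavaScript example that is not code from the slides. The wrapper key "d", the function names and the two sample inputs are assumptions constructed for this example.

```javascript
// Added example, not from the original slides: the RFC 4627 validator,
// JSON.parse as the safe replacement for eval(), and the "non-array
// object" response wrapper, run over constructed inputs.

// RFC 4627 section 6 check: strip every string literal, then make sure only
// JSON punctuation, number characters, the letters of true/false/null/E and
// whitespace remain. Parentheses, identifiers and operators all fail.
function isSafeJsonText(text) {
  const stripped = text.replace(/"(\\.|[^"\\])*"/g, "");
  return !/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(stripped);
}

// Legacy path shown on the slide: validate, then eval(). The check runs
// first, so a rejected payload is never executed. Kept only to mirror the
// slide; new code should use parseSafely().
function parseWithRfcCheck(text) {
  if (!isSafeJsonText(text)) {
    throw new Error("input rejected by RFC 4627 check");
  }
  return eval("(" + text + ")");
}

// Preferred path: JSON.parse turns text into data and never runs code.
function parseSafely(text) {
  return JSON.parse(text);
}

// Mitigation for the JSON array hack: a top-level array is wrapped in an
// object, so the response body is no longer a bare array literal when it is
// pulled in with <script src=...>. The key "d" is an assumption of this
// example, not a standard.
function toNonArrayResponse(value) {
  return JSON.stringify(Array.isArray(value) ? { d: value } : value);
}

// Constructed sample inputs (not real data).
const GOOD_JSON = '{"user":"alice","roles":["admin","dev"],"n":-1.5e3}';
const EVIL_TEXT = '{"user":"alice","x":alert("injected")}';

// Summary of what each path does with the two samples.
function demo() {
  let evilParses = true;
  try { parseSafely(EVIL_TEXT); } catch (e) { evilParses = false; }
  return {
    goodPassesRegex: isSafeJsonText(GOOD_JSON),   // true
    evilPassesRegex: isSafeJsonText(EVIL_TEXT),   // false
    evilParsesWithJsonParse: evilParses,          // false
    wrapped: toNonArrayResponse(["s1", "s2"]),    // '{"d":["s1","s2"]}'
  };
}
```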
Exploits - 2006

It seems like this could be extremely bad, as not many people know about this vulnerability. After all, if GMail was successfully exploited via this vulnerability, who else is vulnerable?

Twitter - JSON Array Hack