JSON Fuzzing: New approach to old problems

Slide 1. JSON Fuzzing: New approach to old problems
Tamaghna Basu (tamaghna.basu@gmail.com), K.V.Prashant (good.best.guy@gmail.com)
http://null.co.in/ http://nullcon.net/
Slide 2. Who are we?
We are still discovering ourselves
• Who am I…
• Where am I…
• How did I get here…
• Purpose of my life…
Till then:
K.V.Prashant: CEH, CISSP. Security consultant/researcher. An avid null community member.
Tamaghna Basu: GCIH, CEH, ECSA, RHCE, Diploma in Cyber Law. Once coder, now researcher. A net addict citizen of India.
Slide 3. What are you going to tolerate in the next 30 mins or so…
• Lazy bums we are.
• Wanted an easy tool to test apps with JSON support. Unable to find one.
• The laziness inside us prompted us to use an existing tool and add JSON functionality instead of building it from scratch.
Slide 4. Disclaimer
We are not responsible for any mental, financial and physical health issues arising after viewing this presentation. We are not responsible for any damage to the conference venue arising due to our conference speech. So be seated at your own risk.
Slide 5. Why are we here?
Because of him… Douglas Crockford
• American computer programmer and entrepreneur
• Best known for his involvement in and creation of the JSON format (Ref: Wikipedia)
Slide 6. JSON: What is that?
JSON (an acronym for JavaScript Object Notation) is a lightweight text-based open standard designed for human-readable data interchange. It is derived from the JavaScript programming language for representing simple data structures and associative arrays, called objects. Despite its relationship to JavaScript, it is language-independent, with parsers available for most programming languages. The JSON format was originally specified by Douglas Crockford, and is described in RFC 4627. The official Internet media type for JSON is application/json. The JSON filename extension is .json. Blah… Blah… Blah… SEE Wikipedia…
Slide 7. JSON: What is that?
In simple language:
• It's a method to exchange data in a simple structured format between web client and server.
• Mostly used with AJAX request/response scenarios.
• Lightweight, fewer tags and easy to parse; less computationally intensive than XML.
• Extensively used in applications developed by companies like Google, Yahoo, Amazon etc.
Slide 8. JSON: Client Side processing

```javascript
// Build the JSON request body from the form fields by string concatenation
var abc = '{"loginId":"' + document.test.name.value + '","pwd":"' + document.test.password.value + '"}';
var req = null;
if (window.XMLHttpRequest) {
  req = new XMLHttpRequest();
} else if (window.ActiveXObject) {
  try {
    req = new ActiveXObject("Msxml2.XMLHTTP");
  } catch (e) {
    try {
      req = new ActiveXObject("Microsoft.XMLHTTP");
    } catch (e) {}
  }
}
req.onreadystatechange = function() {
  if (req.readyState == 4) {
    if (req.status == 200) {
      // The response body is evaluated as JavaScript; JSON.parse is the safe alternative
      var employee = eval('(' + req.responseText + ')');
      document.write(employee.name);
      document.write(employee.age);
    } else {
      document.getElementById("realtooltip2").innerHTML =
        "Error: returned status code " + req.status + " " + req.statusText;
    }
  }
};
req.open("POST", "http://in-prashantkv.in.kworld.kpmg.com:8080/servlets/Search", true);
req.send(abc);
```
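The slide builds the request body by string concatenation and evaluates the response with eval(). The following is an added example, not code from the deck: it keeps the concatenation form only to show that a double quote in user input produces an invalid body, and puts a JSON.stringify/JSON.parse version beside it that escapes input correctly and rejects malformed or mistyped replies. All function names are assumptions.

```javascript
// Added example (not the slide's code). Function names are assumptions.

// The slide's construction, kept only to show the defect: a double quote in
// either field terminates the JSON string early and yields an invalid body.
function buildLoginPayloadByConcat(loginId, pwd) {
  return '{"loginId":"' + loginId + '","pwd":"' + pwd + '"}';
}

// The serializer does the escaping, so any input round-trips as intended.
function buildLoginPayload(loginId, pwd) {
  return JSON.stringify({ loginId: loginId, pwd: pwd });
}

function isValidJson(text) {
  try {
    JSON.parse(text);
    return true;
  } catch (e) {
    return false;
  }
}

// Replaces eval(responseText) with JSON.parse plus a shape check: the reply
// must be an object whose name and age are strings, matching slide 9.
// Anything else (JavaScript code, arrays, wrong types) is rejected rather
// than executed or rendered.
function parseEmployeeResponse(text) {
  let data;
  try {
    data = JSON.parse(text);
  } catch (e) {
    return { ok: false, error: 'malformed JSON' };
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return { ok: false, error: 'response is not an object' };
  }
  if (typeof data.name !== 'string' || typeof data.age !== 'string') {
    return { ok: false, error: 'unexpected field types' };
  }
  return { ok: true, name: data.name, age: data.age };
}

// Text to show the user; assign it with element.textContent rather than
// document.write/innerHTML so server-supplied data is never parsed as markup.
function employeeDisplayText(parsed) {
  return parsed.ok ? parsed.name + ' (' + parsed.age + ')' : 'Error: ' + parsed.error;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed inputs: a login id containing a double quote
  console.log(buildLoginPayloadByConcat('a"b', 'x'), isValidJson(buildLoginPayloadByConcat('a"b', 'x')));
  console.log(buildLoginPayload('a"b', 'x'), isValidJson(buildLoginPayload('a"b', 'x')));
  console.log(employeeDisplayText(parseEmployeeResponse('{"name":"Prashant","age":"secret"}')));
  console.log(employeeDisplayText(parseEmployeeResponse('alert(1)')));
}
```

The concatenated form is exactly what a JSON fuzzer will break first: any payload containing a quote or backslash turns the body into something the server's org.json parser rejects before the application logic runs, so the field is never actually tested.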
Slide 9. JSON: Message Format
Request sent to server:

```json
{
  "loginId": "name",
  "pwd": "secret"
}
```

Response received from server after authentication and processing:

```json
{
  "name": "Prashant",
  "age": "secret"
}
```
Slide 10. JSON: Server Side processing
Using the org.json library we can parse a JSON object in the following way:

```java
import java.io.BufferedReader;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.json.JSONObject;

public class HelloWorld extends HttpServlet {
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    // Read the raw request body, which carries the JSON document
    StringBuffer jb = new StringBuffer();
    String line = null;
    BufferedReader reader = request.getReader();
    while ((line = reader.readLine()) != null)
      jb.append(line);
    // Parse it; getString throws JSONException if the key is missing or the value is not a string
    JSONObject jsonObject = new JSONObject(jb.toString());
    String pwd = jsonObject.getString("pwd");
    String uname = jsonObject.getString("loginId");
    // …
  }
}
```
Slide 11. JSON: Server Side processing
Using the org.json library we can create a JSON object in the following way:

```java
import org.json.JSONObject;

public class HelloJSON {
  public static void main(String args[]) {
    // Build the object field by field; toString() serializes it
    JSONObject jobject = new JSONObject();
    jobject.put("name", "prashant");
    jobject.put("Age", new Integer(25));
    // …
  }
}
```
Slide 12. JSON Fuzzing: What's missing
Almost everything
• Current tools support only the name/value pair format of data, e.g. login=test&passwd=test123&seclogin=on
• But not JSON format like: {"loginId":"test@ttt.com","pwd":"12345"}
• Tiresome to edit each field in HTTP proxies like Paros
Slide 13. JSON Fuzzing: What's missing
(screenshot of a name/value request: login=test&passwd=test123&seclogin=on&FormName=existing)

Slide 14. JSON Fuzzing: What's missing
(screenshot; no text extracted)

Slide 15. JSON Fuzzing: What's missing
(screenshot; no text extracted)

Slide 16. JSON Fuzzing: What's missing
(screenshot; no text extracted)
Slide 17. JSON Fuzzing: What we did
• Took a popular Firefox addon
• Added a conversion module to convert JSON to name/value pairs
• Added fuzzing capabilities on the converted name/value pairs
• Convert the fuzzed values back to a JSON object and complete the request (current contribution still under review)
Slide 18. JSON Fuzzing: Demo
Demo
Slide 19. JSON Fuzzing: Road Ahead
Support for various JSON formats:
• Simple object: {"loginId":"test@ttt.com","pwd":"12345"}
• Nested object: { "name": "Jack (\"Bee\") Nimble", "format": { "type": "rect", "width": 1920 } }
• Array: ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]
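Slides 12, 17 and 19 describe the pipeline (JSON to name/value pairs, fuzz each pair, rebuild JSON) and the three document shapes it should handle. The block below is an added example, not the deck's code nor the Tamper Data addon's: it flattens simple, nested and array documents into typed paths, renders them in the name/value form the slides contrast with JSON, substitutes constructed fuzz payloads into one leaf at a time, and rebuilds a request body for each case. All function names, the payload list and the sample documents are assumptions (the samples reuse the slides' own values).

```javascript
// Added example (not the deck's or the addon's code). Names are assumptions.

// Each pair records the typed path to a leaf (strings for object keys,
// numbers for array indices) so the document can be rebuilt unambiguously
// even when a key contains a dot or looks numeric.
function flattenJson(value, path) {
  path = path || [];
  if (Array.isArray(value)) {
    if (value.length === 0) return [{ path: path, value: [] }];
    return value.flatMap((item, i) => flattenJson(item, path.concat(i)));
  }
  if (value !== null && typeof value === 'object') {
    const keys = Object.keys(value);
    if (keys.length === 0) return [{ path: path, value: {} }];
    return keys.flatMap((k) => flattenJson(value[k], path.concat(k)));
  }
  return [{ path: path, value: value }];
}

// Render pairs in the form the slides contrast with JSON
// (login=test&passwd=test123...), using dotted paths for nested fields.
function toNameValueString(pairs) {
  return pairs
    .map((p) => p.path.join('.') + '=' + (typeof p.value === 'string' ? p.value : JSON.stringify(p.value)))
    .join('&');
}

// Rebuild the document; intermediate containers become arrays or objects
// depending on the type of the next path segment.
function unflattenJson(pairs) {
  if (pairs.length === 0) return null;
  if (pairs[0].path.length === 0) return pairs[0].value; // top-level scalar
  const root = typeof pairs[0].path[0] === 'number' ? [] : {};
  for (const pair of pairs) {
    let node = root;
    for (let i = 0; i < pair.path.length - 1; i++) {
      const seg = pair.path[i];
      if (node[seg] === undefined) {
        node[seg] = typeof pair.path[i + 1] === 'number' ? [] : {};
      }
      node = node[seg];
    }
    node[pair.path[pair.path.length - 1]] = pair.value;
  }
  return root;
}

// Constructed payloads exercising parser and validation robustness:
// quoting, control characters, length, numeric boundaries and type changes.
const FUZZ_PAYLOADS = ['"', "'", '\u0000', 'A'.repeat(4096), -1, 0, null, true, {}, []];

// Yield one request body per (field, payload) combination, with a single
// leaf replaced and every other value left as in the original document.
function* fuzzCases(doc, payloads) {
  const pairs = flattenJson(doc);
  for (let i = 0; i < pairs.length; i++) {
    for (const payload of payloads) {
      const mutated = pairs.map((p, j) => (j === i ? { path: p.path, value: payload } : p));
      yield {
        field: pairs[i].path.join('.'),
        payload: payload,
        body: JSON.stringify(unflattenJson(mutated)),
      };
    }
  }
}

// Sample documents taken from the slides (simple, nested and array forms).
const SAMPLE_SIMPLE = { loginId: 'test@ttt.com', pwd: '12345' };
const SAMPLE_NESTED = { name: 'Jack ("Bee") Nimble', format: { type: 'rect', width: 1920 } };
const SAMPLE_ARRAY = ['Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday'];

// Every fuzzed body for the login document (one per field and payload).
function fuzzLoginBodies() {
  return Array.from(fuzzCases(SAMPLE_SIMPLE, FUZZ_PAYLOADS)).map((c) => c.body);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(toNameValueString(flattenJson(SAMPLE_NESTED)));
  console.log(toNameValueString(flattenJson(SAMPLE_ARRAY)));
  for (const c of fuzzCases(SAMPLE_SIMPLE, FUZZ_PAYLOADS)) console.log(c.field, c.body);
}
```

Because the payload is placed into the tree before serialization, JSON.stringify escapes it, so the server always receives well-formed JSON and the test reaches the application code rather than stopping at the parser. The type-changing payloads (null, true, {}, []) are the ones a name/value fuzzer cannot express at all; on the org.json servlet from slide 10 they surface as a JSONException from getString, which is worth checking the application turns into a clean 4xx rather than a stack trace.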
Slide 20. JSON Fuzzing: Road Ahead
• Present code changes to Tamper Data submitted to the original writer
• Adding JSON fuzzing capabilities to other tools like WebScarab
• Release a JSON application with common vulnerabilities
Slide 21. JSON Fuzzing: References
• JSON reference site: www.json.org
• JSON Ajax tutorials: http://www.ibm.com/developerworks/web/library/wa-ajaxintro11.html
• Tamper Data page: https://addons.mozilla.org/en-us/firefox/addon/tamper-data/
Slide 22. JSON Fuzzing: Road Ahead
If you are still there/awake, then thank you.
Special thanks to the null community.
Tamaghna Basu - tamaghna.basu@gmail.com
K.V.Prashant - good.best.guy@gmail.com - tamahawk-techguru.blogspot.com - twitter.com/titanlambda