JSON Injection


Published on: null Bangalore Chapter - December 2012 Meet
Published in: Education


  1. OWASP Bangalore - Dec 15 2012: JSON INJECTION (AXP Internal, 31-Dec-12)
  2. Agenda
     - What is JSON
     - JSON Security Concerns
     - How to secure your application
     - Exploits
  3. What is JSON - JavaScript Object Notation
     JSON is a lightweight, text-based, language-independent data interchange format with parsers available for many languages. JSON has been used to exchange data between applications written in all of these programming languages: ActionScript, C, C#, ColdFusion, Common Lisp, E, Erlang, Java, JavaScript, Lua, Objective CAML, Perl, PHP, Python, Rebol, Ruby, and Scheme.
     The JSON format is often used for serializing and transmitting structured data over a network connection. It is used primarily to transmit data between a server and a web application, serving as an alternative to XML.
     JSON is like XML because:
     - Both are self-describing: values are named, and thus human readable.
     - Both are hierarchical (i.e. you can have values within values).
     - Both can be parsed and used by lots of programming languages.
     - Both can be passed around using AJAX (i.e. httpWebRequest).
     JSON is unlike XML because:
     - XML uses angle brackets, with a tag name at the start and end of an element; JSON uses curly brackets with the name only at the beginning of the element.
     - JSON is less verbose, so it's definitely quicker for humans to write, and probably quicker for us to read.
     - JSON can be parsed trivially using the eval() procedure in JavaScript.
     - JSON includes arrays (where each element doesn't have a name of its own).
     - In XML you can use any name you want for an element; in JSON you can't use reserved words from JavaScript.
  4. What is JSON - continued: How do I use it
     - The Internet media type for JSON is application/json.
     - JSON is built on two structures:
       - A collection of name/value pairs. In various languages, this is realized as an object, record, struct, dictionary, hash table, keyed list, or associative array.
       - An ordered list of values. In most languages, this is realized as an array, vector, list, or sequence.
     - These are universal data structures; virtually all modern programming languages support them in one form or another.
     - An object is an unordered set of name/value pairs.
     - A value can be a string in double quotes, or a number, or true or false or null, or an object or an array. These structures can be nested.
  5. What is JSON - continued
     An array is an ordered collection of values. An array begins with
  6. JSON Security Concerns
     Because most JSON-formatted text is also syntactically legal JavaScript code, an easy way for a JavaScript program to parse JSON-formatted data is to use the built-in JavaScript eval() function, which was designed to evaluate JavaScript expressions, rather than using a JSON-specific parser.
     - eval() executes the JSON data to produce native JavaScript objects, which leaves the application subject to malicious JavaScript code injection attacks. Also, such breaches of trust may create vulnerabilities for data theft, authentication forgery, and other potential misuse of data and resources.
     Can JSON data be stolen or compromised? The JSON Array hack:
     - A trusted website is designed to return some sensitive data as JSON -> http://www.mysite.com/secret-data.json
     - An attacker creates an evil site which turns the JSON into JavaScript, then sends the data to the attacker:

         <script src="http://www.mysite.com/secret-data.json" type="text/javascript"></script>
         <script type="text/javascript">
           var json_data;
           Array = function() { json_data = this; }; // turns JSON into an array!
         </script>
         <script src="http://www.mysite.com/secret-data.json" type="text/javascript"></script>
         <script type="text/javascript">
           var i = 0;
           while (json_data[i++]) {
             alert("Found secret data! " + json_data[i]);
           }
         </script>

     - The user logs into the trusted site mysite.com as an authenticated user.
     - CSRF: the attacker convinces the user to visit their special site while logged in to the target site, perhaps by sending a link via email or posting in a favorite message board.
     - Data is compromised.
     Use the latest browsers: the setter and getter methods are deprecated, limiting the impact.
  7. How to secure your application
     Using JSON in your application does not make it less secure; it is how you use it that may make you vulnerable.
     - Regular expressions can be used to validate the data prior to invoking eval(). The RFC that defines JSON (RFC 4627) suggests using the following code to validate JSON before evaling it (the variable text is the input JSON):

         var my_JSON_object = !(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(
             text.replace(/"(\\.|[^"\\])*"/g, ''))) &&
             eval('(' + text + ')');

     - The eval function would execute the script, unleashing its malice; use a JSON parser and a JSON stringifier instead.
       - A new function, JSON.parse(), was developed as a safer alternative to eval (only available in Mozilla Firefox 3.5+ and Microsoft Internet Explorer 8+).
       - A JSON stringifier goes in the opposite direction, converting JavaScript data structures into JSON text.
     - GET requests to a JSON endpoint:
       - The simplest solution is to convert all JSON data requests to POST instead of GET requests.
       - Use unique values to determine that the request for the data actually came from your own site.
     - One common mitigation is to make sure that your JSON service always returns its response as a non-array JSON object.
  8. Exploits
     - 2006: It seems like this could be extremely bad as not many people know about this vulnerability. After all, if GMail was successfully exploited via this vulnerability, who else is vulnerable?
     - Twitter - JSON Array Hack
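The eval()-versus-parser concern of slide 6 and the mitigations of slide 7 (the RFC 4627 character check, the "always return a non-array object" envelope, and why the Array-constructor trick no longer captures array literals in modern engines) worked through as one added Node.js example. This is not code from the presentation; the response strings, the `d` envelope key and the `evalSideEffect` marker are constructed here for the demonstration.

```javascript
// Added example; not code from the slides. Demonstrates, in Node.js, the two
// points of slides 6 and 7: JSON text handed to eval() is executed as code,
// whereas JSON.parse() only accepts data, and a bare top-level array is a
// runnable script while a non-array object envelope is not. All inputs below
// are constructed for the demonstration.

const GOOD_RESPONSE = '{"user": "alice", "roles": ["viewer"]}';
// Valid JavaScript, not valid JSON: what a tampered response could look like.
const TAMPERED_RESPONSE =
  '(function () { globalThis.evalSideEffect = "code ran"; return {"user": "alice"}; })()';

// Slide 6: the eval()-based "parser". Any JavaScript expression runs.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// Slide 7: a real parser. Non-JSON input is a SyntaxError; nothing executes.
function parseWithJsonParse(text) {
  try {
    return JSON.parse(text);
  } catch (e) {
    if (e instanceof SyntaxError) return null;
    throw e;
  }
}

// Run both parsers over both responses and record whether code executed.
function compareParsers() {
  delete globalThis.evalSideEffect;
  const result = {
    evalGood: parseWithEval(GOOD_RESPONSE).user,
    evalTampered: parseWithEval(TAMPERED_RESPONSE).user,
    codeRanUnderEval: globalThis.evalSideEffect === 'code ran',
    jsonParseGood: parseWithJsonParse(GOOD_RESPONSE).user,
    jsonParseTampered: parseWithJsonParse(TAMPERED_RESPONSE), // null: rejected
  };
  delete globalThis.evalSideEffect;
  return result;
}

// Slide 7: the RFC 4627 pre-eval check with its escapes restored. String
// literals are removed first; only structural characters, number characters,
// whitespace and the letters of true/false/null (plus E) may remain.
const RFC4627_DISALLOWED = /[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/;
const STRING_LITERAL = /"(\\.|[^"\\])*"/g;

function passesRfc4627Check(text) {
  return !RFC4627_DISALLOWED.test(text.replace(STRING_LITERAL, ''));
}

// Slide 7: "always return a non-array JSON object". Server side, wrap the payload.
function wrapResponse(payload) {
  return JSON.stringify({ d: payload });
}

// Client side: unwrap and insist on the envelope shape.
function unwrapResponse(text) {
  const obj = JSON.parse(text);
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj) || !('d' in obj)) {
    throw new Error('unexpected JSON envelope');
  }
  return obj.d;
}

// Why the envelope helps: a <script src> include runs the response as a script.
// A bare array is a valid program; '{"d": ...}' parses as a block and fails to
// compile, so it cannot be executed that way. This only compiles, never runs.
function isExecutableAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Slide 6's hack redefined Array so array literals would land in json_data.
// Since ES5, array literals use the built-in constructor, not the global
// binding, so the override captures nothing (the slide's "latest browsers" point).
function arrayOverrideCaptures() {
  const original = globalThis.Array;
  let captured;
  try {
    globalThis.Array = function () { captured = this; };
    eval('[1, 2, 3]'); // evaluates a literal; globalThis.Array is never called
  } finally {
    globalThis.Array = original;
  }
  return captured !== undefined;
}
```

Call compareParsers() to see the tampered response execute under eval() while JSON.parse() returns null for it. The RFC 4627 check is kept only for comparison with the slide: it filters characters rather than parsing, and JSON.parse() makes it unnecessary. The envelope check in unwrapResponse() is meant to sit alongside the slide's other two controls, POST instead of GET and a per-site unique value on each request.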