Best IT Recipes

JSON security recommendations?

While researching the JSON vs XML problem, I came across this question . Now, one of the reasons for preferring JSON was indicated as the ease of conversion to Javascript, namely with eval() . Now it immediately seemed to me potentially problematic in terms of security.

So, I started exploring the security aspects of JSON in this blog post about how JSON is not as secure as people think. . This part stuck out:

Update: If you do JSON 100% correctly, then you will only have objects at the top level. Arrays, Strings, numbers, etc. wrapped up. The JSON object will not work to eval (), because the JavaScript translator will think that it is looking at a block, not an object. This is important for protecting against these attacks, but itโ€™s still better to protect your protected data with non-predictable URLs.

Good, so a good rule to start with: top-level JSON objects should always be objects, not arrays, numbers, or strings. It seems to me a good rule.

Is there anything else or to avoid when it comes to JSON and AJAX security?

The last part of the quotation refers to unpredictable URLs. Does anyone have more information about this, especially about how you do it in PHP? I am much more experienced in Java than PHP, and in Java it is simple (in that you can map a number of URLs to a single servlet), while all of the PHP that I did matches one URL to a PHP script.

Also, how exactly do you use unpredictable URLs to increase security?

+69
json javascript security ajax
Dec 27 '08 at 23:40
source share
3 answers

The main blog security hole (CSRF) is not JSON specific. This is just a big hole using XML instead. Indeed, it is just as bad, without asynchronous calls at all; regular links are also vulnerable.

When people talk about unique URLs, they usually DO NOT mean http://yourbank.com/json-api/your-name/big-long-key-unique-to-you/statement . Instead, it is more common to do something else about a unique request; Namely, the value in the FORM message or the URL parameter.

This usually includes a random token inserted into the server-side FORM, and then checks when the request is made.

The array / object object is news to me:

Script -Tags: an attacker can insert a script tag pointing to a remote server and the browser will effectively give an eval () response for you, however, this discards the response, and since JSON is the answer, you are safe.

In this case, your site should not use JSON for the vulnerability. But yes, if an attacker can insert random HTML into your site, you will be toasts.

+18
Dec 28 '08 at 4:48
source share

There are a number of security attacks for JSON, especially XSRF.

The vulnerability is caused when a web service uses cookies for authentication and responds with a JSON array containing sensitive data in response to a GET request.

If an attacker can trick a user who is registered in the service, naive-webapp.com, to visit his site (or any site that has a managed IFRAME installed, for example, via in-line ads), then they can paste <script> from SRC to naive -webapp.com and potentially steal user data. It depends on javascript quirk with a JavaScript Array constructor as follows:

  <script> // Overload the Array constructor so we can intercept data var stolenArrays = []; var RealArray = Array; Array = function () { var arr = RealArray.apply(arguments); stolenArrays.push(arr); return arr; } </script> <!-- even though the attacker can't access the cookies, - he can cause the browser to send them to naive-webapp.com --> <script src="//naive-webapp.com/..."></script> <script> // now stolenArrays contains any data from the parsed JSON </script>

EcmaScript 5 fixed the confusing behavior that caused [] Array search for a global object, and many modern browsers are no longer prone to this attack.

By the way, Oil is wrong about unpredictable URLs. Cryptographically secure random identifiers in URLs are a great way to protect resources. Identity-based security is not a panacea, as Oil suggests. See http://waterken.sourceforge.net/ for an example of a secure distributed application scheme based on cryptographically secure identifiers in URLs that does not require the concept of identity.

EDIT:

When considering JSON vs XML, you should also be aware of attack-specific XML vectors.

XXE , XML Attacks of external objects, use processed XML to access the file system and network resources through a firewall.

 <!DOCTYPE root [ <!ENTITY foo SYSTEM "file:///c:/winnt/win.ini"> ]> ... <in>&foo;</in>

The application inserts the input (the "in" parameter containing the win.ini file) into the web service response.

+49
Jan 09 '09 at 23:56
source share

it's still the best way to protect your protected data with unpredictable URLs.

The emphasis is mine. What nonsense! It is best to protect your protected data with proper authentication and perhaps some encryption. JSON exchange may still use existing authentication methods (e.g., sessions via cookies) and SSL.

Relying on someone not realizing the URL (what they actually say) will be a reasonable method (and even then, only sometime) when you use JSON to export data to an anonymous third party (for example, a web service ) One example is the Google API of various web services, in which anonymous users access Google data through other websites. They use domain name keys and APIs to make sure the man-in-the-middle website is allowed to provide Gooogle data.

If you use JSON to send personal data to a direct and well-known user agent, use real authentication and encryption. If you are trying to provide a web service, then it really depends on how secure this data is. If this is just public data and you don't mind who can read it, I donโ€™t see the point of creating a hash URL.



Edit: To demonstrate what they mean, think about it. Imagine that your bank has provided a JSON API for receiving applications. If I could just type http://yourbank.com/json-api/your-name/statement , you probably would not be very pleased.

They can generate a unique string for your account, which was required in any JSON request, for example: http://yourbank.com/json-api/your-name/big-long-key-unique-to-you/statement

I would have been much less likely to guess it. But do you want this to be the only buffer between your truly secure data and potential thieves? No.

+3
Dec 28 '08 at 0:00
source share


More articles:


All Articles