OWASP Bangalore - Dec 15 2012

JSON INJECTION

1 AXP Internal 31-Dec-12
Agenda
- What is JSON
- JSON Security Concerns
- How to secure your application
- Exploits
What is JSON - JavaScript Object Notation
- JSON is a lightweight, text-based, language-independent data interchange format with parsers available for many languages.
- JSON has been used to exchange data between applications written in all of these programming languages: ActionScript, C, C#, ColdFusion, Common Lisp, E, Erlang, Java, JavaScript, Lua, Objective CAML, Perl, PHP, Python, Rebol, Ruby, and Scheme.
- The JSON format is often used for serializing and transmitting structured data over a network connection. It is used primarily to transmit data between a server and a web application, serving as an alternative to XML.
  - JSON is like XML because:
    - Both are 'self-describing', meaning that values are named and thus 'human readable'.
    - Both are hierarchical (i.e. you can have values within values).
    - Both can be parsed and used by lots of programming languages.
    - Both can be passed around using AJAX (i.e. httpWebRequest).
  - JSON is unlike XML because:
    - XML uses angle brackets, with a tag name at the start and end of an element; JSON uses curly braces, with the name only at the beginning of the element.
    - JSON is less verbose, so it is definitely quicker for humans to write and probably quicker to read.
    - JSON can be parsed trivially using the eval() procedure in JavaScript.
    - JSON includes arrays (where each element does not have a name of its own).
    - In XML you can use any name you want for an element; in JSON you can't use reserved words from JavaScript.
What is JSON - continued
- How do I use it
  - The Internet media type for JSON is application/json.
  - JSON is built on two universal data structures; virtually all modern programming languages support them in one form or another:
    - A collection of name/value pairs. In various languages, this is realized as an object, record, struct, dictionary, hash table, keyed list, or associative array.
    - An ordered list of values. In most languages, this is realized as an array, vector, list, or sequence.
  - An object is an unordered set of name/value pairs.
  - A value can be a string in double quotes, or a number, or true or false or null, or an object or an array. These structures can be nested.
What is JSON - continued
- An array is an ordered collection of values. An array begins with
JSON Security Concerns
- Because most JSON-formatted text is also syntactically legal JavaScript code, an easy way for a JavaScript program to parse JSON-formatted data is to use the built-in JavaScript eval() function, which was designed to evaluate JavaScript expressions, rather than using a JSON-specific parser.
  - eval() executes the JSON data to produce native JavaScript objects, which leaves the application subject to malicious JavaScript code injection attacks. Such breaches of trust may also create vulnerabilities for data theft, authentication forgery, and other potential misuse of data and resources.
- JSON data can be stolen or compromised - the JSON Array hack
  - A trusted website is designed to return some sensitive data as JSON -> http://www.mysite.com/secret-data.json
  - An attacker creates an evil site which turns the JSON into JavaScript, then sends the data to the attacker:

        <script src="http://www.mysite.com/secret-data.json" type="text/javascript"></script>

        <script type="text/javascript">
        var json_data;
        Array = function() { json_data = this; }; // turns JSON into an array!
        </script>
        <script src="http://www.mysite.com/secret-data.json" type="text/javascript"></script>
        <script type="text/javascript">
        var i = 0;
        while (json_data[i]) {
          alert("Found secret data! " + json_data[i++]);
        }
        </script>

  - The user logs into the trusted site mysite.com as an authenticated user.
  - CSRF: the attacker convinces the user to visit their special site while logged in to the target site, perhaps by sending a link via email or posting in a favorite message board.
  - Data is compromised.
- Use the latest browsers, as the setter and getter methods this relies on are deprecated, limiting the impact.
How to secure your application
Using JSON in your application does not make it less secure - it is how you use it which may make you vulnerable.
- Regular expressions can be used to validate the data prior to invoking eval(). The RFC that defines JSON (RFC 4627) suggests using the following code to validate JSON before eval'ing it.
  - The variable 'text' is the input JSON:

        var my_JSON_object = !(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(
                text.replace(/"(\\.|[^"\\])*"/g, ''))) &&
            eval('(' + text + ')');

- The eval function would execute any script embedded in the text, unleashing its malice; use a JSON parser and JSON stringifier instead.
  - A new function, JSON.parse(), was developed as a safer alternative to eval (only available in Mozilla Firefox 3.5+ and Microsoft Internet Explorer 8+).
  - A JSON stringifier goes in the opposite direction, converting JavaScript data structures into JSON text.
- GET requests to a JSON endpoint:
  - The most simple solution is to convert all JSON data requests to POST instead of GET requests.
  - Use unique values to determine that the request for the data actually came from your own site.
- One common mitigation is to make sure that your JSON service always returns its response as a non-array JSON object.
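As an added example (my code, not the deck's), the RFC 4627 filter from this slide beside JSON.parse, plus a small request/response policy that applies the POST-only, site-token and non-array advice; the function names, the request shape and the sample inputs are my own assumptions.

```javascript
// Added example, not from the slide deck: the RFC 4627 pre-eval filter,
// JSON.parse as the safer replacement, and one way to apply the deck's
// request/response advice (POST only, a site-issued token, never a bare
// top-level array). Function names and the request shape are assumed.

// RFC 4627 section 6: remove string literals, then reject any character that
// cannot appear in JSON structure, numbers or the literals true/false/null.
const RFC4627_ILLEGAL = /[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/;
const STRING_LITERAL = /"(\\.|[^"\\])*"/g;

function passesRfc4627Filter(text) {
  return !RFC4627_ILLEGAL.test(text.replace(STRING_LITERAL, ''));
}

// Preferred: JSON.parse never executes code. A bad document is an exception,
// not an attacker-controlled side effect.
function parseJson(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Service-side policy: refuse GET, require the per-site token, and wrap the
// payload in an object so the top-level value is never an array.
function serveJson(req, expectedToken, payload) {
  if (req.method !== 'POST') return { status: 405, body: null };
  if (req.headers['x-request-token'] !== expectedToken) return { status: 403, body: null };
  return { status: 200, body: JSON.stringify({ data: payload }) };
}

// Constructed inputs: plain data, and JSON-shaped text carrying a function call.
const PLAIN = '["alice@example.com", {"id": 42, "admin": false}]';
const WITH_CODE = '{"id": (function () { return 42; })()}';

function demo() {
  const token = 'site-issued-token'; // constructed value
  return {
    plainPasses: passesRfc4627Filter(PLAIN),      // true
    codePasses: passesRfc4627Filter(WITH_CODE),   // false: '(' is not JSON
    plainParsed: parseJson(PLAIN).ok,             // true
    codeParsed: parseJson(WITH_CODE).ok,          // false
    getRefused: serveJson({ method: 'GET', headers: {} }, token, [1]).status,                         // 405
    badToken: serveJson({ method: 'POST', headers: { 'x-request-token': 'x' } }, token, [1]).status,  // 403
    okBody: serveJson({ method: 'POST', headers: { 'x-request-token': token } }, token, [1]).body,    // '{"data":[1]}'
  };
}
```

The filter only guards the eval path; where JSON.parse is available it should replace eval entirely, and the request policy is what stops the cross-site script-src fetch.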
Exploits
- 2006 - It seems like this could be extremely bad as not many people know about this vulnerability. After all, if GMail was successfully exploited via this vulnerability, who else is vulnerable?
- Twitter - JSON Array Hack