null Banglore Chapter - December 2012 Meet

1. OWASP Bangalore- Dec 15 2012
JSON INJECTION
1 AXP Internal 31-Dec-12

2. Agenda
 What is JSON
 JSON Security Concerns
 How to secure your application
 Exploits
2 AXP Internal 31-Dec-12

3. What is JSON- JavaScript Object Notation
 JSON is a is a lightweight, text-based, language-independent data
interchange format with parsers available for many languages
 JSON has been used to exchange data between applications written in all
of these programming languages: ActionScript, C, C#, ColdFusion,
Common Lisp, E, Erlang, Java, JavaScript, Lua, Objective CAML, Perl, PHP,
Python, Rebol, Ruby, and Scheme.
 JSON format is often used for serializing and transmitting structured
data over a network connection. It is used primarily to transmit data
between a server and web application, serving as an alternative to XML.
 JSON is like XML because:
 They are both 'self-describing' meaning that values are named, and thus 'human readable'
 Both are hierarchical. (i.e. You can have values within values.)
 Both can be parsed and used by lots of programming languages
 Both can be passed around using AJAX (i.e. httpWebRequest)
 JSON is UNlike XML because:
 XML uses angle brackets, with a tag name at the start and end of an element: JSON uses squiggly brackets with the
name only at the beginning of the element.
 JSON is less verbose so it's definitely quicker for humans to write, and probably quicker for us to read.
 JSON can be parsed trivially using the eval() procedure in JavaScript
 JSON includes arrays {where each element doesn't have a name of its own}
 In XML you can use any name you want for an element, in JSON you can't use reserved words from javascript
3 AXP Internal 31-Dec-12

4. What is JSON- continued
 How do I use it
 Internet media type for JSON is application/json
 universal data structures.Virtually all modern programming languages support them in one form or another
 JSON is built on two structures:
 A collection of name/value pairs. In various languages, this is realized as an object, record, struct, dictionary, hash table, keyed list, or
associative array.
 An ordered list of values. In most languages, this is realized as an array, vector, list, or sequence.
An object is an unordered set of name/value pairs
A value can be a string in double quotes, or a number,
or true or false or null, or an object or an array.
These structures can be nested
4 AXP Internal 31-Dec-12

5. What is JSON- continued
An array is an ordered collection of values. An
array begins with
5 AXP Internal 31-Dec-12

6. JSON Security Concerns
 Because most JSON-formatted text is also syntactically legal JavaScript code, an easy way for a JavaScript
program to parse JSON-formatted data is to use the built-in JavaScript eval() function, which was designed
to evaluate JavaScript expressions. Rather than using a JSON-specific parser.
 Eval() - execute the JSON data to produce native JavaScript objects subject to malicious JavaScript code injection
attacks. Also, such breaches of trust may create vulnerabilities for data theft, authentication forgery, and other potential
misuse of data and resources
 JSON Data Be Stolen or Compromised –JSON Array hack
 A trusted website is designed to return some sensitive data as JSON -> http://www.mysite.com/secret-data.json
 An attacker creates a evil site which turns the JSON into JavaScript, then sends the data to the attacker
 <script src="http://www.mysite.com/secret-data.json" type="text/javascript"></script>
 <script type="text/javascript">
 var json_data;
 Array=function() { json_data=this;}; //turns JSON into an array!
 </script>
 <script src="http://www.mysite.com/secret-data.json" type="text/javascript"></script>
 <script type="text/javascript"> Var i=0;
 While(json_data[i++])
 { Alert("Found secret data! "+json_data[i]; }
 </script>
 User logs into trusted site mysite.com as an authenticated user
 CSRF: Attacker convinces the user to visit their special site while logged in to the target site. Perhaps by sending a link via
email or posting in a favorite message board.
 Data is compromised.
 Use latest browsers as the setter and getter methods are deprecated limiting the impact
6 AXP Internal 31-Dec-12

7. How to secure your application
Using JSON in your application does not make it less secure - it is how you use it which may
make you vulnerable.
 Regular expressions can be used to validate the data prior to invoking eval(). RFC that defines JSON (RFC
4627) suggests using the following code to validate JSON before eval'ing it
 The variable 'text' is the input JSON
 var my_JSON_object = !(/[^,:{}[]0-9.-+Eaeflnr-u nrt]/.test( text.replace(/"(.|[^"])*"/g, ''))) && eval('(' + text + ')');
 eval function would execute the script, unleashing its malice- use JSON parser & JSON stringifier
 A new function, JSON.parse(), was developed as a safer alternative to eval(only available in Mozilla Firefox 3.5+,Microsoft Internet
Explorer 8+
 A JSON stringifier goes in the opposite direction, converting JavaScript data structures into JSON text.
 Use GET requests to a JSON endpoint.
 most simple solution is to convert all data JSON requests to POST instead of GET requests
 use unique values to determine that the request for the data actually came from your own site
 One common mitigation is to make sure that your JSON service always returns its response as a non-array
JSON object.
7 AXP Internal 31-Dec-12

8. Exploits -
 2006 - It seems like this could be extremely bad as not many people know
about this vulnerability. After all, if GMail was successfully exploited via this
vulnerability, who else is vulnerable?
 Twitter – JSON Array Hack
8 AXP Internal 31-Dec-12