Hello security enthusiasts, I recently had an opportunity to attend a webinar on JSON security by ASPECT Security Inc. Here are excerpts from the webinar. Please spend some time going through the article to understand JSON and its security controls.
The agenda was an introduction to JSON and how it operates, past attacks against JSON-based applications, best practices and security controls, and the future of JSON. You may want to refresh your knowledge of SOP (same origin policy) and CORS (Cross-Origin Resource Sharing).
Example of JSON (name : value pairs):
    {
      "firstName": "John",
      "lastName": "Smith",
      "StreetAddress": "21 2nd street",
      "ZipCode": "10021"
    }
C) Past Attacks on JSON and Mitigations: Several past attacks exploited vulnerabilities introduced by using JSON in an insecure manner. The array attack, the object attack, the Rosetta Flash attack and others exploited these weaknesses and resulted in the disclosure of sensitive information. Various mitigations were proposed in response to these attacks; a few of them are listed below:
c) Use CSRF tokens in all JSON requests to ensure that the request is a legitimate one.
More details on the Rosetta Flash attack, which was realized using JSONP, can be found at the link below: https://www.youtube.com/watch?v=2ZiH4x9kJ6E (discovered and presented by the researcher Michele Spagnuolo).
D) Securing JSON applications:
a) Controls on the server. There really isn't anything special about JSON: a JSON endpoint needs the same controls as any other endpoint.
- Authentication – Who is calling our service?
- Authorization – Does the caller have the permission to call the service? Does the caller have the permission to act on the requested data?
- CSRF protection – Is the request legitimate?
- Output encoding/escaping – Always surround property names with quotes, always surround property values with quotes, and escape special characters (single quote, double quote, backslash).
- Use parsers/serializers – Don't dynamically build your own JSON strings by concatenation.
- Include attack mitigations in your responses – POST only + CSRF tokens; response headers + prepended comments.
b) Controls on the client (Browser)
- Use a standard framework – AngularJS, Backbone.js, Knockout, Ember, jQuery
- Don’t use unsafe functions – eval() is Evil !
- Use JSON.parse() and JSON.stringify()
General principles when using JSON/JSONP include authentication and authorization controls and the use of HTTPS. Never trust the browser: it cannot keep and will not protect your secrets. Keep your critical processes on the server. Keep data clean and use trusted parsers instead of unsafe functions. Also remember that script and object tags are special: they bypass the Same Origin Policy by design.
E) Future of JSON
"With the increased usage of JSON in protocols in the IETF and elsewhere, there is now a desire to offer security services, which use encryption, digital signatures, message authentication codes (MACs) algorithms, that carry their data in JSON format." (Source: https://datatracker.ietf.org/wg/jose/documents/)
JSON Web Signature – RFC 7515: JWS represents content secured with digital signatures or message authentication codes (MACs) using JSON-based data structures.
JSON Web Encryption – RFC 7516: JWE represents encrypted content using JSON-based data structures.
JSON Web Key – RFC 7517: JWK is a JSON data structure that represents a cryptographic key.