JSON Security

Hello security enthusiasts, I recently had an opportunity to attend a webinar on JSON security by ASPECT Security Inc. Here are excerpts from the webinar. Please sped sometime to go through the article to understand JSON and its security controls.

Agenda was an introduction to JSON & how it operates, past attacks against JSON based applications, Best practices and security controls and the future of JSON. You may want to refresh your knowledge on SOP (same origin policy) and CORS ( Cross Origin Resource Sharing)

A) JSON ( JavaScript Object Notation)  is a data interchange format. It is used in transmission of data between machines. Since it carries only data, it is security neutral. The security of systems that use JSON is determined by the quality of the design of those systems. JSON itself introduces no vulnerabilities. (source: http://yuiblog.com/blog/ 2007/04/10/json-and-browser-security/). To summarize what JSON is a) it is a data interchange format used to convey information between systems much like XML, HTTP parameters, SOAP etc. It is part of JavaScript language and can be interpreted and executed as a valid JavaScript

B) Executing JSON : You are more vulnerable to attacks if using eval: which was the most common way to parse JSON. This is not inherently sage to use with untrusted data( user input or data from database).. JSON.parse()/ JSON.stringify() which used to be available only as a JS library now is a part of JS language. This helps safely convert JSON to JS objects (http://json.org ). Use of JSON is a subset of Javascript and json.parse just parses JSON whereas eval: would leave the door open to all JS expressions

 Example of JSON (Name : Value)

               {

                   “firstName” : “ John”,
                    “lastName” : “Smith”,
                    “age”: “25”,
                    “address”: {
                                    “StreetAddress”: “ 21 2nd street”,
                                    “City”: “NewYork”,
                                    “State”: “NY”,
                                    “ZipCode” : “10021”
                                    }
             },

C) Past Attacks on JSON and Mitigations: There have been attacks in the past exposing the vulnerabilities introduced with the use of JSON in an insecure manner. Array attack, Object attack, Rosetta attack etc. exploited the vulnerabilities and resulted in revealing sensitive information.  Various mitigations got proposed based on these attacks few which are as below

a) Retrieve JSON data using POST requests – don’t return JSON data from a GET request. JavaScript & XmlHttpRequest must respect the SOP (Same Origin Policy) unless CORS is enabled for the attacking domain

 b) Return JSON data as an Object – don’t return JSON data in arrays. Objects are seen as code blocks with lables, JavaScript parser throws an error (stops executing) whenever there is an array attack

c) Use CSRF tokens in all JSON requests ensuring that the request is a valid one

Rosetta attack & JSONP : JSONP or JSON with padding is a communication technique used in JavaScript programs running in web browsers to request data from a server in a different domain, something prohibited by typical web browsers because of the same origin policy. JSONP takes advantage of the fact that browsers do not enforce the sane-origin policy on <script> tags. Since it works through <script> tags, JSONP supports only GET request method.

More details on Rosetta Flash attack which was realized using JSONP can be found on below links https://www.youtube.com/watch?v=2ZiH4x9kJ6E Discovered and presented by the researcher Michele Spannuolo

D) Securing JSON applications: 

a) Controls on the server.  There really isn’t anything special about JSON which needs the same   controls as any other endpoints

  1. Authentication – Who is calling our service?
  2. Authorization – Does the caller have the permission to call the service? Does the caller have the permission to act on the requested data?
  3. CSTF protection – Is the request legitimate?
  4. Output encoding/ escaping – Always surround property names with quotes, always surround property values with quotes, escape special characters ( single quote  ; Double quote ; backslashes)
  5. User Parsers – Don’t dynamically create your own JSON strings
  6. Include attack mitigations in your responses – POST only+ CSRF tokens ; Response Headers+ prepended comments

b) Controls on the client (Browser)

  1. Use a standard framework – angularJS, Backbone.js, Knockout, Ember, jQuery
  2. Don’t use unsafe functions – eval() is Evil !
  3. Use JSON.parse() and JSON.stringify()

General Principles when using JSON/JSOMP includes authentication and authorization contols, use of HTTPS. Never trust the browser, it cannot keep and will not protect your secrets. Keep your critical processes on server. Keep Data clean and use trusted parsers instead of unsafe functions. Also remember that Script and Object tags are special. They bypass the Same Origin Policy by Design.

E) Future of JSON

With the increased usage of JSON in protocols in the IETF and elsewhere, there is now a desire to offer security services, which use encryption, digital signatures, message authentication codes (MACs)
algorithms, that carry their data in JSON format. ( Source: https://datatracker.ietf.org/wg/jose/documents/ )

JSON Web signature –RC 7515 : JWS represents content secured with digital signatures or message authentication codes (MACs) using JSON-based data structures.

JSON Web Encryption – RFC 7516 : JWE represents encrypted content using JSON-based data structures

JSON Web Key –RFC 7517 : JWK is a Jason data structure that represents a cryptographic key.

Rate this article: 
Average: 3.3 (7 votes)
Article category: