[Json] Security Considerations

Douglas Crockford <douglas@crockford.com> Thu, 06 June 2013 19:17 UTC

Message-ID: <51B0E02E.4070209@crockford.com>
Date: Thu, 06 Jun 2013 12:17:02 -0700
From: Douglas Crockford <douglas@crockford.com>
To: "json@ietf.org" <json@ietf.org>

Proposal:

    With any data format, it is important to encode correctly.  Care must
    be taken when constructing JSON texts by concatenation.  For example:

    account = 4627;
    comment = "\",\"account\":262";   // provided by attacker
    json_text = "{\"account\":" + account + ",\"comment\":\"" + comment + "\"}";

    The result will be

    {"account":4627,"comment":"","account":262}

    which some parsers MAY see as being the same as

    {"comment":"","account":262}

    This confusion allows an attacker to modify the account property or
    any other property.

    It is much wiser to use JSON generators, which are available in many
    forms for most programming languages, to do the encoding, avoiding
    the confusion hazard.

    JSON is so similar to some programming languages that the native
    parsing ability of the language processors can be used to parse JSON
    texts.  This should be avoided because the native parser will accept
    code which is not JSON.

    For example, JavaScript's eval() function is able to parse JSON text,
    but it can also parse programs.  If an attacker can inject code into
    the JSON text (as we saw above), then it can compromise the system.
    JSON parsers should always be used instead.
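The two hazards in the proposal, concatenation and native-language parsing, side by side in JavaScript. This is an added example, not code from the message or from the JSON WG. The attacker-controlled comment is a constructed value adapted slightly from the one in the proposal so that the spliced-together text is well-formed JSON; `hasDuplicateKeys` is a hypothetical helper that scans a JSON text for a repeated member name at any depth, a check a receiver can apply before trusting a parser's (unspecified) choice between duplicates.

```javascript
// Naive construction, as in the proposal: the comment is spliced in verbatim.
function buildByConcatenation(account, comment) {
  return '{"account":' + account + ',"comment":"' + comment + '"}';
}

// Safe construction: the JSON generator escapes the quotes for us.
function buildWithGenerator(account, comment) {
  return JSON.stringify({ account: account, comment: comment });
}

// Constructed attacker input (adapted from the proposal so the result parses).
const ATTACKER_COMMENT = '","account":262,"note":"';

// Returns true if any object in the text repeats a member name.
// Scans characters directly; keys are decoded with JSON.parse so that
// "a" and "\u0061" compare equal. Assumes the text is otherwise valid JSON.
function hasDuplicateKeys(text) {
  const stack = [];
  let i = 0;
  while (i < text.length) {
    const c = text[i];
    if (c === '"') {
      let j = i + 1;
      let raw = '';
      while (j < text.length && text[j] !== '"') {
        if (text[j] === '\\') { raw += text[j] + text[j + 1]; j += 2; }
        else { raw += text[j]; j += 1; }
      }
      const top = stack[stack.length - 1];
      if (top && top.type === 'object' && top.expectKey) {
        const key = JSON.parse('"' + raw + '"');
        if (top.keys.has(key)) return true;
        top.keys.add(key);
        top.expectKey = false; // next string in this object is a value
      }
      i = j + 1;
      continue;
    }
    if (c === '{') stack.push({ type: 'object', keys: new Set(), expectKey: true });
    else if (c === '[') stack.push({ type: 'array' });
    else if (c === '}' || c === ']') stack.pop();
    else if (c === ',') {
      const top = stack[stack.length - 1];
      if (top && top.type === 'object') top.expectKey = true;
    }
    i += 1;
  }
  return false;
}

// A real JSON parser rejects anything that is not a JSON text.
function acceptedByJsonParser(text) {
  try { JSON.parse(text); return true; } catch (e) { return false; }
}

function demo() {
  const naive = buildByConcatenation(4627, ATTACKER_COMMENT);
  const safe = buildWithGenerator(4627, ATTACKER_COMMENT);
  return {
    naive,                                   // {"account":4627,"comment":"","account":262,"note":""}
    naiveAccount: JSON.parse(naive).account, // 262: ECMAScript keeps the last duplicate
    naiveHasDuplicates: hasDuplicateKeys(naive),
    safe,                                    // the quotes inside comment are escaped
    safeAccount: JSON.parse(safe).account,   // 4627
    safeComment: JSON.parse(safe).comment,   // the attacker string, intact and harmless
    safeHasDuplicates: hasDuplicateKeys(safe),
    expressionAcceptedByJson: acceptedByJsonParser('2+2'), // false; eval("2+2") would return 4
  };
}
```

Run `demo()` to see both constructions. The generator's output still contains the attacker's text, but only as the value of `comment`; the duplicate-name scan is what a receiver can use to reject texts like the naive one outright, rather than depending on which duplicate its parser happens to keep.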