[Json] Security Considerations
Douglas Crockford <douglas@crockford.com> Thu, 06 June 2013 19:17 UTC
Message-ID: <51B0E02E.4070209@crockford.com>
Date: Thu, 06 Jun 2013 12:17:02 -0700
From: Douglas Crockford <douglas@crockford.com>
To: "json@ietf.org" <json@ietf.org>
Subject: [Json] Security Considerations
List-Id: "JavaScript Object Notation \(JSON\) WG mailing list" <json.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/json>
Proposal:

With any data format, it is important to encode correctly. Care must be taken when constructing JSON texts by concatenation. For example:

    account = 4627;
    comment = "\",\"account\":262"; // provided by attacker
    json_text = "{\"account\":" + account + ",\"comment\":\"" + comment + "\"}";

The result will be

    {"account":4627,"comment":"","account":262}

which some parsers MAY see as being the same as

    {"comment":"","account":262}

This confusion allows an attacker to modify the account property or any other property. It is much wiser to use JSON generators, which are available in many forms for most programming languages, to do the encoding, avoiding the confusion hazard.

JSON is so similar to some programming languages that the native parsing ability of the language processors can be used to parse JSON texts. This should be avoided because the native parser will accept code which is not JSON. For example, JavaScript's eval() function is able to parse JSON text, but it can also parse programs. If an attacker can inject code into the JSON text (as we saw above), then it can compromise the system. JSON parsers should always be used instead.