Re: [Json] Security Considerations
Stefan Drees <stefan@drees.name> Fri, 07 June 2013 16:37 UTC
Return-Path: <stefan@drees.name>
X-Original-To: json@ietfa.amsl.com
Delivered-To: json@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15E4921F9704 for <json@ietfa.amsl.com>; Fri, 7 Jun 2013 09:37:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.199
X-Spam-Level:
X-Spam-Status: No, score=-2.199 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zDJjAX+vSWkI for <json@ietfa.amsl.com>; Fri, 7 Jun 2013 09:37:02 -0700 (PDT)
Received: from mout.web.de (mout.web.de [212.227.17.11]) by ietfa.amsl.com (Postfix) with ESMTP id 69A1E21F88A9 for <json@ietf.org>; Fri, 7 Jun 2013 09:37:00 -0700 (PDT)
Received: from newyork.local.box ([93.129.186.5]) by smtp.web.de (mrweb001) with ESMTPSA (Nemesis) id 0LkyXt-1UDIzx2pW9-00al5Y; Fri, 07 Jun 2013 18:36:53 +0200
Message-ID: <51B20C23.6080303@drees.name>
Date: Fri, 07 Jun 2013 18:36:51 +0200
From: Stefan Drees <stefan@drees.name>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: Paul Hoffman <paul.hoffman@vpnc.org>
References: <51B0E02E.4070209@crockford.com> <1BD0044B-D7A6-4C7F-899E-5D3E72C62956@vpnc.org> <51B116FE.9050406@crockford.com> <51B1885F.3080908@drees.name> <9D5D948B-BD1E-4195-9B05-3376D6EFFAEA@vpnc.org>
In-Reply-To: <9D5D948B-BD1E-4195-9B05-3376D6EFFAEA@vpnc.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:gP+tyzfUhEUgudcSV0KYCT7OANEsRlvWiTkxGaFCMF0a0KFTJ08 VtuwE67Fi/qY52UuPlb8Rss722Te/TUlxF6EYAFHV69jW9085IJ6LBaRQsMzsb6EwKCxFY4 G5Hz/Dp5muivPTaaSS6PkieulZUIKvgR5Bj0mCVsWJivdgnw21E4zJ+32qxJz9wQn7hbgJN 4fqVqf/VjoNmhsNZnRA2Q==
Cc: Douglas Crockford <douglas@crockford.com>, "json@ietf.org" <json@ietf.org>
Subject: Re: [Json] Security Considerations
X-BeenThere: json@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: stefan@drees.name
List-Id: "JavaScript Object Notation \(JSON\) WG mailing list" <json.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/json>, <mailto:json-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/json>
List-Post: <mailto:json@ietf.org>
List-Help: <mailto:json-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/json>, <mailto:json-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jun 2013 16:37:08 -0000
On 2013-06-07 17:58, Paul Hoffman wrote: > > On Jun 7, 2013, at 12:14 AM, Stefan Drees <stefan@drees.name> wrote: > >> On 07.06.13 01:10, Douglas Crockford wrote: >>> On 6/6/2013 4:04 PM, Paul Hoffman wrote: >>>> >>>> On Jun 6, 2013, at 12:17 PM, Douglas Crockford <douglas@crockford.com> >>>> wrote: >>>> >>>>> Proposal: >>>>> >>>>> With any data format, it is important to encode correctly. Care must >>>>> be taken when constructing JSON texts by concatenation. For example: >>>>> >>>>> account = 4627; >>>>> comment = "\",\"account\":262"; // provided by attacker >>>>> json_text = "(\"account\":" + account + ",\"comment\":\"" + >>>>> comment + "\"}"; >>>> The example is language-specific and, due to the escaping, hard to read. >>> Which specific language would you say it is? Confusion attacks are often >>> hard to read. That is why they work. ... >> >> I propose to keep the example, but remove the need for quoting by switching to single quotes where needed: >> >> """ >> account = 4627; >> comment = '","account":262'; // provided by attacker >> json_text = '("account":' + account + ',"comment":"' + comment + '"}'; >> """ >> >> this is valid (Java|ECMA)Script, right and also much more readable, isn't it? > > I can live with this, but I think doing it in English wording is better. Proposal in English wording: replace OLD(++): """ With any data format, it is important to encode correctly. Care must be taken when constructing JSON texts by concatenation. For example: account = 4627; comment = '","account":262'; // provided by attacker json_text = '("account":' + account + ',"comment":"' + comment + '"}'; """ with: NEW: """ With any data format, it is important to encode correctly. Care must be taken when constructing JSON texts by concatenation in part from untrusted data, this data may inject a mix of structural characters and quotes, that changes the structure of the resulting JSON text. For example: When trying to compose an object like {"account": 4627, "comment": "foo"} from user input data for "foo", the attacking user might instead inject ","account":262,"comment":"hacked so that the resulting naively concatenated JSON text would become: {"account": 4627, "comment": "","account":262,"comment":"hacked"} """ What do you think? All the best, Stefan.
- [Json] Security Considerations Douglas Crockford
- Re: [Json] Security Considerations Gonzalo Salgueiro
- Re: [Json] Security Considerations Paul Hoffman
- Re: [Json] Security Considerations Peter Brooks
- Re: [Json] Security Considerations Paul Hoffman
- Re: [Json] Security Considerations Carsten Bormann
- [Json] Security Considerations Douglas Crockford
- Re: [Json] Security Considerations Stephan Beal
- Re: [Json] Security Considerations John Levine
- Re: [Json] Security Considerations Paul Hoffman
- Re: [Json] Security Considerations Douglas Crockford
- Re: [Json] Security Considerations Peter Brooks
- Re: [Json] Security Considerations Stefan Drees
- Re: [Json] Security Considerations Stefan Drees
- Re: [Json] Description of parsers Stefan Drees
- Re: [Json] Security Considerations Paul Hoffman
- Re: [Json] Security Considerations Paul Hoffman
- Re: [Json] Security Considerations Stefan Drees
- Re: [Json] Security Considerations Paul Hoffman
- Re: [Json] Security Considerations Peter brooks
- Re: [Json] Security Considerations John Cowan
- Re: [Json] Security Considerations Peter brooks
- Re: [Json] Security Considerations Stefan Drees
- Re: [Json] Security Considerations Stefan Drees
- Re: [Json] Security Considerations Eliot Lear
- Re: [Json] Security Considerations Stefan Drees
- Re: [Json] Security Considerations John Levine
- Re: [Json] Security Considerations Stefan Drees
- [Json] Description of parsers Paul Hoffman
- Re: [Json] Description of parsers Stefan Drees
- Re: [Json] Description of parsers Carsten Bormann