IETF Logo Mail Archive

Re: [Json] Security Considerations

Stefan Drees <stefan@drees.name> Fri, 07 June 2013 16:37 UTC

Return-Path: <stefan@drees.name>
X-Original-To: json@ietfa.amsl.com
Delivered-To: json@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15E4921F9704 for <json@ietfa.amsl.com>; Fri, 7 Jun 2013 09:37:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.199
X-Spam-Level:
X-Spam-Status: No, score=-2.199 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zDJjAX+vSWkI for <json@ietfa.amsl.com>; Fri, 7 Jun 2013 09:37:02 -0700 (PDT)
Received: from mout.web.de (mout.web.de [212.227.17.11]) by ietfa.amsl.com (Postfix) with ESMTP id 69A1E21F88A9 for <json@ietf.org>; Fri, 7 Jun 2013 09:37:00 -0700 (PDT)
Received: from newyork.local.box ([93.129.186.5]) by smtp.web.de (mrweb001) with ESMTPSA (Nemesis) id 0LkyXt-1UDIzx2pW9-00al5Y; Fri, 07 Jun 2013 18:36:53 +0200
Message-ID: <51B20C23.6080303@drees.name>
Date: Fri, 07 Jun 2013 18:36:51 +0200
From: Stefan Drees <stefan@drees.name>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: Paul Hoffman <paul.hoffman@vpnc.org>
References: <51B0E02E.4070209@crockford.com> <1BD0044B-D7A6-4C7F-899E-5D3E72C62956@vpnc.org> <51B116FE.9050406@crockford.com> <51B1885F.3080908@drees.name> <9D5D948B-BD1E-4195-9B05-3376D6EFFAEA@vpnc.org>
In-Reply-To: <9D5D948B-BD1E-4195-9B05-3376D6EFFAEA@vpnc.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:gP+tyzfUhEUgudcSV0KYCT7OANEsRlvWiTkxGaFCMF0a0KFTJ08 VtuwE67Fi/qY52UuPlb8Rss722Te/TUlxF6EYAFHV69jW9085IJ6LBaRQsMzsb6EwKCxFY4 G5Hz/Dp5muivPTaaSS6PkieulZUIKvgR5Bj0mCVsWJivdgnw21E4zJ+32qxJz9wQn7hbgJN 4fqVqf/VjoNmhsNZnRA2Q==
Cc: Douglas Crockford <douglas@crockford.com>, "json@ietf.org" <json@ietf.org>
Subject: Re: [Json] Security Considerations
X-BeenThere: json@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: stefan@drees.name
List-Id: "JavaScript Object Notation \(JSON\) WG mailing list" <json.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/json>, <mailto:json-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/json>
List-Post: <mailto:json@ietf.org>
List-Help: <mailto:json-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/json>, <mailto:json-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jun 2013 16:37:08 -0000

On 2013-06-07 17:58, Paul Hoffman wrote:
>
> On Jun 7, 2013, at 12:14 AM, Stefan Drees <stefan@drees.name> wrote:
>
>> On 07.06.13 01:10, Douglas Crockford wrote:
>>> On 6/6/2013 4:04 PM, Paul Hoffman wrote:
>>>>
>>>> On Jun 6, 2013, at 12:17 PM, Douglas Crockford <douglas@crockford.com>
>>>> wrote:
>>>>
>>>>> Proposal:
>>>>>
>>>>>    With any data format, it is important to encode correctly.  Care must
>>>>>    be taken when constructing JSON texts by concatenation.  For example:
>>>>>
>>>>>    account = 4627;
>>>>>    comment = "\",\"account\":262";   // provided by attacker
>>>>>    json_text = "(\"account\":" + account + ",\"comment\":\"" +
>>>>> comment + "\"}";
>>>> The example is language-specific and, due to the escaping, hard to read.
>>> Which specific language would you say it is? Confusion attacks are often
>>> hard to read. That is why they work. ...
>>
>> I propose to keep the example, but remove the need for quoting by switching to single quotes where needed:
>>
>> """
>> account = 4627;
>> comment = '","account":262';  // provided by attacker
>> json_text = '("account":' + account + ',"comment":"' + comment + '"}';
>> """
>>
>> this is valid (Java|ECMA)Script, right and also much more readable, isn't it?
>
> I can live with this, but I think doing it in English wording is better.

Proposal in English wording:

replace
OLD(++):
"""
With any data format, it is important to encode correctly.  Care must
be taken when constructing JSON texts by concatenation.  For example:

account = 4627;
comment = '","account":262';  // provided by attacker
json_text = '("account":' + account + ',"comment":"' + comment + '"}';

"""

with:
NEW:
"""
With any data format, it is important to encode correctly.  Care must
be taken when constructing JSON texts by concatenation in part from 
untrusted data, this data may inject a mix of structural characters and 
quotes, that changes the structure of the resulting JSON text.
For example: When trying to compose an object like
{"account": 4627, "comment": "foo"} from user input data for "foo", the 
attacking user might instead inject ","account":262,"comment":"hacked so 
that the resulting naively concatenated JSON text would become:
{"account": 4627, "comment": "","account":262,"comment":"hacked"}


"""

What do you think?

All the best,
Stefan.

v2.23.0 | Report a Bug | By Email