Re: [Json] Security Considerations
Paul Hoffman <paul.hoffman@vpnc.org> Fri, 07 June 2013 21:32 UTC
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: json@ietfa.amsl.com
Delivered-To: json@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D81A21F9957 for <json@ietfa.amsl.com>; Fri, 7 Jun 2013 14:32:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YScryVRmtcq0 for <json@ietfa.amsl.com>; Fri, 7 Jun 2013 14:32:30 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id B0FE621F8B90 for <json@ietf.org>; Fri, 7 Jun 2013 14:32:30 -0700 (PDT)
Received: from [165.227.249.247] (sn80.proper.com [75.101.18.80]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.5) with ESMTP id r57LW1If099149 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Fri, 7 Jun 2013 14:32:02 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <51B20C23.6080303@drees.name>
Date: Fri, 07 Jun 2013 14:32:01 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <3571001A-2D76-4F28-AE1B-0512ACC432B3@vpnc.org>
References: <51B0E02E.4070209@crockford.com> <1BD0044B-D7A6-4C7F-899E-5D3E72C62956@vpnc.org> <51B116FE.9050406@crockford.com> <51B1885F.3080908@drees.name> <9D5D948B-BD1E-4195-9B05-3376D6EFFAEA@vpnc.org> <51B20C23.6080303@drees.name>
To: stefan@drees.name
X-Mailer: Apple Mail (2.1508)
Cc: Douglas Crockford <douglas@crockford.com>, "json@ietf.org" <json@ietf.org>
Subject: Re: [Json] Security Considerations
X-BeenThere: json@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "JavaScript Object Notation \(JSON\) WG mailing list" <json.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/json>, <mailto:json-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/json>
List-Post: <mailto:json@ietf.org>
List-Help: <mailto:json-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/json>, <mailto:json-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jun 2013 21:32:31 -0000
On Jun 7, 2013, at 9:36 AM, Stefan Drees <stefan@drees.name> wrote: > On 2013-06-07 17:58, Paul Hoffman wrote: >> >> On Jun 7, 2013, at 12:14 AM, Stefan Drees <stefan@drees.name> wrote: >> >>> On 07.06.13 01:10, Douglas Crockford wrote: >>>> On 6/6/2013 4:04 PM, Paul Hoffman wrote: >>>>> >>>>> On Jun 6, 2013, at 12:17 PM, Douglas Crockford <douglas@crockford.com> >>>>> wrote: >>>>> >>>>>> Proposal: >>>>>> >>>>>> With any data format, it is important to encode correctly. Care must >>>>>> be taken when constructing JSON texts by concatenation. For example: >>>>>> >>>>>> account = 4627; >>>>>> comment = "\",\"account\":262"; // provided by attacker >>>>>> json_text = "(\"account\":" + account + ",\"comment\":\"" + >>>>>> comment + "\"}"; >>>>> The example is language-specific and, due to the escaping, hard to read. >>>> Which specific language would you say it is? Confusion attacks are often >>>> hard to read. That is why they work. ... >>> >>> I propose to keep the example, but remove the need for quoting by switching to single quotes where needed: >>> >>> """ >>> account = 4627; >>> comment = '","account":262'; // provided by attacker >>> json_text = '("account":' + account + ',"comment":"' + comment + '"}'; >>> """ >>> >>> this is valid (Java|ECMA)Script, right and also much more readable, isn't it? >> >> I can live with this, but I think doing it in English wording is better. > > Proposal in English wording: > > replace > OLD(++): > """ > With any data format, it is important to encode correctly. Care must > be taken when constructing JSON texts by concatenation. For example: > > account = 4627; > comment = '","account":262'; // provided by attacker > json_text = '("account":' + account + ',"comment":"' + comment + '"}'; > > """ > > with: > NEW: > """ > With any data format, it is important to encode correctly. Care must > be taken when constructing JSON texts by concatenation in part from untrusted data, this data may inject a mix of structural characters and quotes, that changes the structure of the resulting JSON text. > For example: When trying to compose an object like > {"account": 4627, "comment": "foo"} from user input data for "foo", the attacking user might instead inject ","account":262,"comment":"hacked so that the resulting naively concatenated JSON text would become: > {"account": 4627, "comment": "","account":262,"comment":"hacked"} > > > """ > > What do you think? I'm liking that more, but we still have quoting problems. They can be solved by linebreaks. For example: When trying to compose an object such as: {"account": 4627, "comment": "foo"} from user input data for "foo", the attacker might instead inject the text: ","account":262,"comment":"hacked so that the resulting naively concatenated JSON text would become: {"account": 4627, "comment": "","account":262,"comment":"hacked"} --Paul Hoffman
- [Json] Security Considerations Douglas Crockford
- Re: [Json] Security Considerations Gonzalo Salgueiro
- Re: [Json] Security Considerations Paul Hoffman
- Re: [Json] Security Considerations Peter Brooks
- Re: [Json] Security Considerations Paul Hoffman
- Re: [Json] Security Considerations Carsten Bormann
- [Json] Security Considerations Douglas Crockford
- Re: [Json] Security Considerations Stephan Beal
- Re: [Json] Security Considerations John Levine
- Re: [Json] Security Considerations Paul Hoffman
- Re: [Json] Security Considerations Douglas Crockford
- Re: [Json] Security Considerations Peter Brooks
- Re: [Json] Security Considerations Stefan Drees
- Re: [Json] Security Considerations Stefan Drees
- Re: [Json] Description of parsers Stefan Drees
- Re: [Json] Security Considerations Paul Hoffman
- Re: [Json] Security Considerations Paul Hoffman
- Re: [Json] Security Considerations Stefan Drees
- Re: [Json] Security Considerations Paul Hoffman
- Re: [Json] Security Considerations Peter brooks
- Re: [Json] Security Considerations John Cowan
- Re: [Json] Security Considerations Peter brooks
- Re: [Json] Security Considerations Stefan Drees
- Re: [Json] Security Considerations Stefan Drees
- Re: [Json] Security Considerations Eliot Lear
- Re: [Json] Security Considerations Stefan Drees
- Re: [Json] Security Considerations John Levine
- Re: [Json] Security Considerations Stefan Drees
- [Json] Description of parsers Paul Hoffman
- Re: [Json] Description of parsers Stefan Drees
- Re: [Json] Description of parsers Carsten Bormann