JSON and Security

  • vunet

    JSON and Security

    When implementing JSON as a form of data exchange between server and
    client, what security measures do I need to consider? For example, I
    have XMLHttpRequest returning JSON text from the server and eval()
    converts string to the JavaScript object. I heard about problems with
    "eval" and idea of using "magic cookies" to avoid attacks. Anyway,
    what should I consider?
    Thanks.
  • Stevo

    #2
    Re: JSON and Security

    vunet wrote:
    When implementing JSON as a form of data exchange between server and
    client, what security measures do I need to consider? For example, I
    have XMLHttpRequest returning JSON text from the server and eval()
    converts string to the JavaScript object. I heard about problems with
    "eval" and idea of using "magic cookies" to avoid attacks. Anyway,
    what should I consider?
    Thanks.
    Quite a few topics on it here:



    • Krukow

      #3
      Re: JSON and Security

      On 14 Feb., 21:04, Stevo <ple...@spam-me.com> wrote:
      vunet wrote:
      When implementing JSON as a form of data exchange between server and
      client, what security measures do I need to consider? For example, I
      have XMLHttpRequest returning JSON text from the server and eval()
      converts string to the JavaScript object. I heard about problems with
      "eval" and idea of using "magic cookies" to avoid attacks. Anyway,
      what should I consider?

      This blog post (including the referenced paper) and the following
      discussions are quite useful:

      Interesting paper on JavaScript Hijacking: a new type of eavesdropping attack against Ajax-style Web applications. I’m pretty sure it’s the first type of attack that specifically targets Ajax code. The attack is possible because Web browsers don’t protect JavaScript the same way they protect HTML; if a Web application transfers confidential data using messages written in JavaScript, in some cases the messages can be read by an attacker. The authors show that many popular Ajax programming frameworks do nothing to prevent JavaScript hijacking. Some actually ...


      The above (including links) is where to go, but my understanding is
      the following:

      Basically, there isn't anything insecure about JSON by itself; just
      make sure you check that it is actually valid JSON before you eval it!
      However, the combination of a certain type of attack called Cross Site
      Request Forgery (CSRF) and JSON is particularly unfortunate. If you
      can stop CSRF (and XSS) in your web application there should be no
      problems using JSON. The "magic cookies" you heard about are probably
      about stopping CSRF, and as such have nothing to do with JSON.

      However, if you are not sure that you can stop CSRF attacks, then you
      might have slightly more security by using (say) XML instead of JSON
      as the data exchange format, as this removes a few JSON specific
      attacks (though XML alone with no CSRF protection isn't secure either,
      in general). The most important question to answer first is: Is the
      data being exchanged "public" or "sensitive"? In case it is public,
      you probably don't have to worry about the data-exchange format too
      much.

      Regards,
      - Karl
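One way to apply the "check that it is actually valid JSON before you eval it" advice from the reply above, as an added example that is not code from the thread: the filter is modelled on the regex guard in Douglas Crockford's json2.js (an assumption about which check was meant), and the sample responses are constructed here.

```javascript
// Added example, not from the thread: gate eval() behind a JSON-only syntax check.
// The check is modelled on the regex filter in Douglas Crockford's json2.js
// (assumption: that is the kind of "valid JSON" check the reply refers to).

// Returns true only if `text` contains nothing but JSON tokens: strings, numbers,
// true/false/null and the punctuation [ ] { } : , plus whitespace. Any bare
// identifier or parenthesis (a function call, a variable reference) fails.
function isStrictJson(text) {
  if (typeof text !== 'string') return false;
  // 1. Neutralise backslash escapes so an escaped quote cannot end a string early.
  const noEscapes = text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@');
  // 2. Collapse every string, number and literal into a single ']' token.
  const noValues = noEscapes.replace(
    /"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']');
  // 3. Drop each '[' that legally opens an array (at start, or after ':' or ',').
  const noOpeners = noValues.replace(/(?:^|:|,)(?:\s*\[)+/g, '');
  // 4. Only structural characters and whitespace may remain.
  return /^[\],:{}\s]*$/.test(noOpeners);
}

// Convert a server response to an object the way the thread describes (eval),
// but refuse anything that is not plain JSON. Throws SyntaxError on rejection.
function evalJsonResponse(text) {
  if (!isStrictJson(text)) {
    throw new SyntaxError('response is not strict JSON; refusing to eval it');
  }
  // Parentheses make eval read "{...}" as an object literal rather than a block.
  return eval('(' + text + ')');
}

// Constructed sample responses: one legitimate, three carrying executable code.
const SAMPLE_RESPONSES = {
  ok: '{"user":"alice","admin":false,"tags":["a","b"]}',
  callInValue: '{"user": someFunction()}',             // bare identifier and call
  trailingStatement: '[1,2]; doSomethingElse()',       // statement after the value
  iife: '(function(){ return {"user":"alice"}; })()',  // immediately invoked function
};

// Returns { accepted: [...names], rejected: [...names] } for a set of samples.
function triageSamples(samples = SAMPLE_RESPONSES) {
  const result = { accepted: [], rejected: [] };
  for (const [name, text] of Object.entries(samples)) {
    (isStrictJson(text) ? result.accepted : result.rejected).push(name);
  }
  return result;
}
```

Where JSON.parse is available it should replace the eval branch entirely. This guard only limits what eval may execute; it does nothing against the CSRF and script-tag inclusion problems the reply discusses, which need their own token-based defence.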
