Velocity Reviews - Computer Hardware Reviews

JSON and Security

 
 
vunet
      02-14-2008
When implementing JSON as a form of data exchange between server and
client, what security measures do I need to consider? For example, I
have XMLHttpRequest returning JSON text from the server and eval()
converts the string to a JavaScript object. I heard about problems with
"eval" and the idea of using "magic cookies" to avoid attacks. Anyway,
what should I consider?
Thanks.
 
Reply With Quote
 
 
 
 
Stevo
      02-14-2008
vunet wrote:
> When implementing JSON as a form of data exchange between server and
> client, what security measures do I need to consider? For example, I
> have XMLHttpRequest returning JSON text from the server and eval()
> converts the string to a JavaScript object. I heard about problems with
> "eval" and the idea of using "magic cookies" to avoid attacks. Anyway,
> what should I consider?
> Thanks.

Quite a few topics on it here:

http://www.google.com/search?q=json+security+eval
 
Reply With Quote
 
 
 
 
Krukow
      02-14-2008
On 14 Feb., 21:04, Stevo <(E-Mail Removed)> wrote:
> vunet wrote:
> > When implementing JSON as a form of data exchange between server and
> > client, what security measures do I need to consider? For example, I
> > have XMLHttpRequest returning JSON text from the server and eval()
> > converts the string to a JavaScript object. I heard about problems with
> > "eval" and the idea of using "magic cookies" to avoid attacks. Anyway,
> > what should I consider?

This blog post (including the referenced paper) and the following
discussions are quite useful:

http://www.schneier.com/blog/archive...pt_hija_1.html

The above (including links) is where to go, but my understanding is
the following:

Basically, there isn't anything insecure about JSON by itself; just
make sure you check that it is actually valid JSON before you eval it!
However, the combination of a certain type of attack called Cross Site
Request Forgery (CSRF) and JSON is particularly unfortunate. If you
can stop CSRF (and XSS) in your web application there should be no
problems using JSON. The "magic cookies" you heard about are probably
about stopping CSRF, and as such have nothing to do with JSON.

However, if you are not sure that you can stop CSRF attacks, then you
might have slightly more security by using (say) XML instead of JSON
as the data exchange format, as this removes a few JSON specific
attacks (though XML alone with no CSRF protection isn't secure either,
in general). The most important question to answer first is: Is the
data being exchanged "public" or "sensitive"? In case it is public,
you probably don't have to worry about the data-exchange format too
much.

Regards,
- Karl
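Karl's advice is to check that the text really is JSON before handing it to eval(). As an added example that is not part of this thread, the function below does that check using the approximate test published in RFC 4627 section 6 (strip string literals, then refuse anything outside the characters JSON text can contain), and prefers the native JSON.parse where the browser provides it. The sample responses, including a JSONP-style wrapped one, are constructed for the demonstration.

```javascript
// Added example, not code from the thread. Validate server responses before eval().

// RFC 4627 section 6: after removing string literals, JSON text consists only of
// structural characters, digits, signs, exponents, whitespace and the letters
// that spell true, false and null. Anything else (identifiers, parentheses,
// operators) means the response is executable code, not data.
function looksLikeJsonText(text) {
  var withoutStrings = text.replace(/"(\\.|[^"\\])*"/g, '');
  return !/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(withoutStrings);
}

// Turn an XMLHttpRequest response body into an object, or throw.
function parseJsonText(text) {
  if (typeof text !== 'string') {
    throw new TypeError('expected the response body as a string');
  }
  // A native parser never executes anything, so use it whenever it exists.
  if (typeof JSON === 'object' && typeof JSON.parse === 'function') {
    return JSON.parse(text);
  }
  // Legacy fallback: only eval() text that has passed the character check.
  if (!looksLikeJsonText(text)) {
    throw new SyntaxError('response is not JSON text; refusing to eval() it');
  }
  // Parentheses make eval treat "{...}" as an object literal, not a block.
  return eval('(' + text + ')');
}

// Constructed sample responses: one legitimate JSON document and two bodies
// that would run code if passed straight to eval().
var SAMPLES = {
  legitimate: '{"user":"alice","roles":["admin","ops"],"active":true}',
  jsonpWrapped: 'callback({"user":"alice"})',
  expressionInObject: '{"user":(function(){return "x";})()}'
};
```

JSON.parse throws a SyntaxError on the two code-carrying samples just as the fallback does, so callers see the same failure mode on old and new browsers.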
 
Reply With Quote
 
 
 