JSON and Security

vunet

When implementing JSON as a form of data exchange between server and
client, what security measures do I need to consider? For example, I
have XMLHttpRequest returning JSON text from the server and eval()
converts the string to a JavaScript object. I heard about problems with
"eval" and the idea of using "magic cookies" to avoid attacks. Anyway,
what should I consider?
Thanks.
 
Stevo

vunet said:
When implementing JSON as a form of data exchange between server and
client, what security measures do I need to consider? For example, I
have XMLHttpRequest returning JSON text from the server and eval()
converts the string to a JavaScript object. I heard about problems with
"eval" and the idea of using "magic cookies" to avoid attacks. Anyway,
what should I consider?
Thanks.

Quite a few topics on it here:

http://www.google.com/search?q=json+security+eval
 
Krukow

This blog post (including the referenced paper) and the following
discussions are quite useful:

http://www.schneier.com/blog/archives/2007/04/javascript_hija_1.html

The above (including links) is where to go, but my understanding is
the following:

Basically, there isn't anything insecure about JSON by itself; just
make sure you check that it is actually valid JSON before you eval it!
However, the combination of a certain type of attack called Cross Site
Request Forgery (CSRF) and JSON is particularly unfortunate. If you
can stop CSRF (and XSS) in your web application there should be no
problems using JSON. The "magic cookies" you heard about are probably
about stopping CSRF, and as such have nothing to do with JSON.

However, if you are not sure that you can stop CSRF attacks, then you
might have slightly more security by using (say) XML instead of JSON
as the data exchange format, as this removes a few JSON specific
attacks (though XML alone with no CSRF protection isn't secure either,
in general). The most important question to answer first is: Is the
data being exchanged "public" or "sensitive"? In case it is public,
you probably don't have to worry about the data-exchange format too
much.

Regards,
- Karl
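The two checks Karl describes, as an added example that is not part of the thread: a syntax check so that only JSON text ever reaches the evaluator, and a per-session token ("magic cookie") check that a cross-site page cannot satisfy. Function names and the header/token layout are assumptions for illustration.

```javascript
// Added example (not from the thread). Part 1: decide whether a response body
// is JSON text before it is turned into an object. This is the Crockford-style
// check from json2.js: neutralise escapes, then collapse strings, numbers and
// literals to ']' and drop array/object openers; genuine JSON leaves only
// structural characters behind, while statements, calls and assignments leave
// identifiers or operators and are rejected.
function isJsonText(text) {
  var stripped = String(text)
    .replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')
    .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']')
    .replace(/(?:^|:|,)(?:\s*\[)+/g, '');
  return /^[\],:{}\s]*$/.test(stripped);
}

// Convert validated response text into an object. JSON.parse never executes
// code; the syntax check above is what made the older eval('(' + text + ')')
// path safe and is kept so the rule "only JSON reaches the evaluator" holds
// on either path.
function parseJsonResponse(text) {
  if (!isJsonText(text)) {
    throw new Error('response is not JSON text; refusing to evaluate it');
  }
  if (typeof JSON === 'object' && typeof JSON.parse === 'function') {
    return JSON.parse(text);
  }
  return eval('(' + text + ')'); // legacy runtimes only, after the check
}

// Part 2 (hypothetical server-side helper): the "magic cookie" / CSRF token.
// The server issues a random per-session token that the page echoes in a
// request header. A forged cross-site request carries the session cookie
// automatically but cannot read or set the token, so it fails this check.
function isSameSiteRequest(sessionToken, headerToken) {
  return typeof sessionToken === 'string' && sessionToken.length > 0 &&
    typeof headerToken === 'string' && headerToken === sessionToken;
}
```

Run the checks on the same data that goes over the wire: constructed inputs such as `'{"user":"alice"}'` pass, while `'alert(1)'` or `'x = {"a":1}'` are refused before anything evaluates them.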