
Safe JSON

Update: March 5th 2007:  Important change to the recommendation for Safe JSON detailed below.  It is not as safe as people think, but it can still be made to be safe.

We have been investigating the security implications of having a JSON API in Connections. It turns out that it is very easy to leave pretty big security exposures in an application if it isn’t done right.  The security exposure in this case is rogue sites being able to get at data made available via a JSON API.  The truly frightening part of this is that applications installed on a corporate intranet can actually leak data to internet sites should a user visit a rogue site. BTW, these exposures apply equally to formally published APIs such as Yahoo’s and to the internal JSON APIs often used for AJAX tricks.

As far as I can make out there are three different approaches used with JSON APIs. Before detailing the vulnerabilities I’ll highlight the three approaches using the Yahoo examples (you might want to familiarize yourself with the examples before reading any further). The three approaches are:

Approach 1 – Plain JSON

Simply return JSON, i.e.

{
  "Image": {
    "Width": 800,
    "Height": 600,
    "Title": "View from 15th Floor",
    "Thumbnail": {
      "Url": "http:\/\/scd.mm-b1.yimg.com\/image\/481989943",
      "Height": 125,
      "Width": "100"
    },
    "IDs": [116, 943, 234, 38793]
  }
}

Approach 2 – var assignment

Assign the JSON object to some variable that can then be accessed by the embedding application (not an approach used by Yahoo).

var result = {
  "Image": {
    "Width": 800,
    "Height": 600,
    "Title": "View from 15th Floor",
    "Thumbnail": {
      "Url": "http:\/\/scd.mm-b1.yimg.com\/image\/481989943",
      "Height": 125,
      "Width": "100"
    },
    "IDs": [116, 943, 234, 38793]
  }
}

Approach 3 – function callback

When calling the JSON web service, pass the name of a callback function as a parameter.  The resulting JSON response passes the JSON object as the argument to that callback function.

callbackFunction({
  "Image": {
    "Width": 800,
    "Height": 600,
    "Title": "View from 15th Floor",
    "Thumbnail": {
      "Url": "http:\/\/scd.mm-b1.yimg.com\/image\/481989943",
      "Height": 125,
      "Width": "100"
    },
    "IDs": [116, 943, 234, 38793]
  }
})

All three approaches can be consumed via an XMLHttpRequest followed by a JavaScript eval, but, as Yahoo points out, Approaches 2 and 3, unlike Approach 1, don’t "run afoul of browser security restrictions that prevent files from being loaded across domains", because, in Yahoo’s words:

"Using JSON and callbacks, you can place the Yahoo! Web Service request inside a <script> tag, and operate on the results with a function elsewhere in the JavaScript code on the page. Using this mechanism, the JSON output from the Yahoo! Web Services request is loaded when the enclosing web page is loaded. No proxy or server trickery is required."

Indeed they have successfully navigated the browser security restrictions, which I should point out is probably fine for Yahoo as ALL their services only expose publicly available data.  However, if a developer coding up an application that contains private data uses the same approach (i.e. Approach 2 or 3) then they have exposed the application to a pretty simple attack.  BTW, I’m defining private data to be any data that should not be publicly accessible to the entire world (this probably covers most data on a corporate intranet but also includes any data that requires authentication prior to access). Here’s an example.

A user logs into a wiki on the corporate intranet.  This wiki provides a JSON API with a callback function (Approach 3).  The user then visits a rogue site on the internet.  The page from the rogue site, when rendered in the user’s browser, performs a JavaScript include of the wiki’s JSON API, passing a callback function (the request carries the user’s wiki session cookie, so the wiki answers as it would for the user). This results in data from the wiki being made available to the rogue site’s JavaScript function in the page via the callback. Further JavaScript on the page can then POST the data back to the rogue site, and so the data can be stolen. Not good.

Approach 1, on the other hand, does not have this vulnerability because it can’t be consumed via a JavaScript include.  If that is attempted, no data is made available to the page: a bare JSON object is not a valid JavaScript statement, so the include simply results in a JavaScript error. Approach 1 is therefore safe for JSON APIs that contain private data.

Recommendation

I’m going to tentatively propose the following recommendation and would welcome feedback.

When developing a JSON API that contains data that should not be publicly accessible to the world, use Approach 1, i.e. return plain JSON.  Update: the JSON returned MUST be of type "Serialized Object" and not of type "Array" (as defined by the JSON spec).  (See the March 5th update below for the rationale behind this change.)  If the data can be publicly exposed then Approaches 2 & 3 have significant advantages in terms of consumability.

Update: March 5th 2007

Joe has pointed out that care still needs to be taken even when using a plain JSON return (Approach 1). From my testing, and as others have pointed out, the vulnerability Joe is referring to only applies when returning JSON of type "array" (section 2.3 of the JSON standard). If you return JSON of type "serialized object" (section 2.2) then, at the moment, I know of no vulnerability.  It’s worth mentioning that arrays can still be present in the JSON as long as they are not at the top level: the example in Approach 1 above is not vulnerable to attack even though it contains an embedded array.  The following structure is vulnerable though

[["ct","Your Name","foo@gmail.com"], ["ct","Another Name","bar@gmail.com"] ]

as Google knows only too well.

Anyway, I have updated my recommendation.  It remains tentative.
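The updated recommendation and the March 5th distinction between a top-level object and a top-level array can be turned into a check you run against your own API responses. The following is an added example, not code from the original post: it takes the post’s three approaches plus the array from the update as constructed sample bodies, reports the top-level JSON type, and tests whether the body would compile if a browser loaded it through a script include. The function and sample names (`compilesAsScript`, `topLevelType`, `classify`, `serializePrivate`, `SAMPLES`) are this example’s own; it runs under Node.js.

```javascript
// Added example (not code from the original post): a response-shape check for
// the post's three approaches and its March 5th update, runnable under Node.js.
// Function and sample names are this example's own.

// The post's Yahoo-style example, kept as the raw text a server would emit.
const imageJson = String.raw`{
  "Image": {
    "Width": 800,
    "Height": 600,
    "Title": "View from 15th Floor",
    "Thumbnail": {
      "Url": "http:\/\/scd.mm-b1.yimg.com\/image\/481989943",
      "Height": 125,
      "Width": "100"
    },
    "IDs": [116, 943, 234, 38793]
  }
}`;

// Constructed sample response bodies, one per approach plus the top-level
// array from the March 5th update.
const SAMPLES = {
  plainObject: imageJson,                           // Approach 1
  varAssignment: 'var result = ' + imageJson,       // Approach 2
  callback: 'callbackFunction(' + imageJson + ')',  // Approach 3
  topLevelArray:
    '[["ct","Your Name","foo@gmail.com"], ["ct","Another Name","bar@gmail.com"]]',
};

// Does the body compile as JavaScript, i.e. could a <script src=...> include
// execute it? `new Function` only compiles the text; nothing is run. A body
// whose first token is `{` is parsed as a block statement, and `"Image":` is
// not a valid statement inside a block, so a top-level JSON object throws.
function compilesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// The JSON spec's top-level type: "object" (serialized object), "array", a
// scalar, or not JSON at all (Approaches 2 and 3 are JavaScript, not JSON).
function topLevelType(body) {
  let value;
  try {
    value = JSON.parse(body);
  } catch (e) {
    return 'not-json';
  }
  if (Array.isArray(value)) return 'array';
  if (value !== null && typeof value === 'object') return 'object';
  return 'scalar';
}

// The post's updated recommendation as one predicate: plain JSON whose
// top-level value is an object and which does not compile as a script.
function classify(body) {
  const type = topLevelType(body);
  const script = compilesAsScript(body);
  return {
    topLevelType: type,
    compilesAsScript: script,
    safeForPrivateData: type === 'object' && !script,
  };
}

// Server side of the recommendation: serialize private data so the top level
// is always an object, wrapping arrays and scalars under a "data" key.
function serializePrivate(value) {
  const isPlainObject =
    value !== null && typeof value === 'object' && !Array.isArray(value);
  return JSON.stringify(isPlainObject ? value : { data: value });
}

// Run stand-alone to see each sample classified.
if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, body] of Object.entries(SAMPLES)) {
    console.log(name, classify(body));
  }
  const wrapped = serializePrivate(JSON.parse(SAMPLES.topLevelArray));
  console.log('wrapped array', classify(wrapped));
}
```

Only the plain object comes out as safe for private data: the `var` and callback forms are not JSON at all and compile as scripts, and the bare array is valid JSON but also a valid JavaScript expression statement, which is exactly what made it loadable cross-site. Wrapping the array under an object key, as `serializePrivate` does, restores the safe shape. The array hijack the update refers to relied on 2007-era browser behaviour (a page redefining the `Array` constructor or property setters to observe a literal being built) that current engines no longer permit, but the syntactic distinction the check exposes is the one that decides whether a response can be pulled in through a script tag at all.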
