TL;DR

The same JSON document can be parsed with different values across microservices, leading to a variety of potential security risks. If you prefer a hands-on approach, try the labs and when they scare you, come back and read on.

INTRODUCTION: MORE PARSERS, MORE PROBLEMS

JSON is the backbone of web application communications. Its simplicity is often taken for granted, and we don't usually consider JSON parsing as part of our threat model. However, in our modern, multi-language, microservice architectures, our applications often rely on several separate JSON parsing implementations, each of which has its own quirks.

As we've seen through attacks like HTTP request smuggling, discrepancies across parsers combined with multi-stage request processing can introduce serious vulnerabilities. In this research, I conducted a survey of 49 JSON parsers, cataloged their quirks, and present a variety of attack scenarios and Docker Compose labs to highlight their risks. Through our payment processing and user management examples, we will explore how JSON parsing inconsistencies can mask serious business logic vulnerabilities in otherwise benign code.

WHY ARE THERE PARSING INCONSISTENCIES?

Official and Alternative Specs

Even in the best-case implementation, there are inevitably minor, unintentional deviations from specifications. JSON parsers, however, face a couple of additional challenges. Even within the official JSON RFC, there is open-ended guidance on a few topics: names within an object SHOULD be unique, but the RFC only observes that implementations behave differently when they aren't (many keep the last pair, others report an error, some keep all of them); and implementations are explicitly allowed to set their own limits on the range and precision of numbers. Although this guidance is followed by disclaimers about interoperability, most users of JSON parsers aren't aware of these caveats.

One contributing factor to inconsistencies among parsers is the differing specifications:

- IETF JSON RFC (8259 and prior): This is the official Internet Engineering Task Force (IETF) specification.
- ECMAScript Standard: Changes to JSON are released in lockstep with RFC releases, and the standard refers to the RFC for guidance on JSON. However, non-spec conveniences provided by the JavaScript interpreter, such as quoteless strings and comments, have inspired many parsers.
- JSON5: This superset specification augments the official specification by explicitly adding convenience features (e.g., comments, alternative quotes, quoteless strings, trailing commas).
- HJSON: Similar to JSON5 in spirit, but with different design choices.
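As an added example (not code from the original article or its labs), the Python block below runs the standard-library json module over constructed documents that hit exactly the grey areas just described: duplicate names, numbers outside IEEE 754 double range, the non-RFC NaN/Infinity literals, and the JSON5 conveniences (comments, trailing commas, single quotes). It contrasts the default, lenient loader with a strict loader built from the hooks json.loads already exposes. The 2**53 integer bound is a policy choice taken from the interoperability note in RFC 8259 section 6, not something the RFC mandates; the AmbiguousJSON class and the probe documents are constructed for this example.

```python
"""Probe the RFC 8259 grey areas (duplicate names, number range) and the
non-spec conveniences (NaN/Infinity, comments, trailing commas) against
Python's json module, and contrast the default, lenient behaviour with a
strict loader that refuses ambiguous documents instead of guessing.

Added example, not from the original article. The sample documents below
are constructed for illustration.
"""
import json
import math
from typing import Any, Callable, Tuple

# RFC 8259 section 6 notes that integers within +/-(2**53 - 1) survive a round
# trip through an IEEE 754 double, so this is the range a multi-parser pipeline
# can rely on. Enforcing it is a policy choice, not an RFC requirement.
INTEROP_INT_MAX = 2**53 - 1


class AmbiguousJSON(ValueError):
    """Document that parsers are known to interpret differently."""


def lenient_load(doc: str) -> Any:
    """Default json.loads: last duplicate name wins, NaN/Infinity accepted,
    oversized exponents silently become inf, integers are unbounded."""
    return json.loads(doc)


def _reject_duplicates(pairs):
    # object_pairs_hook receives every (name, value) pair of an object in
    # source order, including repeats that dict() would silently collapse.
    obj = {}
    for name, value in pairs:
        if name in obj:
            raise AmbiguousJSON(f"duplicate name {name!r}")
        obj[name] = value
    return obj


def _reject_constant(literal: str):
    # parse_constant is only invoked for the non-RFC literals NaN, Infinity, -Infinity.
    raise AmbiguousJSON(f"non-RFC literal {literal}")


def _finite_float(text: str) -> float:
    value = float(text)
    if not math.isfinite(value):
        raise AmbiguousJSON(f"{text} does not fit an IEEE 754 double")
    return value


def _interop_int(text: str) -> int:
    value = int(text)
    if abs(value) > INTEROP_INT_MAX:
        raise AmbiguousJSON(f"{text} exceeds the 2**53 interoperable range")
    return value


def strict_load(doc: str) -> Any:
    """Reject every construct on which parsers are known to disagree."""
    return json.loads(
        doc,
        object_pairs_hook=_reject_duplicates,
        parse_constant=_reject_constant,
        parse_float=_finite_float,
        parse_int=_interop_int,
    )


def outcome(loader: Callable[[str], Any], doc: str) -> Tuple[str, Any]:
    """("ok", value) on success, ("error", exception class name) otherwise."""
    try:
        return ("ok", loader(doc))
    except ValueError as exc:  # JSONDecodeError and AmbiguousJSON both derive from ValueError
        return ("error", type(exc).__name__)


def probe(doc: str) -> Tuple[Tuple[str, Any], Tuple[str, Any]]:
    """Compare the lenient and strict loaders on one document."""
    return outcome(lenient_load, doc), outcome(strict_load, doc)


# Constructed probe documents, one per interoperability grey area.
PROBES = {
    "duplicate name": '{"qty": 1, "qty": -1}',
    "huge exponent": "1e400",
    "negative zero": "-0",
    "integer beyond 2**53": "9007199254740993",
    "NaN literal": "NaN",
    "Infinity literal": "Infinity",
    "line comment (JSON5)": '// comment\n{"a": 1}',
    "trailing comma (JSON5)": "[1, 2,]",
    "single quotes (JSON5)": "{'a': 1}",
}

if __name__ == "__main__":
    for label, doc in PROBES.items():
        lenient, strict = probe(doc)
        print(f"{label:24} lenient={lenient!r:34} strict={strict!r}")
```

Running it shows the shape of the problem: the duplicate-name document parses cleanly to {"qty": -1}, 1e400 becomes inf, -0 comes back as the integer 0 with its sign gone, and 9007199254740993 is preserved exactly because Python integers are unbounded, while a parser backed by doubles would round it. The JSON5 conveniences are rejected by Python, but a neighbouring service using a JSON5-tolerant parser would accept them. The strict loader does not make the other parsers agree; it makes the ingress refuse anything the downstream parsers might read differently, which is the defensive pattern the rest of the article motivates.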