Hackers of India

JSON Fuzzing: New approach to old problems

By K v Prashant and Tamaghna Basu on 25 Feb 2011 @ Nullcon

Abstract

JSON (an acronym for JavaScript Object Notation) is a lightweight text-based open standard designed for human-readable data interchange. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition – December 1999. It is derived from the JavaScript programming language for representing simple data structures and associative arrays, called objects. It is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language with parsers available for virtually every programming language.

As we know, Ajax is a web development technique that makes server responses faster by letting client-side scripts retrieve only the data they need instead of a complete web page on each request, which minimizes the data transferred from the server.

These requests usually retrieve an XML-formatted response, which the JavaScript code then has to parse in order to render the results; this complicates the JavaScript code. The idea of JSON (JavaScript Object Notation) is to make the response a specific data structure that the JavaScript code can parse easily. The JSON format is often used for serializing and transmitting structured data over a network connection. It is primarily used to transmit data between a server and a web application, serving as an alternative to XML.

Advantages:

  1. Lightweight data-interchange format
  2. Easy for humans to read and write
  3. Easy for machines to parse and generate
  4. JSON can be parsed trivially using the eval() procedure in JavaScript
  5. JSON libraries exist for: ActionScript, C, C#, ColdFusion, E, Java, JavaScript, ML, Objective CAML, Perl, PHP, Python, Rebol, Ruby, and Lua.

Companies like Google and Yahoo use JSON extensively for web application data exchange. Over the years researchers have found various security issues with JSON technology and its usage. This paper demonstrates various security issues, the corresponding flaws in usage, and their remediation. Vulnerabilities like JSON hijacking and JSON injection will be demonstrated, and we will showcase how to perform penetration testing of JSON based applications. Traditionally, penetration testing tools like TamperData, Paros, WebScarab and even AppScan do not support testing of JSON based applications: these tools only help testers manipulate flat name/value pairs. So, along with presenting this paper, we plan to add JSON support to one of the open-source tools, such as TamperData, and add JSON fuzzing capabilities to it.
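The difference between manipulating flat name/value pairs and fuzzing JSON is that the fuzzer must understand the nested structure. The following is an added example (not code from the talk, TamperData or any other tool named above) of a structure-aware mutator: it walks a parsed JSON document, records the path to every leaf, and emits one test case per leaf for each type-boundary value plus two structural mutations that a name/value tool cannot express. The mutation sets and the sample document are constructed for illustration.

```javascript
// Added example: structure-aware JSON fuzzing for testing your own parsers and
// endpoints. Constructed boundary values, keyed by the JSON type of the leaf.
const MUTATIONS = {
  number: [0, -1, 2 ** 31, -(2 ** 31) - 1, 1e308, 0.1 + 0.2],
  string: ["", "A".repeat(1024), "\u0000", '"', "1"],
  boolean: [true, false, 0, 1, "true"],
  null: [0, "", false, {}, []],
};

// Walk a parsed JSON value and return the key path to every leaf (scalar).
// An empty object or array has no leaves; a bare scalar document has path [].
function leafPaths(value, path = []) {
  if (Array.isArray(value)) return value.flatMap((v, i) => leafPaths(v, [...path, i]));
  if (value !== null && typeof value === "object")
    return Object.keys(value).flatMap((k) => leafPaths(value[k], [...path, k]));
  return [path];
}

// Deep-copy `doc` and replace the leaf at `path` with `replacement`.
function replaceAt(doc, path, replacement) {
  if (path.length === 0) return replacement; // whole document is the leaf
  const copy = JSON.parse(JSON.stringify(doc));
  let node = copy;
  for (const key of path.slice(0, -1)) node = node[key];
  node[path[path.length - 1]] = replacement;
  return copy;
}

// Produce serialized test cases: every (leaf, mutation) pair, plus wrapping the
// leaf in an array and in an object, which changes the type the server sees.
function fuzzJson(jsonText) {
  const doc = JSON.parse(jsonText);
  const cases = [];
  for (const path of leafPaths(doc)) {
    const original = path.reduce((node, key) => node[key], doc);
    const type = original === null ? "null" : typeof original;
    for (const m of MUTATIONS[type] || []) cases.push(JSON.stringify(replaceAt(doc, path, m)));
    cases.push(JSON.stringify(replaceAt(doc, path, [original])));
    cases.push(JSON.stringify(replaceAt(doc, path, { v: original })));
  }
  return cases;
}

// Constructed sample request body, as an Ajax client might send it.
const SAMPLE = '{"user":{"id":42,"name":"bob"},"admin":false,"tags":["a"]}';
console.log(fuzzJson(SAMPLE).length, "test cases generated from", SAMPLE);
```

Each generated case is still well-formed JSON, so the interesting failures come from how the application handles unexpected types, sizes and nesting rather than from syntax errors.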