
JSON and Security

When implementing JSON as a form of data exchange between server and
client, what security measures do I need to consider? For example, I
have XMLHttpRequest returning JSON text from the server and eval()
converts the string to a JavaScript object. I heard about problems with
"eval" and the idea of using "magic cookies" to avoid attacks. Anyway,
what should I consider?
Thanks.
Feb 14 '08 #1
vunet wrote:
When implementing JSON as a form of data exchange between server and
client, what security measures do I need to consider? For example, I
have XMLHttpRequest returning JSON text from the server and eval()
converts the string to a JavaScript object. I heard about problems with
"eval" and the idea of using "magic cookies" to avoid attacks. Anyway,
what should I consider?
Thanks.
Quite a few topics on it here:

http://www.google.com/search?q=json+security+eval
Feb 14 '08 #2
On 14 Feb., 21:04, Stevo <ple...@spam-me.com> wrote:
vunet wrote:
When implementing JSON as a form of data exchange between server and
client, what security measures do I need to consider? For example, I
have XMLHttpRequest returning JSON text from the server and eval()
converts the string to a JavaScript object. I heard about problems with
"eval" and the idea of using "magic cookies" to avoid attacks. Anyway,
what should I consider?

This blog post (including the referenced paper) and the following
discussions are quite useful:

http://www.schneier.com/blog/archive...pt_hija_1.html

The above (including links) is where to go, but my understanding is
the following:

Basically, there isn't anything insecure about JSON by itself; just
make sure you check that it is actually valid JSON before you eval it!
However, the combination of a certain type of attack called Cross Site
Request Forgery (CSRF) and JSON is particularly unfortunate. If you
can stop CSRF (and XSS) in your web application there should be no
problems using JSON. The "magic cookies" you heard about are probably
about stopping CSRF, and as such have nothing to do with JSON.

However, if you are not sure that you can stop CSRF attacks, then you
might have slightly more security by using (say) XML instead of JSON
as the data exchange format, as this removes a few JSON-specific
attacks (though XML alone with no CSRF protection isn't secure either,
in general). The most important question to answer first is: is the
data being exchanged "public" or "sensitive"? In case it is public,
you probably don't have to worry about the data-exchange format too
much.

Regards,
- Karl
Feb 14 '08 #3
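The two points Karl makes above, checking that the text really is JSON before it is evaluated and stopping CSRF so that a cross-site script tag cannot pull sensitive JSON, can be shown together in a small piece of JavaScript. This is an added example, not code from the thread, from the linked Schneier post or from any library; the names isJsonText, parseJsonResponse, handleJsonRequest and readJsonResponse, the request and session shapes, the "x-csrf-token" header and the sample data are all this example's own assumptions. The syntactic check follows the well-known regex approach used by json2.js (strip escapes, strings, numbers and literals, then require that only structural characters remain); the server side requires a POST with a custom header and a per-session token (the "magic cookie"), and frames the body with a prefix that makes it useless as a script.

```javascript
// Added example: gate untrusted JSON text and refuse forged requests.
// All names, header choices and sample values are assumptions of this example.

// 1. Syntactic check modelled on the json2.js approach. Escapes become "@",
//    strings/literals/numbers become "]", leading "[" runs are dropped, and
//    only [ ] , : { } and whitespace may remain. Anything else is not JSON
//    and must never be handed to eval().
function isJsonText(text) {
  const stripped = text
    .replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@")
    .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]")
    .replace(/(?:^|:|,)(?:\s*\[)+/g, "");
  return /^[\],:{}\s]*$/.test(stripped);
}

// 2. Parse only after the check. JSON.parse never runs code; a legacy
//    eval("(" + text + ")") would execute whatever an attacker slipped in,
//    which is exactly why the gate in step 1 has to come first.
function parseJsonResponse(text) {
  if (!isJsonText(text)) {
    throw new Error("response is not JSON; refusing to evaluate it");
  }
  return JSON.parse(text);
}

// 3. Server side (assumed minimal request object: { method, headers }).
//    A cross-site <script src=...> can only issue a GET, cannot set custom
//    headers and does not know the per-session token, so it fails every check.
const PREFIX = "while(1);";                             // body is not runnable as a script
const SESSION = { csrfToken: "constructed-token-123" }; // constructed sample session
const ACCOUNT = { owner: "vunet", balance: 42 };        // constructed sensitive data

function handleJsonRequest(req, session) {
  if (req.method !== "POST") return { status: 405, body: "" };
  if (req.headers["x-requested-with"] !== "XMLHttpRequest") return { status: 403, body: "" };
  if (req.headers["x-csrf-token"] !== session.csrfToken) return { status: 403, body: "" };
  return { status: 200, body: PREFIX + JSON.stringify(ACCOUNT) };
}

// 4. Client side: only XHR code can strip the prefix before parsing.
function readJsonResponse(res) {
  if (res.status !== 200) throw new Error("request refused: " + res.status);
  if (!res.body.startsWith(PREFIX)) throw new Error("unexpected response framing");
  return parseJsonResponse(res.body.slice(PREFIX.length));
}

// Constructed requests: a legitimate XHR call and a forged cross-site fetch.
const LEGIT_REQUEST = {
  method: "POST",
  headers: { "x-requested-with": "XMLHttpRequest", "x-csrf-token": SESSION.csrfToken },
};
const FORGED_REQUEST = { method: "GET", headers: {} };

console.log(readJsonResponse(handleJsonRequest(LEGIT_REQUEST, SESSION)));
console.log("forged request status:", handleJsonRequest(FORGED_REQUEST, SESSION).status);
```

The token check is what "magic cookies" buys you; the prefix and header checks are belt-and-braces against the JSON-hijacking variant of CSRF that the linked paper describes, and the isJsonText gate is the "check that it is actually valid JSON before you eval it" advice made concrete.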


