Questions tagged [json]

JSON (JavaScript Object Notation) is an open standard for encoding data in both human-readable and machine-readable form, usually for transmission to or from a web API. Use this tag for security issues relating to the format itself, or where the fact that the data is JSON-formatted is core to the question. For questions about web APIs where the security issue does not depend on the data format, please use [api].

122 questions
73 votes, 6 answers

Why would I ever use AES-256-CBC if AES-256-GCM is more secure?

I guess the gist of my question is: Are there cases in which CBC is better than GCM? The reason I'm asking is that from reading this post by Matthew Green, and this question on cryptography stack exchange, and this explanation of an attack on XML…
42 votes, 3 answers

How should web app developers defend against JSON hijacking?

What is the best defense against JSON hijacking? Can anyone enumerate the standard defenses, and explain their strengths and weaknesses? Here are some defenses that I've seen suggested: If the JSON response contains any confidential/non-public…
D.W.
40 votes, 4 answers

Can I prevent a replay attack of my signed JWTs?

I have implemented a stateless auth over HTTP in Laravel, using JWTs. I send my username/password from the frontend. Server authenticates user, sends back a signed JWT with an expiry time. I'm using the HS512 algorithm to sign with a private key…
Aditya M P
40 votes, 3 answers

How does JTI prevent a JWT from being replayed?

According to the JWT RFC a JWT can optionally have a JTI which I interpret to be a unique ID for a JWT. It seems like a UUID is a good value for a JTI. The RFC claims that the JTI can be used to prevent the JWT from being replayed. Two…
ams
38 votes, 2 answers

CSRF with JSON POST

I am playing around with a test application which accepts JSON requests and response is also JSON. I am trying to do a CSRF for a transaction which accepts only JSON data with POST method in request. Application throws an error if URL is requested…
Sachin Kumar
34 votes, 1 answer

JSON Web Tokens - How to securely store the key?

I was building a RESTful Web Service when I came across JSON Web Tokens as an alternative to traditional cookies for authentication. The conceptual core of this method is that the server is the only agent that knows the secret key used to digest…
NMO
30 votes, 2 answers

Important data can be modified from the developer console. What should I do?

Scenario: I have a to-do list that is generated with JavaScript using JSON that was encoded on the server side. I put the todo item id in the HTML id attribute. So the process goes like this: Server side code creates a todo array. Serialize array…
user3079341
28 votes, 3 answers

Security risks with JSONP?

What are the security risks with JSONP? Is using JSONP in a new web application reasonable, from a security perspective, or is it better to use a different method for cross-origin web mashups? If using JSONP is reasonable, what steps should I take…
D.W.
24 votes, 4 answers

What is the difference between JWT and encrypting some JSON manually with AES?

What is the difference between using a JSON Web Token (JWT) and simply having an AES key and sending and receiving encrypted JSON from the client? For example, this could be sent to the client: AES256.encrypt(JSON.stringify({id: 5552, admin:…
FLUSHER
22 votes, 1 answer

How does a CSRF token prevent an attack, and how can I safely use/avoid it for my JSON API?

I'm trying to make an iOS app communicate with a Ruby on Rails website using JSON. While trying to post a login to create a user session, I discovered I was missing a CSRF token. I had no idea what that is at all, so I started looking into it, and…
Dan2552
21 votes, 5 answers

Compromised JSON Web Token (JWT) Bearer Token

We are implementing a REST service that requires authentication and authorization. Because of the stateless nature of REST APIs, we want to use JWT to make authenticated calls to the API through a token, without the need to hit a database for each…
BausNauf
19 votes, 1 answer

How does including a magic prefix to a JSON response work to prevent XSSI attacks?

While working on a project that used the REST API for Gerrit Code Review I noticed that they do something that I thought was strange Source: To prevent against Cross Site Script Inclusion (XSSI) attacks, the JSON response body starts with a magic…
ecnepsnai
18 votes, 3 answers

Securing a multi-tenant, multi-database REST API

I am looking to improve the security of an existing REST API accessed over SSL. The web service is multi-tenant, such that each tenant has an assigned TenantId. The problem I am facing can be summarized as: How can I determine the tenant? How can I…
Rebecca
17 votes, 1 answer

Why doesn't the JSON Hijacking attack work in modern browsers? How was it fixed?

I understand JSON Hijacking vulnerabilities have been fixed in all modern browsers, but how exactly? There are many articles that talk about techniques to prevent JSON Hijacking attacks (i.e. prepending while(1); like Google does), but no one has…
fbid
15 votes, 3 answers

CSRF with JSON POST when Content-Type must be application/json

I am testing a web application for which business actions are done by sending JSON requests like, for example: POST /dataRequest HTTP/1.1 Host: test.com User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept:…
user187205