Questions tagged [json]

JSON (JavaScript Object Notation) is an open standard for encoding data in both human-readable and machine-readable form, usually for transmission to or from a web API. Use this tag for security issues relating to the format itself, or where the fact that the data is json-formatted is core to the question. For questions about web APIs where the security issue does not depend on the data format, please use [api]

122 questions

12 votes, 2 answers

XSS via JSON: Why does a web application not sanitize either its incoming params hash or its outgoing JSON values of malicious tags like Script?

Recently, working on a Rails-based web application for a company, I had to look into an XSS vulnerability. It turns out that the application, in some places, could take an HTML tag (e.g., directly as a parameter in GET or…
rcd

11 votes, 4 answers

JSON API response flagged as XSS by vulnerability scanner. Is this a false positive?

When a user attempts to access any URL without authentication (including a non-existent URL), my web service returns an HTTP 401 response. This response is JSON encoded, and the body of this response contains the path requested by the user,…
Josh P

10 votes, 1 answer

Randomly generated token vs JSON web token

I'm trying to secure access to my web server. I have been implementing a JSON web token authentication where I randomly generate a secretkey and associate it with that user. The secretkey will then be used to encode the JSON web token. Then the user…
Big yellow duck

10 votes, 3 answers

Symmetric or asymmetric encryption for JSON Web Token?

We're planning on using JSON Web Tokens (JWT) for our authentication server, and I am currently evaluating which encryption approach to take for the JWE token. There appear to be two options for managing the symmetric encryption…
Greg Beech

10 votes, 3 answers

How can I prevent reflected XSS in my JSON web services?

I have a web service that takes POST data (JSON) and returns part of the request object in the JSON response. This is open to XSS if the response is rendered as HTML by the browser since someone could add arbitrary HTML to the request object. What…
Flash

9 votes, 1 answer

Designing single-sign-on with JSONP/CORS?

I like the way that OAuth/OpenID can authenticate/identify a user from another domain, but only if the other domain allows it (presumably on the user's instructions). I would like to do something similar, but using CORS AJAX or an alternative like…
cloudfeet

9 votes, 4 answers

Is a backend API server vulnerable to CSRF?

We recently ran a Veracode SAST scan on our application and discovered that it has a CSRF. However, I wanted to check whether this is really true or it's just a false positive. Our application is a pure backend server. Serving JSON APIs to the…
Saif

8 votes, 1 answer

Passing PHP code directly into JavaScript in HTML5

I want to pass a PHP string directly to a JavaScript variable and keep the load on the server to a minimum. I have the following JavaScript in a PHP file for doing this: ...
flen

7 votes, 3 answers

Encoding output in JSON HTTP API

I'm the author of a JSON REST API. This REST API is consumed by various clients, such as HTML/JS-clients, .NET clients (console applications) and Ruby clients. The output of the API is in JSON format, so it's formatted according to JSON rules and…
Nitradamus

7 votes, 1 answer

Can this self-XSS be extended?

I have a textbox which makes a call to an API every time the text has changed. The API returns JSON but executes any JavaScript within the JSON returned (tested with Alert()). This textbox value is not persistent, so saving does not result in a stored…
iso123

6 votes, 1 answer

Benefit to specifying JSON Content-Type character set?

According to the OWASP Application Security Verification Standard: V11.3 Verify that every HTTP response contains a content type header specifying a safe character set (e.g., UTF-8). According to the RFC for the application/json Media…
oggmonster

6 votes, 1 answer

Does returning Access-Control-Allow-Origin: * weaken the security of JSON GET responses?

The W3C CORS recommendation states: Certain types of resources should not attempt to specify particular authorized origins, but instead either deny or allow all origins. ... 3. A GET response whose entity body happens to parse as …
Matt McClure
6
votes
3 answers

XSS : Content-type: application/json

Background information:
  • Application responds to a request to a particular URL with content-type: application/json
  • JSON response contains a parameter from the request
  • Escapes the quote with a slash
  • Doesn't do an eval on response
  • Responds to requests…
Sachin Kumar
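Several of the questions listed above turn on the same two controls: the Rails XSS-via-JSON question, the 401 response flagged by a scanner, the reflected-XSS-in-JSON-web-services question, the charset question and the application/json XSS question directly above all come down to what the server does to reflected values inside the JSON body and which headers it sends with it. The following is an added Node.js example, not code from any of those questions or from any project they mention; the response object shape, the `auditJsonResponse` checks and the probe path are assumptions made for illustration.

```javascript
// Added example (not code from any question on this page): emitting a JSON
// response that echoes untrusted request data without creating an XSS sink,
// plus a small audit of the things a scanner looks at before flagging it.

// JSON.stringify already escapes quotes, backslashes and control characters.
// The characters an HTML parser cares about (<, >, &) and the two line
// terminators that break inline <script> embedding (U+2028, U+2029) are
// additionally emitted as \uXXXX escapes. The output is still valid JSON and
// JSON.parse returns the original value unchanged.
const HTML_SENSITIVE = /[<>&\u2028\u2029]/g;
const ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

function safeJsonStringify(value) {
  return JSON.stringify(value).replace(HTML_SENSITIVE, (ch) => ESCAPES[ch]);
}

// Headers that stop a browser from rendering the body as HTML at all: the
// correct media type with an explicit charset (what ASVS V11.3 asks for) and
// nosniff so MIME sniffing cannot reinterpret the body.
function jsonResponseHeaders() {
  return {
    'Content-Type': 'application/json; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
  };
}

// Mirrors the 401 scenario from the scanner question above: the requested
// path, which the client controls, is echoed back in the JSON body.
function unauthorizedResponse(requestedPath) {
  return {
    status: 401,
    headers: jsonResponseHeaders(),
    body: safeJsonStringify({ error: 'unauthorized', path: requestedPath }),
  };
}

// Reproduces the checks a scanner applies before reporting a reflected value.
// Returns an empty list when the response is safe to echo untrusted data.
function auditJsonResponse(response) {
  const findings = [];
  const contentType = String(response.headers['Content-Type'] || '').toLowerCase();
  if (!contentType.startsWith('application/json')) {
    findings.push('Content-Type is not application/json');
  }
  if (!/charset=utf-8/.test(contentType)) {
    findings.push('Content-Type does not declare charset=utf-8');
  }
  if (String(response.headers['X-Content-Type-Options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('missing X-Content-Type-Options: nosniff');
  }
  if (/[<>]/.test(response.body)) {
    findings.push('body contains raw < or > from reflected input');
  }
  return findings;
}

// Constructed sample: the kind of path a scanner sends to probe for reflection.
const PROBE_PATH = '/<script>alert(1)</script>';

function demo() {
  const hardened = unauthorizedResponse(PROBE_PATH);
  // A response that only uses JSON.stringify and claims text/html, as a
  // misconfigured endpoint might: here the same probe really is reflected.
  const weak = {
    status: 401,
    headers: { 'Content-Type': 'text/html' },
    body: JSON.stringify({ error: 'unauthorized', path: PROBE_PATH }),
  };
  return {
    hardenedBody: hardened.body,
    hardenedFindings: auditJsonResponse(hardened),
    weakFindings: auditJsonResponse(weak),
    roundTrip: JSON.parse(hardened.body).path === PROBE_PATH,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The audit of the `weak` response is the scanner's reasoning made explicit: escaping the quote with a backslash says nothing about `<` and `>`, and if the body can be rendered as HTML (wrong media type, or a browser that sniffs) a reflected `<script>` is a real finding, not a false positive. The hardened response removes both conditions, and the `roundTrip` check confirms that the extra escaping costs nothing for JSON consumers.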

5 votes, 3 answers

ADFS 2012 R2 (3.0) JSON web token validation

Our client would like for us to utilize ADFS 2012 R2 (aka 3.0) as the primary means for two security features in internal apps that we are building: The web app (there are two .NET & Angular) and an iOS app will use the OAUTH flow within ADFS Upon…
soglm

5 votes, 2 answers

JavaScript eval() to parse JSON after sanitizing with regexes — is XSS possible?

Is it possible to bypass my regex and execute any JavaScript?