Questions tagged [json]

JSON (JavaScript Object Notation) is an open standard for encoding data in both human-readable and machine-readable form, usually for transmission to or from a web API. Use this tag for security issues relating to the format itself, or where the fact that the data is json-formatted is core to the question. For questions about web APIs where the security issue does not depend on the data format, please use [api]

122 questions
5 votes, 3 answers

XSS breaking out of JSON.parse and href attribute

I have a pretty complicated case where I try to perform a stored XSS attack when uploading a jpg file with a malicious filename. Whitespace is being filtered, but it seems single and double quotes along with < > are not filtered. Moreover, slash / and…
XII
5 votes, 0 answers

Is there a good way to store OAuth2 tokens for a native application?

Currently I have a native PC application that builds and uploads a configuration to an embedded Linux device (i.e. the client). This device connects to Google Calendar via their OAuth2 API. The configuration requires: A resource owner to login to…
Mogarrr
5 votes, 1 answer

Preventing replay attacks with JWT

I am currently building a RESTful API that will be used for a web and mobile app. Authentication to the API will be done using JSON Web Tokens. When using JWT, we can use the exp claim to expire the token after a specific time. This, combined with…
BenM
4 votes, 1 answer

Request signing for REST API

I am building a REST API that will receive requests like: GET /api/entities GET /api/entities?filter=X&sort=Y This seems straightforward: have the client HMAC(path + query, key), send me a key identifier and HMAC in a header or something, and then…
Jason
4 votes, 1 answer

Is there a benefit of using stateless JWT over SHA256 hash for API tokens?

Does it make sense to use stateless JWT (without persistent storage) over plain SHA256? Example scenario: User logs in User token generated as follows: a. JWT.encode(userId, 'secret') or b. SHA256(userId + 'secret') Client app sends request with…
SyBer
4 votes, 1 answer

REST API stateless authentication using social login

I am implementing a REST API for our mobile applications in which users will log in using the SDKs of various social media. Currently, the login strategy is as follows: The token(s) (access_token in case of Facebook, access_token and refresh_token in…
akashg
4 votes, 1 answer

How secure is HMAC

I'm building a RESTful stateless API and I'm using a token for authentication. The problem I'm having is I'm not sure how secure HMAC is. I'm using a JSON Web Token library that lets me encrypt and decrypt the data I pass in. Basically, the way…
4 votes, 1 answer

Is JSON Hijacking different than JSONP injection?

I am quite confused while understanding these two vulnerabilities. How are JSONP-related vulnerabilities different from JSON Hijacking?
PenGeek
4 votes, 1 answer

Reflected XSS via JSON executed with Burp, but how to do it in realistic conditions?

I am testing a scenario with Burp proxy. I am located on a website https://website.com/web There's an option there to delete an item; when you click it, a certain POST request is sent (XMLHttpRequest, no page refresh is happening) where I can…
fing
4 votes, 1 answer

XSS not exploitable when POST data is sent in JSON?

There is a reflected XSS flaw in an application I am testing. Initially, the payload is sent in POST request as value of a JSON key and the response is also a JSON object. The returned value in the JSON object is directly used by client side…
entropy
3 votes, 2 answers

Assuring Client is Authorized to use JSON Web Token

JSON Web Tokens (JWT) are server-signed objects that the issuing server uses to identify a user, track session data and authorize requests. The fact that JWTs are server-signed gives assurance that the token was produced by someone with access to…
StudentsTea
3 votes, 1 answer

Choosing token over session or vice versa?

I wanted to build a secure user interaction with the server, but I stumbled upon using either token or session. Here are a couple of options that I thought about: I learned JWT, built a token, and sent it back and forth between server and client in my…
Rockink
3 votes, 2 answers

Token-based authentication attacks

JSON Web Token seems to be a very good tool to authenticate users. But I wonder if an attacker can take the token used by another user and use it for his own attacks. And, to be more precise, what makes this method more secure?
Yazid
3 votes, 1 answer

How is JWT implemented?

I'm using django-rest-framework-jwt in one of my APIs. As you might know, the concept is simple: you send username and password and you get a token back. The token is not stored anywhere on the server. By sending the token in the header of…
Sam R.
3 votes, 2 answers

Sending data from Android client to database

I have created an Android app which sends data to a web service. Right now the user sends his test results (test id, test name, test time, and user ID). The problem is that I send the data from the client to the web service in JSON; the web service…
user63843