[langsec-discuss] Safe parser, unsafe data

travis+ml-langsec at subspacefield.org
Fri Apr 24 01:50:15 UTC 2015


On a tangential note, this guy had an interesting presentation:

https://vimeo.com/54209287
Abraham Kang, "Web Framework Vulnerabilities"

He said that the more he looks, the more he finds "mass assignment"
vulnerabilities in these frameworks, often during object creation.

He said in particular that if an entity has a pointer into another table,
assigning to the object during serialization could also often
cross over into the referent and overwrite an entity in an entirely
different table.

I looked briefly into known JSON vulns.  A few notes on this:

JavaScript has weird operators.  I get the feeling the ECMA standard
was more-or-less back-engineered from an ad-hoc design:
https://dorey.github.io/JavaScript-Equality-Table/

Furthermore, there are some subtleties of type confusion (something
obscure but one of the few possible COBOL vulnerabilities) which
should be apparent from looking at that table.

Generally:
https://blog.whitehatsec.com/handling-untrusted-json-safely/

Problems with whitelisting:
http://stackoverflow.com/questions/19687443/security-vulnerability-caused-by-unicode-escapes-in-decoupled-json-service

Old browser interactions:
http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx/
http://haacked.com/archive/2009/06/25/json-hijacking.aspx/

Ruby magic regarding mass assignment & namespace issues & handler-things:
https://www.ruby-lang.org/en/news/2013/02/22/json-dos-cve-2013-0269/

Interaction with SQLi:
http://blog.kazuhooku.com/2014/07/the-json-sql-injection-vulnerability.html

This looks like a possible countermeasure in Java:
https://www.owasp.org/index.php/OWASP_JSON_Sanitizer
https://code.google.com/p/json-sanitizer/
-- 
http://www.subspacefield.org/~travis/
"Computer crime, the glamor crime of the 1970s, will become in the
1980s one of the greatest sources of preventable business loss."
John M. Carroll, "Computer Security", first edition cover flap, 1977
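The mass-assignment pattern described in the post, as an added example that is not from the post or from Kang's talk: a naive "copy every key from the JSON body onto the entity" binder beside an allowlisted, type-checked one. The in-memory tables, the recursive-merge binder and the request body are all constructed for illustration; the point is that a recursive merge follows the user's reference into the account row, while the allowlist binder never follows nested objects and checks types with `typeof` rather than the loose `==` the post's equality table warns about.

```javascript
// Added example (not from the post or the linked talk): mass assignment
// on a JSON request body, shown as a naive binder beside an allowlisted,
// type-checked one. Plain Node.js, no framework; all data is constructed.

// Fresh in-memory "tables" for each run. The user row holds a reference to
// an account row, mirroring the "pointer into another table" case.
function makeTables() {
  const account = { id: "acct42", balance: 100 };
  const user = { id: "u1", name: "alice", role: "user", account };
  return { account, user };
}

// Naive binder: every key the client sent is copied onto the entity, and a
// nested object is merged recursively, which is what many "update from
// params" helpers do. The recursion walks straight into the referent.
function naiveUpdate(target, patch) {
  for (const [k, v] of Object.entries(patch)) {
    const nested = v !== null && typeof v === "object" && !Array.isArray(v);
    const existing = target[k] !== null && typeof target[k] === "object";
    if (nested && existing) {
      naiveUpdate(target[k], v); // crosses into the referenced row
    } else {
      target[k] = v;
    }
  }
  return target;
}

// Hardened binder: a per-entity schema of writable fields and their JSON
// types. Unknown keys are dropped, nested objects are never followed, and
// the type check uses typeof rather than ==, since "1" == 1 is true in JS
// and a loose check would let a string-typed value pass as a number.
const userSchema = { name: "string", age: "number" };

function safeUpdate(target, patch, schema) {
  const rejected = [];
  for (const [k, v] of Object.entries(patch)) {
    if (!Object.prototype.hasOwnProperty.call(schema, k) || typeof v !== schema[k]) {
      rejected.push(k); // unknown field or wrong JSON type
      continue;
    }
    target[k] = v;
  }
  return rejected;
}

// Constructed request body: a legitimate name change plus extra keys aimed
// at the role field and at the referenced account row, and an age sent as
// a string rather than a number.
const BODY = '{"name":"mallory","role":"admin","age":"30","account":{"balance":999999}}';

function runNaive() {
  const { account, user } = makeTables();
  naiveUpdate(user, JSON.parse(BODY));
  return { role: user.role, balance: account.balance, age: user.age };
}

function runSafe() {
  const { account, user } = makeTables();
  const rejected = safeUpdate(user, JSON.parse(BODY), userSchema);
  return { name: user.name, role: user.role, balance: account.balance, age: user.age, rejected };
}

console.log("naive:", runNaive()); // role and referenced balance overwritten
console.log("safe:", runSafe());   // only name changes; role, age, account rejected
```

The returned `rejected` list is what you would log or surface in a 400 response; silently dropping unknown keys hides probing of the binder, so recording them is the cheap detection that comes with the fix.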