How to use JSON Sanitizer at Server Side?

Asked 22/4, 2015 at 8:20 Answered 16/2, 2021 at 21:13

Solved json owasp sanitization jsonexception

I want to implement the 'JSON Sanitizer' validation as mentioned by OWASP. My understanding is that this needs to be done in two places:

JSON data (in Request) received from Client or Other Systems - This needs to be sanitized at Server side before being processed
JSON data (in Response) to be sent to Client - This needs to be sanitized at Server side before being sent to client

Is it sufficient that I just call a sanitizing method in JSON Sanitizing library on that JSON Data ?

Will that perform all sanitization or are there any other validations to be done in this regard ?

Hatfield answered 22/4, 2015 at 8:20 Comment(0)

The OWASP JSON Sanitizer converts JSON-like input to syntactically valid & embeddable JSON.

It is typically used to take “JSON” produced by ad-hoc methods on the server like

"{ \"output\": " + stringOfJson + " }"

and make sure it's syntactically valid so that it can be passed to JSON.parse on the client, and embeddable so that it can be embedded in a larger HTML or XML response like

<script>var jsonUsedByScriptsOnPage = {$myJson};</script>

You can definitely use it on your server if your clients are likely to send dodgy JSON.

Note that your server still needs to treat the JSON as untrusted just as it would any other string it receives in a response that does not arrive with valid credentials.

https://github.com/OWASP/json-sanitizer#security explains

sanitizing JSON cannot protect an application from Confused Deputy attacks
var myValue = JSON.parse(sanitizedJsonString);
addToAdminstratorsGroup(myValue.propertyFromUntrustedSource);

Galvanize answered 27/4, 2015 at 15:19 Comment(6)

this helps. so how can ensure that the JSON Payload does not have any malicious script to do attacks like XSS ? is there any other library that can validate if the JSON payload has any script content ? – Hatfield 28/4, 2015 at 3:34

by >dodgy< do you mean incorrect format or malicious content (but correctly formatted) ? – Hatfield 28/4, 2015 at 11:7

@yathirigan, Both. If an otherwise trustworthy client sends you JSON composed by ad-hoc methods, '{ "secret": "' + secret + '", "foo": "' + foo + '" }' then an attacker could cause that client to send you a message that violates some contract between you. For example, if they cause foo to be '\", \"otherProperty\": \"value' then they've effectively introduced a property that the client did not expect to be there. No amount of sanitization that sees only the string can reinforce property or object boundaries. – Galvanize 28/4, 2015 at 13:11

The library does well, but doesn't cope with quotes screening - it splits string into several fields instead. Had to write own JsonUtils.sanitize(). – Hierophant 12/10, 2020 at 12:21

@Hierophant We are also at the point writing our own method. Are you able to share yours? – Marola 15/2, 2021 at 17:12

@Marola see my answer below - https://mcmap.net/q/1320090/-how-to-use-json-sanitizer-at-server-side. I've started with an expanding directed approach, see if it's not too limiting for you. – Hierophant 15/2, 2021 at 17:45

The OWASP JSON Sanitizer doesn't cope with quotes screening - it splits string into several fields instead. So I've written own sanitize method, quite primitive though - if you see any security caveats, I'm open to suggestions, please share.

/**
 * Helper methods to validate data.
 */
@UtilityClass
public class ValidationUtils {

/**
 * Removes disallowed symbols from string to prevent input injection.
 * @param input User input with possible injection.
 * @return Value without injection-sensible symbols.
 */
public String sanateInjection(String input){
    return input.replaceAll("[^A-Za-z0-9 ]", "");
  }
}

Hierophant answered 15/2, 2021 at 17:43 Comment(2)

This filters out everything which is not an alphanumerical character (and blank). Where do you apply it to? To the full json string? Or to values only? Because this filters out many valid characters like .,;-_= I mean if you run this, your strings are definitely save ;-) – Marola 16/2, 2021 at 10:22

Yupp. Only to field input, usually alphanumeric. You have to expand logics if you expect text input with chars that could be used to create an injection attack. – Hierophant 16/2, 2021 at 13:35

I want to know whether some json string contains <script> tags which can later be used to execute dynamic content. But since the return value of the sanitize()method would escape it there is no way to detect whether something like that is in there. So the following works for me:

public static String checkJsonForScripts(String input) {
    if (!JsonSanitizer.sanitize(input).equals(input)) {
        log.error("Problematic string found" + input);
        throw new YourException(...);
    }
    return input;
}

Marola answered 16/2, 2021 at 21:13 Comment(0)

Recommended topics

Hot tags