CODEWITHSUNDEEP
jsonowaspsanitizationjsonexception
yathirigan
yathirigan

Reputation: 6059

How to use JSON Sanitizer at Server Side?

I want to implement the 'JSON Sanitizer' validation as mentioned by OWASP. My understanding is that this needs to be done in two places:

  1. JSON data (in Request) received from Client or Other Systems - This needs to be sanitized at Server side before being processed

  2. JSON data (in Response) to be sent to Client - This needs to be sanitized at Server side before being sent to client

Is it sufficient that I just call a sanitizing method in JSON Sanitizing library on that JSON Data ?

Will that perform all sanitization or are there any other validations to be done in this regard ?

Upvotes: 8

Views: 27764

Answers (3)

Lonzak
Lonzak

Reputation: 9816

I want to know whether some json string contains <script> tags which can later be used to execute dynamic content. But since the return value of the sanitize()method would escape it there is no way to detect whether something like that is in there. So the following works for me:

public static String checkJsonForScripts(String input) {
    if (!JsonSanitizer.sanitize(input).equals(input)) {
        log.error("Problematic string found" + input);
        throw new YourException(...);
    }
    return input;
}

Upvotes: 0

Zon
Zon

Reputation: 19880

The OWASP JSON Sanitizer doesn't cope with quotes screening - it splits string into several fields instead. So I've written own sanitize method, quite primitive though - if you see any security caveats, I'm open to suggestions, please share.

/**
 * Helper methods to validate data.
 */
@UtilityClass
public class ValidationUtils {

/**
 * Removes disallowed symbols from string to prevent input injection.
 * @param input User input with possible injection.
 * @return Value without injection-sensible symbols.
 */
public String sanateInjection(String input){
    return input.replaceAll("[^A-Za-z0-9 ]", "");
  }
}

Upvotes: 1

Mike Samuel
Mike Samuel

Reputation: 120496

The OWASP JSON Sanitizer converts JSON-like input to syntactically valid & embeddable JSON.

It is typically used to take “JSON” produced by ad-hoc methods on the server like

"{ \"output\": " + stringOfJson + " }"

and make sure it's syntactically valid so that it can be passed to JSON.parse on the client, and embeddable so that it can be embedded in a larger HTML or XML response like

<script>var jsonUsedByScriptsOnPage = {$myJson};</script>

You can definitely use it on your server if your clients are likely to send dodgy JSON.

Note that your server still needs to treat the JSON as untrusted just as it would any other string it receives in a response that does not arrive with valid credentials.

https://github.com/OWASP/json-sanitizer#security explains

sanitizing JSON cannot protect an application from Confused Deputy attacks

var myValue = JSON.parse(sanitizedJsonString);
addToAdminstratorsGroup(myValue.propertyFromUntrustedSource);

Upvotes: 7

Related Questions