Kishorekumar Yakkala

Reputation: 341

JSON injection in RESTful

I'm new to web applications and haven't found much information on Google about JSON Injection.
Can you please provide some insight into the questions below?

  1. What is JSON Injection?
  2. Is JSON Injection a client-side or server-side attack?
  3. How can you handle JSON Injection security aspects in terms of RESTful Application?

Upvotes: 2

Views: 9253

Answers (1)

Dherik

Reputation: 19060

What is JSON Injection?

It's an attack that utilizes some vulnerability in how the server reads the JSON information.

Is JSON Injection a client-side or server-side attack?

I can't say how creative an attack could be. Mostly it is considered a server-side attack, because the main objective is to manipulate the JSON sent to the server to see if the server handles this JSON in an unexpected way, producing the desired effect for the malicious user or showing some sensitive information that he can use.

How can you handle JSON Injection security aspects in terms of RESTful Application?

Security is really a complex subject, even involving JSON. But I'm sure that you can take some basic actions to prevent the most obvious problems.

Some basic actions:

  • Make your system handle all kinds of exceptions. Always show a nice message to the user without any sensitive detail about your system. This prevents some stack trace error from revealing information that could be useful to the malicious user.
  • Declare the charset when outputting the content type for JSON responses. Most frameworks do this already.
  • Try not to use sequential numbers for resource identifiers. Use UUID/GUID instead.
  • Avoid reading/building JSON by hand; use the framework.

And read the OWASP document about AJAX. They give some good advice related to JSON.

Upvotes: 4
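The four basic actions listed in the answer above, put together in one small REST handler, as an added example that is not part of the original answer. It assumes a hypothetical "note" resource with a `title` and a `body`, an in-memory dict standing in for a database, and uses only the Python standard library so it runs offline; the names `respond`, `parse_note`, `create_note`, `get_note`, `is_uuid` and `response_body` are chosen here and belong to no framework.

```python
import json
import logging
import uuid

logger = logging.getLogger(__name__)

# Always declare the charset alongside the media type on JSON responses.
JSON_CONTENT_TYPE = "application/json; charset=utf-8"

# Hypothetical in-memory store keyed by UUID strings (stands in for a database).
STORE = {}

# Whitelist of accepted fields and their types for the hypothetical "note" resource.
# Anything outside this list (e.g. an injected "role": "admin") is rejected.
NOTE_SCHEMA = {"title": str, "body": str}


class ValidationError(Exception):
    """Raised for client errors; the message is safe to return to the caller."""


def respond(status, payload):
    """Serialize with the library (never string concatenation) and tag the charset."""
    body = json.dumps(payload, ensure_ascii=False).encode("utf-8")
    return status, {"Content-Type": JSON_CONTENT_TYPE}, body


def response_body(response):
    """Decode a (status, headers, bytes) response back into a dict."""
    return json.loads(response[2].decode("utf-8"))


def parse_note(raw_body):
    """Parse and validate an incoming JSON body strictly, using the library parser."""
    try:
        data = json.loads(raw_body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValidationError("body must be a UTF-8 encoded JSON object") from exc
    if not isinstance(data, dict):
        raise ValidationError("top-level JSON value must be an object")
    unknown = sorted(set(data) - set(NOTE_SCHEMA))
    if unknown:
        raise ValidationError("unexpected fields: " + ", ".join(unknown))
    for field, expected in NOTE_SCHEMA.items():
        if field not in data:
            raise ValidationError("missing field: " + field)
        if not isinstance(data[field], expected):
            raise ValidationError("field %s must be a %s" % (field, expected.__name__))
    return data


def is_uuid(value):
    """True only if value parses as a UUID; used to validate path identifiers."""
    try:
        uuid.UUID(str(value))
    except ValueError:
        return False
    return True


def create_note(raw_body):
    """POST /notes: every exception is mapped to a response with no internal detail."""
    try:
        note = parse_note(raw_body)
        note_id = str(uuid.uuid4())  # random identifier, not a guessable counter
        STORE[note_id] = note
        return respond(201, {"id": note_id})
    except ValidationError as exc:
        return respond(400, {"error": str(exc)})
    except Exception:
        # Log the stack trace server-side; the client only sees a generic message.
        logger.exception("unhandled error in create_note")
        return respond(500, {"error": "internal error"})


def get_note(note_id):
    """GET /notes/{id}: reject malformed ids before touching the store."""
    if not is_uuid(note_id) or note_id not in STORE:
        return respond(404, {"error": "not found"})
    return respond(200, dict(STORE[note_id], id=note_id))


if __name__ == "__main__":
    # Constructed sample requests: a well-formed note, an injected extra field,
    # a wrong type, and a body that is not valid JSON at all.
    for body in (b'{"title": "hello", "body": "world"}',
                 b'{"title": "x", "body": "y", "role": "admin"}',
                 b'{"title": 1, "body": "y"}',
                 b'{"title": "x", "body": "y"'):
        status, headers, out = create_note(body)
        print(status, headers["Content-Type"], out.decode("utf-8"))
```

The field whitelist in `parse_note` is what stops the classic injection of an extra property (a client appending `"role": "admin"` to an otherwise valid body) from ever reaching the store, and the `except Exception` branch in `create_note` is the "nice message without sensitive detail" rule: the traceback goes to the server log, the client gets only `internal error`.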
