10

I want to implement web services in Java EE whose response is going to be a JSON. This is my first attempt for doing so but before that I just want to know are there any security issues with JSON because everywhere in many blogs I read it is mentioned Like "JSON is not secured in comparison to XML". JSON has several advantages like easy to use, greater speed.

So anyone can explain me the truth whether JSON is really unsecured or not. If so why it is. Please explain with an example.

There are couple old articles on the topic:

JSON vs XML - 2006

  • concerns about eval

JSON is not as safe as people think it is

  • Claims only protection for non-public data available via JSON is to use unique urls.
  • CSRF (Cross Site Request Fogery) - 2007
  • Array hack highjacking parsing of JavaScript by browser.
informatik01
  • 16,038
  • 10
  • 74
  • 104
Nikhil Agrawal
  • 26,128
  • 21
  • 90
  • 126
  • 2
    Could you post a link to "everywhere in many blogs"? I find this hard to believe... – Tim Pietzcker Apr 30 '13 at 06:45
  • 1
    @Tim Pietzcker http://www.subbu.org/blog/2006/08/json-vs-xml see this but what he is trying to explain I am noit understanding. See the last point. – Nikhil Agrawal Apr 30 '13 at 06:46
  • 6
    Well, then you have read that there is no insecurity, unless you do the foolish thing to `eval()` data coming from an untrusted source. – Tim Pietzcker Apr 30 '13 at 06:47
  • 2
    Your linked example actually *does not* claim that JSON is any less secure than XML. Did you actually read the last sentence of the security section? I quote: "So unless I’m missing something, I don’t consider that JSON is insecure when compared to XML." – Mac Apr 30 '13 at 06:48
  • @TimPietzcker Can you provide an explanation what he is trying to explain. Please – Nikhil Agrawal Apr 30 '13 at 06:49
  • I'm tempted to change title to "Is it more dangerous to run `eval` with text coming from JSON or XML or user or other untrusted source"... – Alexei Levenkov Apr 30 '13 at 06:49
  • See Eli Agranti's answer. – Tim Pietzcker Apr 30 '13 at 06:50
  • @TimPietzcker read this http://incompleteness.me/blog/2007/03/05/json-is-not-as-safe-as-people-think-it-is/. He is explaining two issues. – Nikhil Agrawal Apr 30 '13 at 06:50
  • Consider reading some newer posts/recommendations too... The last link seem to be "if you have XSS or CSRF vulnerabilities on your site you may leak personal information". http://en.wikipedia.org/wiki/Cross-site_request_forgery contains some initial information on it. – Alexei Levenkov May 01 '13 at 16:09
  • @Alexei Levenkov Thanks for giving importance to this post. I will surely post new update after reading latest articles. – Nikhil Agrawal May 01 '13 at 16:11

7 Answers7

28

This is nonsense. Both, json and xml are just methods for representation of structured data. None of them could be considered as "more secured" or "less secured".

Andremoniy
  • 34,031
  • 20
  • 135
  • 241
  • but sir there are security issues when parsing with java script. So If I am building a phonegap application it is mandatory for me to use javascript only to parse it otherwise I have to built extra plugin for it. Should I use xml and +1 for your answer. – Nikhil Agrawal Apr 30 '13 at 06:55
  • 1
    If you are using Javascript, you should use json, because any `json` is a valid Javascript code. But it isn't related to security. – Andremoniy Apr 30 '13 at 06:57
  • 3
    @nikhil, the problem is with Javascript then and not with json or xml. – Prakash Nadar May 10 '13 at 15:22
  • 3
    xml isn't _just_ a data representation, it also can contain processing directives that can be used in attack vectors. See [Billion Laughs](http://en.wikipedia.org/wiki/Billion_laughs) attack and [External Entity Expansion](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing). Even popular frameworks have had [XML parsing security issues](http://www.gopivotal.com/security/cve-2013-4152) – Patrick Oct 11 '13 at 23:04
  • *it also contain processing directives* - really? Don't you think, that these "processing directives" - is how appropriate xml tags will be interpreted by target application? Absolutely incorrect statement. – Andremoniy Oct 14 '13 at 12:50
  • @Andremoniy I don't quite understand the point you are trying to make. The links I provided are attacks against XML parsers using features defined in the XML spec. The XML tags aren't application specific. – Patrick Oct 14 '13 at 20:36
  • The only way to make XML more secure is disable processing directives during parsing and processing process. There's plenty of CVE on this topic and they clearly show that it is still exploited by this day – Eir Nym May 08 '20 at 10:32
12

There is no difference security wise between JSON and XML. The "insecurities" referred to by people regarding JSON have to do with the way JSON can (but should never be) parsed in Javascript.

JSON is based on the syntax for coding objects in javascript, so evaluating a JSON result in javascript returns a valid object.

This may open JSON to a variety of javascript injection exploits.

The way to resolve this: don't use eval() to parse JSON in javascript, use a JSON parser and fix any security issues in your server that allow unescaped user generated content in the response.

Eli Algranti
  • 8,707
  • 2
  • 42
  • 50
  • I have no issues in using xml but due to the advantages of json I am planning to use it. So If I am building a phonegap application it is mandatory for me to use javascript only to parse it otherwise I have to built extra plugin for it. Should I use xml and +1 for your answer – Nikhil Agrawal Apr 30 '13 at 06:54
  • There is no need to build a plugin for that. See this: http://stackoverflow.com/questions/4935632/how-to-parse-json-in-javascript – Eli Algranti Apr 30 '13 at 06:56
  • but ultimately it is also javascript . – Nikhil Agrawal Apr 30 '13 at 06:57
  • Yes and no, JSON is a browser implemented parser, json2.js is a javascript parser. The important thing is these parsers are secure they will not run injected Javascript code and since you do not have to write them it is no different than using an XML parser. Feel free to use JSON; all thing being equal I prefer it over XML. – Eli Algranti Apr 30 '13 at 07:00
  • Thank you for the wonderful explanation. If I am getting any other info or threat . I am going to mention it here only. – Nikhil Agrawal Apr 30 '13 at 07:04
4

There is no more secure version. There are other features to consider though:

Example 1

Example 2

It doesn't matter whether you work with java, php or perl. They can all parse json and xml. json is lightweight, though xml can handle more. I would say, start with json unless you really need features of xml.

Community
  • 1
  • 1
Menno
  • 12,175
  • 14
  • 56
  • 88
4

There is no security benefit to go with one or the other. Both formats are meant to provide a simple protocol for sending data, and neither use encryption by default (you could add something yourself). JSON is generally considered faster, since it takes less characters to assemble. It is also easy to use in JavaScript, since JSON is simply JavaScript Object Notation, and all JavaScript Objects can be converted to or from JSON representation.

Many (especially newer) developers prefer using XML because of its readability. It is structured in such a way that it is much easier for a human to read through it. This of course is what makes it bulkier than JSON, but it is by no means less secure.

Vulnerabilities that can occur as a result of these transfer protocols are a result of bad parsing. Parsers for services on an open network cannot simply assume that the data is valid, since that may lead to attacks such as code injection - but that has nothing to do with JSON or XML.

Phil
  • 35,852
  • 23
  • 123
  • 164
2

Both of the formats are representing data therefore there is no difference in security, i have been using JSON for years and never had any security issues.

Mike Kuasinski
  • 139
  • 1
  • 1
  • 8
2

JSON and XML both serves as a medium for server client communication. So, why are security concerns with one and not other?

The fundamental difference is that JSON(JavaScript Object Notation) as name suggests is very near and dear to JavaScript and hence in design of some JavaScript methods and functionalities, JavaScript treats JSON strings as it's cup of tea and tries to interpret it directly, which give workarounds to attackers to fool JavaScript interpreter to run malicious JavaScript embedded in the string causing vulnerabilities, while XML has to go through a parsing stage to be parsed into an object making it harder to attack with. 2 such JavaScript functionalities are eval() method and tag.

How does these create a security vulnerabilities?

Although web follows the same-origin policy, historically there have been loopholes found to bypass it and malicious sites use them to send cross site request to authenticated user website, breaking the intent of same-origin policy.

Example : In spite of same-origin policy being in place, web has allowed some tags like <img> <script> to make cross origin GET requests.

let us say you are on a website www.authenticatedwebsite.com, but lured to open a www.malicious.com which has a tag in its html <script src="www.authenticatedwebsite.com/get-user-order-history" />

Attacker from www.malicious.com use this script tag behavior to access your private data from www.authenticatedwebsite.com.

Now, how does a script tag which is calling a src url, store the url response to a javascript object[to perform operations like POSTing it to malicious site server]?

Here comes the role of JSON and XML proves out to be safer here. As JavaScript understands JSON pretty well, some JavaScript interpreters interprets naked JSON string as a valid JavaScript and run it.

What can running a JSON string potentially do, as it is still not assigned to a variable?

This can be achieved by another fancy hack. If the returned JSON string represents an array. JavaScript will try to run the constructor of Array class. Now it is possible to override the constructor of Array in JavaScript. You can do something like : 

Array = function(){ yourObject = this };

This is basically overriding JavaScript Array constructor, such that whenever JavaScript calls constructor, the current interpreted array is assigned to yourObject, thus giving malicious website access to your private data.

Now, this attack can be used with variants of JSON strings, with more sophisticated hacks.

Although above represents a valid scenario, where JSON can be dangerous as a return format of your GET APIs. This is actually possible in only some versions of some browsers, and as far as I know, all modern versions of famous browsers have mitigated it, but as your user base can be divided across versions of browsers, you need to be careful with GET APIs giving out private information in naked JSON format.

One of the technique used to circumvent this is adding a while(true) in front of your JSON response strings, which will never allow JavaScript interpreter to reach to the actual string. But it creates parsing overhead on your client side.

Another possible mishaps that JSON can cause is use of eval() method on browser client side to parse JSON. As eval() has capability to run script, if your JSON string contains some hidden script which eval() runs and perform dangerous actions what attacker injected script asks it to do, can prove out to be security issues for your system. But as others have mentioned, this attack can be easily prevented by strictly abandoning eval() method as your JSON parser everywhere in client code. This vulnerability plug in is highly important for websites which stores user generated content.

greperror
  • 5,156
  • 3
  • 20
  • 29
0

This post does a good job comparing the security issues found in the two data sharing formats. It even has code snippets with explanations of how attacks can be pulled off on the common vulnerabilities like XXE and DTD validation. Then it shows how to remediate/harden against these security issues so that both XML and JSON can be used safely.

https://blog.securityevaluators.com/xml-vs-json-security-risks-22e5320cf529

In terms of security, XML parsers in their default configuration are open to XXE injection attacks and DTD validation attacks, so XML data exchanges need to be hardened if used.

JSON, on the other hand, is in itself secure in its default state, but as soon as JSONP is utilized to bypass Same-Origin Policy restrictions (CSRF attacks), it becomes vulnerable because:

it allows cross-origin exchanges of data.

The author summarizes the comparison here:

In regard to security, processing untrusted Internet-facing requests is one of the most basic functions of an XML or JSON parser. Unfortunately, common XML parsers are not suitable for this purpose in their default configuration; only with hardening to disable external entity expansion and external DTD validation are they safe. Conversely, JSON parsing is almost always safe, so long as the programmer uses modern techniques rather than JSONP. As long as web developers are aware of these security risks and take the steps to defend against them, either option is completely viable in the current web environment.

goopcat
  • 105
  • 1
  • 8