How to use JSON Sanitizer at Server Side?

◇◆丶佛笑我妖孽 提交于 2019-12-07 07:22:21

问题


I want to implement the 'JSON Sanitizer' validation as mentioned by OWASP. My understanding is that this needs to be done in two places:

  1. JSON data (in Request) received from Client or Other Systems - This needs to be sanitized at Server side before being processed

  2. JSON data (in Response) to be sent to Client - This needs to be sanitized at Server side before being sent to client

Is it sufficient that I just call a sanitizing method in JSON Sanitizing library on that JSON Data ?

Will that perform all sanitization or are there any other validations to be done in this regard ?


回答1:


The OWASP JSON Sanitizer converts JSON-like input to syntactically valid & embeddable JSON.

It is typically used to take “JSON” produced by ad-hoc methods on the server like

"{ \"output\": " + stringOfJson + " }"

and make sure it's syntactically valid so that it can be passed to JSON.parse on the client, and embeddable so that it can be embedded in a larger HTML or XML response like

<script>var jsonUsedByScriptsOnPage = {$myJson};</script>

You can definitely use it on your server if your clients are likely to send dodgy JSON.

Note that your server still needs to treat the JSON as untrusted just as it would any other string it receives in a response that does not arrive with valid credentials.

https://github.com/OWASP/json-sanitizer#security explains

sanitizing JSON cannot protect an application from Confused Deputy attacks

var myValue = JSON.parse(sanitizedJsonString);
addToAdminstratorsGroup(myValue.propertyFromUntrustedSource);


来源:https://stackoverflow.com/questions/29791629/how-to-use-json-sanitizer-at-server-side

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!