JSON Interoperability Vulnerability Labs

by do son · April 15, 2021

JSON Interoperability Vulnerability Labs

Companion labs to “An Exploration of JSON Interoperability Vulnerabilities”

Description

These are the companion labs to my research article “An Exploration of JSON Interoperability Vulnerabilities”.

Lab 1: Free purchases in an E-commerce Application

Key Collision Attacks: Inconsistent Duplicate Key Precedence
Inconsistent Large Number Representations

This lab demonstrates a vulnerability pattern when two services use JSON parsers with inconsistent duplicate key precedence. The Cart service will decode a positive quantity, while the Payment service will decode a negative quantity. In this example, this will lead to an attacker receiving items without paying for them.

There are two services:

Cart API (port 5000): Python, stdlib JSON
Payments API (port 5001): Go, buger/jsonparser library

Lab 2: Privilege Escalation in a Multi-tenant Application

Key Collision Attacks: Character Truncation

These labs bind to host ports 5000-5004, by default.

Let’s consider a multi-tenant application where an organization admin is able to create custom user roles. We also know that users that have cross-organizational access are assigned the internal rolesuperadmin . Let’s try to escalate privileges.

There are two APIs:

User API (port 5002): Python, stdlib JSON
Permissions API (port 5003): Python, stdlib JSON
Admin API (port 5004): Python, ujson

Attack Techniques

1. Key Collisions

Inconsistent Duplicate Key Precedence

{"qty": 1, "qty": -1}

Character Truncation

Truncation in last-key precedence parsers (flip order for the first-key precedence)

Comment Truncation

These documents take advantage of inconsistent support of comments and quote-less string support:

{"qty": 1, "extra": 1/*, "qty": -1, "extra2": 2*/}

{"qty": 1, "extra": a/*, "qty": -1, "extra2": b*/}

{"qty": 1, "extra": "a/*", "qty": -1, "extra2": "b"*/}

{"qty": 1, "extra": "a"//, "qty": -1}

2. Number Decoding

Inconsistent Large Number Decoding

These large numeric values may be converted to Strings (e.g., “+Infinity”), which may lead to type-juggling vulnerabilities. Or, they may be converted to MAX_INT/MIN_INT, rounded values, or 0, which may allow a bypass of business logic.

{"qty": 999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999}

{"qty": -999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999}

{"qty": 1.0e4096}

{"qty": -1.0e4096}

Download

Author

Twitter: @theBumbleSec

GitHub: the-bumble

JSON Interoperability Vulnerability Labs

Search

Brilliantly

Content & Links