JSONP security: attack and defense techniques
About JSONP
JSONP stands for JSON with Padding; it is a technique, built on the JSON format, for requesting resources across domains. Its basic principle is to use the HTML <script> tag to load a remote JSON file and thereby transfer data. Suppose a page under the a.com domain wants to obtain the JSON data at b.com (getUsers.JSON):
You first wrap the JSON of getUsers in a "padding", that is, a call to a callback function. The JSONP output is:
In practice the name of the callback is output dynamically by the back end. The above example implemented in PHP is as follows:
On a.com the file is then loaded remotely with a <script> tag; in jQuery it can be called directly like this:
Security problems, however, grow along with the business, and JSONP brings security issues of its own. This article surveys the attacks and defenses encountered when implementing JSONP.
JSON hijacking, also called "JSONP hijacking": foreign security researchers pointed out the risks of JSONP as early as 2008. The problem belongs to the CSRF (Cross Site Request Forgery) category: when a web site passes the sensitive information of an authenticated user across domains (usually between subdomains) via JSONP, an attacker can construct a malicious page that calls the JSONP interface, induce the victim to visit it, and thereby capture the user's sensitive information. A typical JSONP hijacking attack code is as follows:
This is a case reported on the WooYun platform (WooYun-2012-2012): when a user logged in to a 360 website visits the attacker's page, personal data (such as user name, e-mail, etc.) can be captured by the attacker.
Although the attack has been known for many years, it is still common, even on large portal sites, and because security awareness is weak many enterprises have not realized the importance of the problem.
Many first-party companies (the site owners) have, however, begun to take these issues seriously and work on solutions. One solution is to verify the source of the JSONP call through the Referer header: when a <script> tag loads the remote JSON file, the browser sends a Referer, and the web site that outputs the JSON data checks whether that Referer is on a whitelist. The method is feasible in theory, but concrete implementations are prone to two logical problems.
【Referer filter (regular expression) too loose】
For example, the URL http://www.qq.com/login.php?Calback=cb outputs data and filters on the Referer. Unfortunately it only checks whether the Referer contains the keyword qq.com, so an attacker can bypass the Referer defense by constructing a URL such as http://www.qq.com.attack.com/attack.htm or http://www.attack.com/attack.htm?qq.com.
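The following is an added example, not code from the original article or from the sites it mentions: a JSONP endpoint's Referer check written the loose, keyword-matching way the text criticises, beside a strict version that parses the Referer and compares the host against an allow list on a dot boundary (and rejects an empty Referer). The allow list and sample Referer values are constructed for illustration.

```javascript
// Constructed allow list: the site's own registrable domain.
const ALLOWED_HOSTS = ["qq.com"];

// Loose check: passes whenever the keyword appears anywhere in the Referer.
// Both bypass URLs from the article contain "qq.com" and therefore pass.
function looseRefererCheck(referer) {
  return typeof referer === "string" && referer.includes("qq.com");
}

// Strict check: parse the Referer as a URL, take its hostname, and accept
// only an exact match or a real subdomain ("." + allowed) of an allowed host.
// An empty, missing or unparsable Referer is rejected outright.
function strictRefererCheck(referer, allowedHosts = ALLOWED_HOSTS) {
  if (!referer) return false;
  let host;
  try {
    const u = new URL(referer);
    if (u.protocol !== "http:" && u.protocol !== "https:") return false;
    host = u.hostname.toLowerCase();
  } catch (e) {
    return false; // not a well-formed absolute URL
  }
  return allowedHosts.some(
    (allowed) => host === allowed || host.endsWith("." + allowed)
  );
}

// Constructed sample Referer values: a legitimate one, the two bypasses
// described in the article, and an empty Referer.
const SAMPLES = [
  "http://www.qq.com/index.html",
  "http://www.qq.com.attack.com/attack.htm",
  "http://www.attack.com/attack.htm?qq.com",
  "",
];

// Run every sample through both checks so the difference is visible.
function compareChecks(samples = SAMPLES) {
  return samples.map((referer) => ({
    referer,
    loose: looseRefererCheck(referer),
    strict: strictRefererCheck(referer),
  }));
}

for (const row of compareChecks()) {
  console.log(JSON.stringify(row));
}
```

The loose check accepts both attacker-controlled Referers; the strict check accepts only the genuine www.qq.com page.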
【Empty Referer】
Another approach is defense by random token, a technique widely applied on Tencent's web sites; for example, http://r.qzone.qq.com/cgi-bin/tfriend/friend_show_qqfriends.cgi?Uin=[QQ number]&g_tk=[random token] outputs JSON. This scheme is effective, but the defense is also not rigorous enough. For example, the token can be brute-forced in the following way:
Of course, all of the above are purely attacks on "JSONP hijacking" itself. In reality, many vulnerabilities are mu