How to use JSON Sanitizer at Server Side?

Question
I want to implement the 'JSON Sanitizer' validation as mentioned by OWASP. My understanding is that this needs to be done in two places:

- JSON data (in Request) received from Client or Other Systems - This needs to be sanitized at Server side before being processed
- JSON data (in Response) to be sent to Client - This needs to be sanitized at Server side before being sent to client

Is it sufficient that I just call a sanitizing method in the JSON Sanitizing library on that JSON Data?

Will that perform all sanitization or are there any other validations to be done in this regard?
Accepted answer
The OWASP JSON Sanitizer converts JSON-like input to syntactically valid & embeddable JSON.

It is typically used to take "JSON" produced by ad-hoc methods on the server like

    "{ \"output\": " + stringOfJson + " }"

and make sure it's syntactically valid so that it can be passed to JSON.parse on the client, and embeddable so that it can be embedded in a larger HTML or XML response like

    <script>var jsonUsedByScriptsOnPage = {$myJson};</script>

You can definitely use it on your server if your clients are likely to send dodgy JSON.

Note that your server still needs to treat the JSON as untrusted just as it would any other string it receives in a response that does not arrive with valid credentials.

https://github.com/OWASP/json-sanitizer#security explains:

Sanitizing JSON does not protect an application from confused-deputy attacks

    var myValue = JSON.parse(sanitizedJsonString);
    addToAdminstratorsGroup(myValue.propertyFromUntrustedSource);
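As an added example (not part of the original answer or of the OWASP project), the server-side usage described above in Java with the library's com.google.json.JsonSanitizer, followed by the allowlist check that the confused-deputy caveat calls for. The role allowlist, the method names and the sample input are assumptions made for this example.

```java
import com.google.json.JsonSanitizer;
import java.util.Set;

public class SanitizeThenValidate {

    // Roles the application is willing to grant; assumed for this example.
    private static final Set<String> ALLOWED_ROLES = Set.of("viewer", "editor");

    /**
     * Step 1 (what the sanitizer does): take ad-hoc, possibly malformed JSON
     * and turn it into well-formed JSON that can be embedded in a <script>
     * block. Nothing here decides whether the content is trustworthy.
     */
    static String toEmbeddableJson(String stringOfJson) {
        // Same ad-hoc construction the answer describes.
        String adHoc = "{ \"output\": " + stringOfJson + " }";
        return JsonSanitizer.sanitize(adHoc);
    }

    /**
     * Step 2 (what the sanitizer does NOT do): a value read out of the
     * sanitized document is still attacker-controlled. A privileged action
     * driven by it must be authorised against an allowlist, not taken on faith.
     */
    static boolean grantRole(String requestedRole) {
        if (!ALLOWED_ROLES.contains(requestedRole)) {
            return false; // confused-deputy defence: refuse roles we never offer
        }
        // ... perform the grant for an allowed role ...
        return true;
    }

    public static void main(String[] args) {
        // Constructed input: unquoted key, single quotes, and a closing tag that
        // would otherwise terminate the surrounding <script> element.
        String dodgy = "{role: 'admin', note: '</script>'}";
        String safe = toEmbeddableJson(dodgy);
        System.out.println("<script>var jsonUsedByScriptsOnPage = " + safe + ";</script>");

        // Even after sanitizing, "admin" still comes from the untrusted source.
        System.out.println("grant admin? " + grantRole("admin"));
    }
}
```

The sanitizer call makes the output safe to embed; the allowlist check is a separate, application-level decision that no sanitizer makes for you.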