JSON security best practices?


Question

While researching the issue of JSON vs XML, I came across this question. Now one of the reasons to prefer JSON was listed as the ease of conversion in Javascript, namely with eval(). Now this immediately struck me as potentially problematic from a security perspective.

So I started doing some research into the security aspects of JSON and came across this blog post about how JSON is not as safe as people think it is. This part stuck out:

Update: If you are doing JSON 100% properly, then you will only have objects at the top level. Arrays, Strings, Numbers, etc will all be wrapped. A JSON object will then fail to eval() because the JavaScript interpreter will think it's looking at a block rather than an object. This goes a long way to protecting against these attacks, however it's still best to protect your secure data with un-predictable URLs.

Ok, so that's a good rule to start with: JSON objects at the top level should always be objects and never arrays, numbers or strings. Sounds like a good rule to me.

Is there anything else to do or avoid when it comes to JSON and AJAX related security?

The last part of the above quote mentions unpredictable URLs. Does anyone have more information on this, especially how you do it in PHP? I'm far more experienced in Java than PHP, and in Java it's easy (in that you can map a whole range of URLs to a single servlet), whereas all the PHP I've done has mapped a single URL to the PHP script.

Also, how exactly do you use unpredictable URLs to increase security?
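An added example (not part of the question, the quoted blog post, or the answer below) showing what the "objects at the top level" rule actually buys you. It runs under Node.js; the response bodies are constructed, and the `sideEffect` function stands in for whatever an attacker would smuggle into a body that eval() will run but a JSON parser will reject.

```javascript
// Added example (not from the question, the blog post or the answer): what
// the "objects at the top level" rule buys you, and what it does not.
// Runs stand-alone under Node.js; every payload below is constructed.

// Two shapes of a response body that an attacker's page might try to pull
// in with <script src="https://yourbank.example/json-api/statement">.
const TOP_LEVEL_ARRAY  = '[{"account":"12345","balance":100}]';
const TOP_LEVEL_OBJECT = '{"accounts":[{"account":"12345","balance":100}]}';

// Not JSON at all, but eval() does not know that: an expression with a
// side effect hidden inside an otherwise JSON-looking body.
let sideEffectCalls = 0;
function sideEffect() { sideEffectCalls += 1; return 2; }
const NOT_JSON = '[1, sideEffect()]';

// Simulates the browser evaluating a <script> body, or a naive eval()-based
// JSON loader. Returns the completion value, or the error class when the
// body is not valid JavaScript in statement position.
function runAsScript(body) {
  try {
    return { ok: true, value: eval(body) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// What eval()-based JSON loaders did to get around the block-vs-object
// ambiguity: wrap the text in parentheses so it parses as an expression.
// This also throws away the "protection" the blog post describes, and it
// still executes whatever code is in the body.
function evalWrapped(body) {
  return eval('(' + body + ')');
}

// The right tool: a JSON parser accepts exactly JSON and never runs code,
// whatever the top-level value is.
function parseStrict(body) {
  try {
    return { ok: true, value: JSON.parse(body) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

function sideEffectCount() { return sideEffectCalls; }

console.log('array as script :', runAsScript(TOP_LEVEL_ARRAY));
console.log('object as script:', runAsScript(TOP_LEVEL_OBJECT));
console.log('object, parsed  :', parseStrict(TOP_LEVEL_OBJECT));
```

The top-level array evaluates cleanly as a script; the top-level object raises a SyntaxError because `{` opens a block and `"accounts":` is not a valid statement. That is the whole effect of the rule, and it costs nothing, so it is worth keeping. It is not a substitute for the real fixes: parse with JSON.parse (or a library that does not call eval), and do not let an authenticated GET that returns sensitive data be reachable from another site at all, which is the CSRF point the answer below makes.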

Accepted answer

The main security hole from the blog (CSRF) is not JSON specific. It's just as big a hole using XML instead. Indeed, it's just as bad with no asynchronous calls at all; regular links are just as vulnerable.

When people talk about unique URLs, they generally DON'T mean http://yourbank.com/json-api/your-name/big-long-key-unique-to-you/statement. Instead, it's more common to make something else about the request unique; namely a value in the FORM post, or a URL parameter.

Usually this involves a random token inserted into the FORM on the server side, and then checked when a request is made.

The array/object thing is news to me:

Script-Tags: The attacker can embed a script tag pointing at a remote server and the browser will effectively eval() the reply for you, however it throws away the response and since JSON is all response, you're safe.

In that case, your site doesn't need to use JSON at all to be vulnerable. But yeah, if an attacker can insert random HTML into your site, you're toast.
