JSON server side validation bypass DEMO

by Krzysztof Kotowicz

This is a exploit demo of a vulnerable server side input validation. The vulnerable page (see full source) accepts JSON data posted in a form and then uses it in Javascript. To protect from XSS, it validates server-side and only allows certain characters: -a-zA-Z0-9,.:"{} and a space, making it very tricky to find a bypass. But theoretically it's possible in all browsers and, thanks to Sidarckcat and Thornmaker research there's a working vector for IE.

Lessons to learn:

• If you accept JSON input, make sure it's a legit JSON input (JSON's is a subset of Javascript!). In PHP you can use json_decode()
• Validating JSON using character whitelist is a dead end. Don't do it. There are really tricky vectors around.
• Don't use eval! There's JSON.parse() built into newer browsers, for older - use this.

Read more:

• http://p42.us/ie8xss/IE8%20Filters.ppt
• http://blog.mindedsecurity.com/2011/08/ye-olde-crockford-json-regexp-is.html
• https://github.com/douglascrockford/JSON-js/blob/master/json2.js

And now for the exploit