
How can I execute arbitrary code via JSON and how to sanitize the input

In the documentation of Python's jsonpickle module for JSON serialization and deserialization it states that

Loading a JSON string from an untrusted source represents a potential security vulnerability. jsonpickle makes no attempt to sanitize the input

But I wonder how it is possible for an attacker to execute arbitrary code via JSON messages?

Also, what is the best way to sanitize the input as suggested in the documentation? JSON data in my application is not trustworthy (it comes from the clients that send JSON messages).

FrozenHeart asked Aug 07 '16 07:08



1 Answer

jsonpickle is not JSON. jsonpickle allows creating arbitrary Python objects that potentially do harmful things. Sanitizing means that the JSON objects only contain data that can be interpreted by jsonpickle. Normally wrong data would lead to exceptions, but it may be used to trigger unwanted behavior.

The __reduce__ exploit (see, for example, Into The Jar | Exploitation of jsonpickle)

jsonpickle.decode('{"py/object": "list", "py/reduce":[{"py/type": "subprocess.Popen"}, ["ls"], null, null, null]}')

is only one direct way to execute any command. More subtle ways depend on your actual code.

So the short answer is not to use jsonpickle in an untrusted environment. Use normal JSON and check the input before using it.

Daniel answered Oct 26 '22 01:10
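One way to follow the answer's advice to "use normal JSON and check the input", as an added example that is not part of the original answer: the standard `json` module only ever builds dicts, lists, strings, numbers, booleans and `None`, so `py/...` keys are inert strings, and the parsed result is then checked against an explicit schema. The schema, field names and limits below are assumptions made for illustration.

```python
import json

MAX_CHARS = 4096  # assumed upper bound for one client message
# Hypothetical message schema: field name -> (exact type, value check)
SCHEMA = {
    "user":   (str, lambda v: 0 < len(v) <= 32 and v.isalnum()),
    "action": (str, lambda v: v in {"join", "leave", "say"}),
    "count":  (int, lambda v: 0 <= v <= 100),
}


class InvalidMessage(ValueError):
    """Raised when a client message fails parsing or validation."""


def _no_duplicate_keys(pairs):
    # json.loads silently keeps the last duplicate key; reject instead.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise InvalidMessage(f"duplicate key: {key!r}")
        obj[key] = value
    return obj


def load_message(raw: str) -> dict:
    """Parse untrusted JSON text into a validated dict of plain values."""
    if len(raw) > MAX_CHARS:
        raise InvalidMessage("message too large")
    try:
        data = json.loads(raw, object_pairs_hook=_no_duplicate_keys)
    except (json.JSONDecodeError, RecursionError) as exc:
        raise InvalidMessage(f"not valid JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise InvalidMessage("top-level value must be an object")
    if set(data) != set(SCHEMA):
        raise InvalidMessage(f"unexpected or missing fields: {sorted(data)}")
    for name, (expected, ok) in SCHEMA.items():
        value = data[name]
        # type() rather than isinstance(): bool is a subclass of int.
        if type(value) is not expected or not ok(value):
            raise InvalidMessage(f"bad value for {name!r}")
    return data


if __name__ == "__main__":
    print(load_message('{"user": "alice", "action": "say", "count": 3}'))
```

A message carrying `py/object` or `py/reduce` keys is rejected here because those fields are not in the schema, and no class named in the message is ever imported or instantiated.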