How to use JSON Sanitizer at Server Side?

Question

I want to implement the 'JSON Sanitizer' validation as mentioned by OWASP. My understanding is that this needs to be done in two places:

1. JSON data (in Request) received from Client or Other Systems - This needs to be sanitized at Server side before being processed

2. JSON data (in Response) to be sent to Client - This needs to be sanitized at Server side before being sent to client

Is it sufficient that I just call a sanitizing method in JSON Sanitizing library on that JSON Data ?

Will that perform all sanitization or are there any other validations to be done in this regard ?

Answer 1

The OWASP JSON Sanitizer converts JSON-like input to syntactically valid & embeddable JSON.

It is typically used to take “JSON” produced by ad-hoc methods on the server like

"{ \"output\": " + stringOfJson + " }"

and make sure it's syntactically valid so that it can be passed to JSON.parse on the client, and embeddable so that it can be embedded in a larger HTML or XML response like

<script>var jsonUsedByScriptsOnPage = {$myJson};</script>

You can definitely use it on your server if your clients are likely to send dodgy JSON.

Note that your server still needs to treat the JSON as untrusted just as it would any other string it receives in a response that does not arrive with valid credentials.

https://github.com/OWASP/json-sanitizer#security explains

sanitizing JSON cannot protect an application from Confused Deputy attacks

var myValue = JSON.parse(sanitizedJsonString);
addToAdminstratorsGroup(myValue.propertyFromUntrustedSource);