How to use JSON Sanitizer server side?

I want to implement the JSON Sanitizer validation mentioned by OWASP. I understand that this needs to be done in two places:

  • JSON data (in a request) received from the client or other systems - this needs to be cleaned up on the server side before processing

  • JSON data (in a response) to be sent to the client - this needs to be cleaned up on the server side before being sent to the client

Is it enough if I just call the sanitize method of the JSON Sanitizer library on the JSON data?

Will that do all the sanitization, or is any other validation needed for that matter?

+3

1 answer


OWASP JSON Sanitizer converts JSON-like input to syntactically correct and embeddable JSON.

It is usually used to take "JSON" generated by ad-hoc methods on the server, for example

    "{ \"output\": " + stringOfJson + " }"

and make sure it is syntactically correct, so that it can be passed to JSON.parse on the client, and embeddable, so that it can be embedded in a larger HTML or XML response like

    <script>var jsonUsedByScriptsOnPage = {$myJson};</script>



You can definitely use it on your server if your clients are likely to send quirky JSON.

Note that your server still needs to treat JSON as untrustworthy, just like any other string it receives in a request that doesn't come with valid credentials.

https://github.com/OWASP/json-sanitizer#security explains

    JSON sanitization cannot protect an application from a Confused Deputy attack

    var myValue = JSON.parse(sanitizedJsonString);
    addToAdministratorsGroup(myValue.propertyFromUntrustedSource);

+4
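An added illustration of the two points in the answer above (sanitize ad-hoc JSON before embedding it, then still validate the data before acting on it). This is not code from the question, the answer, or the json-sanitizer project; it assumes the library's com.google.json.JsonSanitizer.sanitize(String) API is on the classpath, Java 9 or later for Set.of, and the helper names and sample values are hypothetical.

```java
import com.google.json.JsonSanitizer;
import java.util.Set;

public class SanitizeThenValidate {

    // Constructed sample: "JSON" assembled by string concatenation, the pattern
    // the answer describes. The interpolated value is attacker-controlled.
    static String buildAdHocJson(String untrustedValue) {
        // Unquoted key, single quotes and a trailing comma: JSON-like, not JSON.
        return "{ output: '" + untrustedValue + "', }";
    }

    // Step 1: make the string well-formed JSON that is also safe to embed in a
    // <script> element. The sanitizer quotes the key, converts the single-quoted
    // string, drops the trailing comma and escapes "</" inside strings, so the
    // browser never sees a premature closing tag.
    static String sanitizedForEmbedding(String untrustedValue) {
        return JsonSanitizer.sanitize(buildAdHocJson(untrustedValue));
    }

    // Step 2 (the Confused Deputy caveat): syntactic sanitization says nothing
    // about the *meaning* of a value. Anything that drives a privileged action
    // must be checked against a server-side allowlist before it is used.
    private static final Set<String> KNOWN_GROUPS = Set.of("readers", "editors");

    static String requireKnownGroup(String groupFromClient) {
        if (groupFromClient == null || !KNOWN_GROUPS.contains(groupFromClient)) {
            throw new IllegalArgumentException("rejected group: " + groupFromClient);
        }
        return groupFromClient;
    }

    public static void main(String[] args) {
        // Constructed hostile value that would end the script block if embedded raw.
        String hostile = "</script><script>alert(1)</script>";
        String json = sanitizedForEmbedding(hostile);
        System.out.println("<script>var cfg = " + json + ";</script>");

        System.out.println(requireKnownGroup("editors"));       // accepted
        try {
            requireKnownGroup("administrators");                 // well-formed, still rejected
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```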