ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6398/java/rule.adoc
daniel-teuchert-sonarsource 7ef77a2844
Modify rule S6398: Add How to fix it in Spring (#3857) 
* Modify rule S6398: Add How to fix it in Spring

* Update rules/S6398/java/how-to-fix-it/spring.adoc

Co-authored-by: gaetan-ferry-sonarsource <112399173+gaetan-ferry-sonarsource@users.noreply.github.com>

---------

Co-authored-by: gaetan-ferry-sonarsource <112399173+gaetan-ferry-sonarsource@users.noreply.github.com>
2024-07-18 16:45:11 +02:00

88 lines
2.9 KiB
Plaintext
Raw Permalink Blame History

== Why is this an issue?
JSON injections occur when an application builds a JSON-formatted string from
user input without prior validation or sanitation. In such a case, a tainted
user-controlled value can tamper with the JSON string content. Especially,
unexpected arbitrary elements can be inserted in the corresponding JSON object.
Those modifications can include:
* Adding additional keys to a JSON dictionary.
* Changing values types.
* Adding elements in an array.
A malicious user-supplied value can perform other modifications depending on
where and how the constructed data is later used.
=== What is the potential impact?
The consequences of a JSON injection attack into an application vary greatly
depending on the application's logic. It can affect the application itself or
another element if the JSON string is used for cross-component data exchange.
For this reason, the actual impact can range from benign information disclosure
to critical remote code execution.
==== Information disclosure
An attacker can forge an attack payload that will modify the JSON string so that
it will become syntactically incorrect. In that case, when the data is later
used, the parsing component will raise a technical error. If displayed back to
the attacker or made available through log files, this technical error may
disclose sensitive business or technical information.
This scenario, while in general the less severe one, is the most frequently
encountered. It can combine with any other logic-dependant threat.
==== Privilege escalation
An application that would rely on JSON to store or propagate users'
authentication levels and roles would be under threat of privilege escalations.
Indeed, an attacker could tamper with the permissions storage object to insert
arbitrary roles or privileges.
While highly specific, similar issues can be faced in the following situations:
* An application builds JSON payloads for HTTP requests.
* An application builds JWT from user input.
==== Code execution
An application might build objects based on a JSON serialization string. In that
case, an attacker that would exploit a JSON injection could be able to alter the
serialization string to modify the corresponding object's properties.
Depending on the deserialization process, this might allow instantiating
arbitrary objects or objects with sensitive properties altered. This can lead to
arbitrary code being executed in the same way as a deserialization injection
vulnerability.
// How to fix it section
include::how-to-fix-it/java-se.adoc[]
include::how-to-fix-it/gson.adoc[]
include::how-to-fix-it/fasterxml.adoc[]
include::how-to-fix-it/spring.adoc[]
== Resources
include::../common/resources/docs.adoc[]
include::../common/resources/standards.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Change this code to not construct JSON documents directly from user-controlled data.
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink