
0x01 Introduction

JSON parsing is an indispensable component of current web development. In modern polyglot microservice architectures, a single request may be parsed by several different standard-library JSON implementations, and those implementations usually differ in small ways. When such parser differences are combined with multi-stage request processing (one component validates the document, another one acts on it), they can introduce serious vulnerabilities.

0x02 Different specifications

  • IETF JSON RFC (8259 and prior): This is the official Internet Engineering Task Force (IETF) specification.
  • ECMAScript Standard: Changes to JSON are released in lockstep with RFC releases, and the standard refers to the RFC for guidance on JSON. However, non-spec conveniences provided by the JavaScript interpreter, such as quoteless strings and comments, have inspired many parsers.
  • JSON5: This superset specification augments the official specification by explicitly adding convenience features (e.g., comments, alternative quotes, quoteless strings, trailing commas).
  • HJSON: HJSON is similar to JSON5 in spirit with different design choices.
  • And more…

0x03 Categories of parsing differences

  1. Inconsistent handling of duplicate keys
  2. Character truncation or comments
  3. JSON serialization quirks
  4. Float and integer representation
  5. Permissive parsing and other errors

1. Duplicate key precedence
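As an added example (not code from the original post), the Python below shows this first category: the stdlib `json` module silently keeps the last occurrence of a repeated key, while an `object_pairs_hook` turns the duplicate into a hard error so a validating component can reject the document instead of disagreeing with a downstream parser. The function names `strict_loads`, `lenient_loads` and `has_duplicate_keys` and the sample cart document are my own constructions.

```python
import json
from typing import Any


class DuplicateKeyError(ValueError):
    """Raised when a JSON object carries the same key more than once."""


def _reject_duplicates(pairs: list[tuple[str, Any]]) -> dict[str, Any]:
    # json calls this hook with the decoded key/value pairs of each object,
    # in document order. Keys written with \u escapes are already unescaped
    # here, so "qt\u0079" collides with the plain spelling "qty".
    obj: dict[str, Any] = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKeyError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def strict_loads(text: str) -> Any:
    """Parse JSON but refuse objects with duplicate keys at any depth."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def lenient_loads(text: str) -> Any:
    """Default stdlib behaviour: the last occurrence of a key wins."""
    return json.loads(text)


def has_duplicate_keys(text: str) -> bool:
    """True if the document would be read differently by first-wins parsers."""
    try:
        strict_loads(text)
    except DuplicateKeyError:
        return True
    return False


# Constructed sample: the quantity appears twice, the second time through an
# escaped key, so a naive text search for '"qty"' would only find one copy.
SAMPLE = '{"item": "sword", "qty": 1, "qt\\u0079": -1000}'

if __name__ == "__main__":
    print(lenient_loads(SAMPLE))       # {'item': 'sword', 'qty': -1000}
    print(has_duplicate_keys(SAMPLE))  # True
```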

2. Character truncation or comments

Reference

An Exploration & Remediation of JSON Interoperability… | Bishop Fox