JSON APIs can expose you to a variety of Information Security problems. Most of them arise from handling request bodies in the form of JSON documents.
Depending on the functions your API allows access to, a badly secured JSON API can expose you to spoofing, tampering, repudiation, information disclosure and denial of service. While some of these threats require in-depth protections, others can already be eliminated by very broad restrictions.
JSON objects in which the same member occurs more than once are treated differently by different software systems, libraries and even specifications! For example, the request
POST /basket HTTP/1.1
Authorization: Bearer ...token-for-customer-1...
Content-Type: application/json
{ "customerId": 1, "customerId": 2, "itemId": 1000, "amount": 1 }
might add item 1000 to the basket of customer 2, while passing security checks (including token verification) for customer 1.
Specially crafted JSON documents can cause CPU usage to be higher than expected.
{"AaAaAa":1,"AaAaBB":1,"AaBBAa":1,"AaBBBB":1,"BBAaAa":1,"BBAaBB":1,"BBBBAa":1,"BBBBBB":1}
is only a small example of the kinds of JSON documents that might lead to problems:
All keys in the document ("AaAaAa", "AaAaBB", ...) have the same Java hash code. If your server implementation converts the JSON document into a Java HashMap, the internal data structure of the HashMap will put all of them into the same bucket. This means that the runtime of hashMap.get(key) increases from O(1) to O(N), leading to CPU usage being higher than expected. In special scenarios (e.g. loops) this can be even worse.
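Both problems above can be caught at the gateway, before the document reaches application code. The following Python is an added example and not Membrane's jsonProtection implementation: it parses with a duplicate-member check and a per-object member cap, enforces a nesting limit, and reimplements java.lang.String.hashCode() to show that the keys from the document above really do collide. The limits MAX_KEYS_PER_OBJECT and MAX_DEPTH and the sample bodies are constructed for this example.

```python
import json

# Constructed limits for this example; a real gateway exposes them as configuration.
MAX_KEYS_PER_OBJECT = 64
MAX_DEPTH = 8

# Sample bodies taken from the two documents discussed above.
DUPLICATE_KEY_BODY = '{ "customerId": 1, "customerId": 2, "itemId": 1000, "amount": 1 }'
COLLIDING_KEYS_BODY = ('{"AaAaAa":1,"AaAaBB":1,"AaBBAa":1,"AaBBBB":1,'
                       '"BBAaAa":1,"BBAaBB":1,"BBBBAa":1,"BBBBBB":1}')


class JsonProtectionError(ValueError):
    """Raised when a document violates one of the protection rules."""


def java_string_hash(s: str) -> int:
    """Reimplementation of java.lang.String.hashCode(): h = 31*h + c, 32-bit signed overflow."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - 0x100000000 if h >= 0x80000000 else h


def naive_loads(text: str):
    """Plain json.loads: duplicate members are silently resolved (Python keeps the last one)."""
    return json.loads(text)


def _checked_pairs(pairs):
    """object_pairs_hook: json.loads calls this for every object, innermost first.

    Rejects duplicate members instead of silently picking first or last, and
    rejects objects with too many members (the bucket-collision vector).
    """
    if len(pairs) > MAX_KEYS_PER_OBJECT:
        raise JsonProtectionError(f"object has {len(pairs)} members, limit is {MAX_KEYS_PER_OBJECT}")
    seen = set()
    for key, _ in pairs:
        if key in seen:
            raise JsonProtectionError(f"duplicate member {key!r}")
        seen.add(key)
    return dict(pairs)


def _depth(value, level=1):
    """Nesting depth of a parsed document (a scalar at top level has depth 1)."""
    if isinstance(value, dict):
        return max([_depth(v, level + 1) for v in value.values()] or [level])
    if isinstance(value, list):
        return max([_depth(v, level + 1) for v in value] or [level])
    return level


def protected_loads(text: str):
    """Parse with the duplicate/member-count hook, then enforce the depth limit."""
    doc = json.loads(text, object_pairs_hook=_checked_pairs)
    if _depth(doc) > MAX_DEPTH:
        raise JsonProtectionError(f"nesting deeper than {MAX_DEPTH}")
    return doc


def is_accepted(text: str) -> bool:
    """True if the body passes all checks (malformed JSON is rejected as well)."""
    try:
        protected_loads(text)
        return True
    except ValueError:  # JsonProtectionError and json.JSONDecodeError are both ValueErrors
        return False


if __name__ == "__main__":
    print("naive customerId:", naive_loads(DUPLICATE_KEY_BODY)["customerId"])
    print("duplicate body accepted:", is_accepted(DUPLICATE_KEY_BODY))
    print("distinct Java hash codes:", {java_string_hash(k) for k in naive_loads(COLLIDING_KEYS_BODY)})
```

The member cap limits how many colliding keys a single object can carry into a HashMap, and rejecting duplicates outright removes the ambiguity that lets one layer authorize customer 1 while another acts on customer 2.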
The following Membrane configuration enables the jsonProtection plugin for a service proxy on port 2000:
<spring:beans xmlns="http://membrane-soa.org/proxies/1/"
              xmlns:spring="http://www.springframework.org/schema/beans"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                  http://membrane-soa.org/proxies/1/ http://membrane-soa.org/schemas/proxies-1.xsd">
  <router>
    <serviceProxy port="2000">
      <jsonProtection />
      <target host="api.predic8.de" port="80"/>
    </serviceProxy>
  </router>
</spring:beans>
More fine-grained configuration options are also available.
Attacks using Injection or Cross Site Scripting usually rely on special characters like single quotes (') or left angle brackets (<).
By using JSON Schema validation on requests received by the gateway, the use of these characters can be prohibited. Nowadays, JSON Schema validation is usually done in conjunction with OpenAPI.
Rate limiting can also reduce the exploitability of existing weaknesses to the point where they become irrelevant (e.g. guessing the correct password).
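The following Python is an added example, not Membrane's validator or the jsonschema library: a small validator for the subset of JSON Schema keywords needed to express "no single quotes or angle brackets in strings" (pattern), a length cap, numeric bounds, required members and no unknown members. BASKET_SCHEMA and the request bodies are constructed for this example.

```python
import json
import re

# Constructed schema: strings may not contain ' or < and are capped in length.
SAFE_STRING = {"type": "string", "maxLength": 64, "pattern": r"^[^'<]*$"}

BASKET_SCHEMA = {
    "type": "object",
    "required": ["itemId", "amount"],
    "additionalProperties": False,   # unknown members such as customerId are rejected
    "properties": {
        "itemId": {"type": "integer", "minimum": 1},
        "amount": {"type": "integer", "minimum": 1, "maximum": 100},
        "note": SAFE_STRING,
    },
}

_TYPES = {
    "object": dict, "array": list, "string": str,
    "integer": int, "number": (int, float), "boolean": bool,
}


def validate(instance, schema, path="$"):
    """Return a list of violation messages; an empty list means the instance is valid.

    Supports only: type, properties, required, additionalProperties,
    pattern, maxLength, minimum, maximum, items.
    """
    errors = []
    t = schema.get("type")
    if t is not None:
        is_bool = isinstance(instance, bool)
        ok = isinstance(instance, _TYPES[t]) and not (t in ("integer", "number") and is_bool)
        if not ok:
            return [f"{path}: expected {t}"]   # no point checking further constraints
    if isinstance(instance, str):
        if "maxLength" in schema and len(instance) > schema["maxLength"]:
            errors.append(f"{path}: longer than {schema['maxLength']}")
        # JSON Schema patterns are unanchored searches, hence re.search
        if "pattern" in schema and not re.search(schema["pattern"], instance):
            errors.append(f"{path}: does not match {schema['pattern']}")
    if isinstance(instance, (int, float)) and not isinstance(instance, bool):
        if "minimum" in schema and instance < schema["minimum"]:
            errors.append(f"{path}: below minimum {schema['minimum']}")
        if "maximum" in schema and instance > schema["maximum"]:
            errors.append(f"{path}: above maximum {schema['maximum']}")
    if isinstance(instance, dict):
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in instance:
                errors.append(f"{path}.{name}: required member missing")
        for name, value in instance.items():
            if name in props:
                errors.extend(validate(value, props[name], f"{path}.{name}"))
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}.{name}: additional member not allowed")
    if isinstance(instance, list) and "items" in schema:
        for i, item in enumerate(instance):
            errors.extend(validate(item, schema["items"], f"{path}[{i}]"))
    return errors


def is_valid_request(body: str) -> bool:
    """Gateway-style decision: malformed JSON or any schema violation rejects the request."""
    try:
        instance = json.loads(body)
    except ValueError:
        return False
    return not validate(instance, BASKET_SCHEMA)


if __name__ == "__main__":
    for body in ('{"itemId": 1000, "amount": 1, "note": "gift wrap"}',
                 '{"itemId": 1000, "amount": 1, "note": "a<b"}',
                 '{"itemId": 1000, "amount": 1, "customerId": 2}'):
        print(body, "->", validate(json.loads(body), BASKET_SCHEMA) or "valid")
```

A character blacklist like this one is coarse: a note such as "O'Brien" is rejected too, so the pattern should be chosen per field, and output encoding at the consumer remains the primary defence against injection.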