How to scan JSON? (386 Views)
Advisor
k1DBLITZ
Posts: 27
Registered: 06-08-2012
Message 1 of 2 (386 Views)
Accepted Solution

How to scan JSON?

What is the proper method for scanning JSON with webinspect 9.20?
If the application requires authentication, how does one account for that when scanning JSON? For a web application one would record a login macro, but JSON is just a request.

Advisor
gromonster
Posts: 13
Registered: 02-19-2008
Message 2 of 2 (370 Views)

Re: How to scan JSON?

BLITZ,
I ran your inquiry past the WebInspect (WI) development team to see if any special configuration is required for scanning apps with WI 9.2 and I received the following response.  It seems that WI has had the ability to handle JSON for the last few versions, but v9.2 added the ability to attack requests where the body is JSON or XML, where before JSON or XML was 'only' attacked if the JSON or XML was contained in the value of a POST or Query parameter.  See the dev response below:
JSON is just syntax for encoding data in requests. It requires no special configuration, and has actually been present (along with XML encoded parameters) in the product since 7.0.

If we can crawl an application and HTTP requests with JSON (or XML) data are emitted during the crawl, then we will attack the values contained in the JSON (or XML) data.

What changed in 9.2 is that the product can attack requests whose body is JSON or XML. Prior to this release JSON and XML data was only attacked if the JSON or XML was contained in the value of a Post or Query parameter.

Prior to 9.2, this POST body would not be attacked:

POST /login.jsp HTTP/1.1
Host: www.mysite.com
User-Agent: Mozilla/4.0
Content-Length: 27
Content-Type: application/x-www-form-urlencoded

<xml><p1>v1</p1></xml>

but this would:

POST /login.jsp HTTP/1.1
Host: www.mysite.com
User-Agent: Mozilla/4.0
Content-Length: 27
Content-Type: application/x-www-form-urlencoded

userid==<xml><p1>v1</p1></xml>

I hope this is helpful!

Rob G

HP Fortify Software Professional Services
Application Security Center
WebInspect / AMP / QAInspect

"The views expressed in my contributions are my own and do not necessarily reflect the views and strategy of HP."
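The distinction Rob's reply draws, as an added example that is not from the post and not WebInspect code: a small Python routine that checks whether a request body is bare JSON/XML or a form-encoded body carrying JSON/XML inside a parameter value, and lists the user-controlled values in each case, which are exactly the points a scanner attacks and an application must validate. The sample requests are constructed, modelled on the ones in the reply.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl

# Constructed sample requests (not from the original post), mirroring its cases:
BARE_XML = b"POST /login.jsp HTTP/1.1\r\nHost: www.mysite.com\r\n\r\n<xml><p1>v1</p1></xml>"
PARAM_XML = b"POST /login.jsp HTTP/1.1\r\nHost: www.mysite.com\r\n\r\nuserid=%3Cxml%3E%3Cp1%3Ev1%3C/p1%3E%3C/xml%3E&pw=s3cret"
BARE_JSON = b'POST /api/login HTTP/1.1\r\nHost: www.mysite.com\r\n\r\n{"user": {"id": 7, "roles": ["admin", "dev"]}, "otp": null}'

def decode(text):
    """Parse text as JSON or XML; None if it is neither (or malformed)."""
    t = text.strip()
    try:
        if t.startswith(("{", "[")):
            return json.loads(t)
        return ET.fromstring(t) if t.startswith("<") else None
    except (ValueError, ET.ParseError):
        return None

def leaves(node, path):
    """Yield (path, value) for every scalar inside parsed JSON or XML."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from leaves(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from leaves(v, f"{path}[{i}]")
    elif isinstance(node, ET.Element):
        kids = list(node)
        for child in kids:
            yield from leaves(child, f"{path}/{node.tag}")
        if not kids:                      # leaf element: its text is the value
            yield f"{path}/{node.tag}", node.text or ""
    else:
        yield path, node

def input_points(raw):
    """('body', path, value) for a bare JSON/XML body, ('param', path, value) for form fields."""
    _, _, body = raw.decode("latin-1").partition("\r\n\r\n")
    doc = decode(body)
    if doc is not None:                   # whole body is JSON/XML (the 9.2 case)
        return [("body", p, v) for p, v in leaves(doc, "$")]
    points = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        inner = decode(value)
        if inner is None:                 # ordinary scalar form field
            points.append(("param", name, value))
        else:                             # JSON/XML carried inside a field value
            points += [("param", p, v) for p, v in leaves(inner, name)]
    return points
```

The body is sniffed rather than trusted from Content-Type, because the reply's own example sends bare XML under application/x-www-form-urlencoded.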