Differences between parsers have caused security issues for about as long as programs have exchanged data; HTTP request smuggling is the best-known example. This article is about how two different JSON parsers can interpret the same document differently, and how that disagreement becomes a security issue when one parser validates the data and another acts on it.
The first issue discussed is inconsistent duplicate-key precedence. The specification only says that keys within an object should be unique and leaves the behaviour for duplicates undefined, so a library may keep the first value or the last and still be compliant, which seems crazy. The example shows a verifier and a consumer that differ in precedence: the verifier checks one value while the consumer acts on the other.
The second issue is key collision through truncation and comments. Libraries differ in how they treat null bytes, Unicode escapes, invalid strings, comments and other oddities: one may truncate a key at the offending character or strip the comment, while another keeps the whole key or rejects the document. Two keys that are distinct to one library can therefore collapse into the same key in another, which reintroduces the duplicate-key problem even when the document contains no literal duplicate.
The third issue is differences in serialization. Different operations within the same implementation can disagree about which of two duplicate values is "the" value: for instance, obj["test"] may return the first key's value while obj.toString() emits the second. A service that validates a field by lookup and then re-serializes the object for the next hop forwards the value it never checked.
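The precedence and collision issues above can be made concrete with Python's standard json module. The following is an added example written for this summary, not code from the article: the object_pairs_hook parameter lets one loader emulate first-wins precedence, another last-wins (the default), and a hardened loader that rejects the document instead of picking a winner. canonical_key emulates a parser that truncates keys at a NUL byte or unpaired surrogate; that truncation rule is an assumption standing in for the lossy behaviour the article describes, not the behaviour of any named library. The sample documents are constructed.

```python
import json

# Constructed sample: a literal duplicate key. A verifier that keeps the
# first value sees "guest"; a consumer that keeps the last sees "admin".
DUPLICATE_DOC = '{"user": "guest", "user": "admin"}'

# Constructed sample: no literal duplicate, but a parser that truncates keys
# at a NUL byte reads "user\u0000x" as "user" and collides the two.
COLLISION_DOC = '{"user": "guest", "user\\u0000x": "admin"}'


def load_last_wins(text):
    """Default behaviour of json.loads: a later duplicate key overwrites an earlier one."""
    return json.loads(text)


def load_first_wins(text):
    """Emulate a parser that keeps the first occurrence of a duplicate key."""
    # dict() keeps the last pair for a repeated key, so feed it the pairs in
    # reverse order: the original first occurrence then wins.
    return json.loads(text, object_pairs_hook=lambda pairs: dict(reversed(pairs)))


def canonical_key(key):
    """Emulate a lossy parser that cuts a key at the first NUL byte or unpaired
    surrogate (assumption: a stand-in for the truncating behaviour the article
    describes, not the behaviour of any specific library). A properly paired
    surrogate escape has already been combined into one code point by json.loads,
    so only a lone surrogate triggers the cut."""
    out = []
    for ch in key:
        if ch == "\x00" or 0xD800 <= ord(ch) <= 0xDFFF:
            break
        out.append(ch)
    return "".join(out)


def load_truncating(text):
    """Emulate the lossy parser end to end: keys are truncated, then last wins."""
    return json.loads(
        text, object_pairs_hook=lambda pairs: dict((canonical_key(k), v) for k, v in pairs)
    )


def _reject_duplicates(pairs):
    seen = {}
    for key, _ in pairs:
        ck = canonical_key(key)
        if ck in seen:
            raise ValueError(f"duplicate or colliding key: {seen[ck]!r} and {key!r}")
        seen[ck] = key
    return dict(pairs)


def load_strict(text):
    """Hardened loader: refuse documents whose keys repeat, or would collide once
    a lossy peer truncated them, instead of silently choosing a winner."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def strict_accepts(text):
    try:
        load_strict(text)
        return True
    except ValueError:
        return False


def verify_then_act(text, consumer):
    """Model the verifier/consumer split: the verifier parses exactly and keeps
    the first key; the consumer is whichever loader the next service uses.
    Returns (user_seen_by_verifier, user_seen_by_consumer)."""
    return load_first_wins(text)["user"], consumer(text)["user"]


if __name__ == "__main__":
    print(verify_then_act(DUPLICATE_DOC, load_last_wins))   # ('guest', 'admin')
    print(verify_then_act(COLLISION_DOC, load_truncating))  # ('guest', 'admin')
    for doc in (DUPLICATE_DOC, COLLISION_DOC):
        print("strict loader accepts:", strict_accepts(doc))  # False, False
```

The point of load_strict is that choosing first-wins or last-wins only moves the problem to whichever peer chose differently; rejecting repeated or colliding keys at the boundary is the only option that does not depend on the other side's parser.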
The fourth issue is that differences in numeric decoding can be used. A very large integer or a floating-point number may decode to 0 in some libraries and to the largest representable value in others. The example is a shop where the validating service sees the large number and accepts the order, while the charging service sees the decoded 0 and bills for nothing.
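The numeric issue can be reproduced with the hooks json.loads exposes. This is an added example for this summary, not code from the article: load_exact shows what Python does by default (exact big integers, and 1e999 or the non-standard literal Infinity becoming inf), load_wrapping emulates a decoder that silently wraps integers to 64 bits (an assumption standing in for the lossy libraries the article describes, not any named library), and load_strict refuses any number that peers are likely to disagree about. The order document is constructed.

```python
import json
import math

INT64_MIN, INT64_MAX = -(2 ** 63), 2 ** 63 - 1

# Constructed order: quantity is exactly 2**64. An exact decoder sees a huge
# positive number; a decoder that wraps to 64 bits sees 0.
ORDER_DOC = '{"item": "book", "quantity": 18446744073709551616, "unit_price": 12.5}'


def load_exact(text):
    """Python's json keeps integers exact (arbitrary precision) and turns an
    out-of-range float literal such as 1e999 into inf instead of failing."""
    return json.loads(text)


def _wrap_int64(digits):
    # Emulate a decoder that wraps integers to signed 64 bits (assumption: a
    # stand-in for the lossy behaviour the article describes, not the
    # behaviour of any specific library).
    value = int(digits) & 0xFFFFFFFFFFFFFFFF
    return value - 2 ** 64 if value >= 2 ** 63 else value


def load_wrapping(text):
    return json.loads(text, parse_int=_wrap_int64)


def _strict_int(digits):
    value = int(digits)
    if not INT64_MIN <= value <= INT64_MAX:
        raise ValueError(f"integer out of int64 range: {digits}")
    return value


def _strict_float(digits):
    value = float(digits)
    if not math.isfinite(value):
        raise ValueError(f"non-finite float: {digits}")
    return value


def _reject_constant(name):
    # json.loads accepts the non-standard literals NaN, Infinity and -Infinity
    # by default; refuse them so the document means the same thing to every peer.
    raise ValueError(f"non-standard numeric literal: {name}")


def load_strict(text):
    """Hardened loader: accept only numbers that fit int64 and finite floats."""
    return json.loads(text, parse_int=_strict_int, parse_float=_strict_float,
                      parse_constant=_reject_constant)


def strict_accepts(text):
    try:
        load_strict(text)
        return True
    except ValueError:
        return False


def process_order(text):
    """Model the shop: validation uses the exact decoder, billing the wrapping one.
    Returns (validation_passed, quantity_billed, amount_billed)."""
    validated = load_exact(text)
    if validated["quantity"] <= 0:
        return False, 0, 0.0
    billed = load_wrapping(text)
    qty = billed["quantity"]
    return True, qty, qty * billed["unit_price"]


if __name__ == "__main__":
    print(process_order(ORDER_DOC))          # (True, 0, 0.0)
    print(strict_accepts(ORDER_DOC))         # False
    print(strict_accepts('{"quantity": 3}')) # True
```

A validator that checks quantity > 0 passes the order because it sees 2**64, and the billing service charges for zero items because it sees 0; the only robust fix is for both sides to reject numbers outside a range they are known to decode identically, which is what load_strict does.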
At the end of the article is a list of 49 different JSON parser libraries from a variety of languages. This is a valuable resource to refer back to when assessing which parsers a system's components actually use.