
Department of Computer Science: MSc Thesis Presentations

Oula Kivalo will present their MSc thesis on Friday 24 April at 10:30 in A142, CS building

Cross-language JSON parser interoperability

Author: Oula Kivalo
Supervisor: Philip Ginzboorg

Abstract: JavaScript Object Notation (JSON) has become the de facto standard for data interchange in modern web architectures and is increasingly prevalent in other domains such as embedded systems, configuration files, and database storage. Despite its ubiquity, the JSON specification contains ambiguities regarding duplicate key handling, numeric representation, and string comparison. These ambiguities create discrepancies between JSON parser implementations that can be exploited by attackers in large software ecosystems containing multiple JSON parsers.

We have created DUPLIDOS -- a custom differential fuzzing framework designed to identify semantic discrepancies between pairs of JSON parsers and detect potential Denial of Service attack vectors. In addition, we have audited open-source software to characterize the resulting security threats via proof-of-concepts.

Using DUPLIDOS, we have investigated the interoperability of 41 JSON parsers across ten programming languages and two open-source database engines. Our analysis revealed that 55.7 % of the tested parser pairs exhibit conflicting behavior regarding object key collisions. Additionally, there are inconsistencies between parsers in the handling of large numeric values and character encodings.

As a result of this study, we have discovered and reported six previously unknown security threats in open-source software caused by vulnerabilities in JSON parsers and discrepancies between them.
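As an added illustration of the two discrepancy classes the abstract names (object key collisions and large numeric values), the following Python harness is a miniature differential fuzzer in the spirit of the thesis. It is not DUPLIDOS and not the author's code: it uses the standard library `json` module's `object_pairs_hook` and `parse_int` hooks to emulate four parser families (last-key-wins, first-key-wins, strict rejection of duplicates, and parsers that store every number as an IEEE-754 double), runs a small constructed corpus through all of them, and reports which parser pairs disagree on which input. The family names, the corpus and the hook implementations are assumptions made for this example.

```python
import json
from itertools import combinations
from typing import Any, Callable, Dict, List, Tuple

# --- Emulated parser families (assumption: each hook stands in for a real parser) ---

def last_wins(pairs: List[Tuple[str, Any]]) -> Dict[str, Any]:
    # Same behaviour as json.loads without a hook: a later duplicate overwrites an earlier one.
    return dict(pairs)

def first_wins(pairs: List[Tuple[str, Any]]) -> Dict[str, Any]:
    # Some parsers keep the first occurrence of a key and silently drop later ones.
    out: Dict[str, Any] = {}
    for key, value in pairs:
        out.setdefault(key, value)
    return out

def reject_duplicates(pairs: List[Tuple[str, Any]]) -> Dict[str, Any]:
    # The defensive choice: a document with a key collision is an error, not a guess.
    seen = set()
    for key, _ in pairs:
        if key in seen:
            raise ValueError(f"duplicate object key: {key!r}")
        seen.add(key)
    return dict(pairs)

PARSERS: Dict[str, Callable[[str], Any]] = {
    "last-wins": lambda doc: json.loads(doc, object_pairs_hook=last_wins),
    "first-wins": lambda doc: json.loads(doc, object_pairs_hook=first_wins),
    "strict": lambda doc: json.loads(doc, object_pairs_hook=reject_duplicates),
    # Emulates parsers (e.g. many JavaScript-style ones) that map every integer literal
    # to a double, losing precision above 2**53.
    "double-numbers": lambda doc: json.loads(doc, parse_int=float),
}

# Constructed corpus for this example; not taken from the thesis.
CORPUS: Dict[str, str] = {
    "duplicate-key": '{"id": 1, "id": 2}',
    "large-int": '{"id": 9007199254740993}',   # 2**53 + 1, not representable as a double
    "benign": '{"id": 1}',
}

def parse(name: str, doc: str) -> Tuple[str, Any]:
    """Run one emulated parser; normalise outcome to ('ok', value) or ('error', type)."""
    try:
        return ("ok", PARSERS[name](doc))
    except ValueError as exc:          # json.JSONDecodeError is a ValueError subclass
        return ("error", type(exc).__name__)

def differential(doc: str) -> Tuple[Dict[str, Tuple[str, Any]], List[Tuple[str, str]]]:
    """Parse `doc` with every family and list the parser pairs whose results differ."""
    results = {name: parse(name, doc) for name in PARSERS}
    discrepancies = [
        (a, b) for a, b in combinations(PARSERS, 2) if results[a] != results[b]
    ]
    return results, discrepancies

def run_corpus(corpus: Dict[str, str] = CORPUS) -> Dict[str, List[Tuple[str, str]]]:
    """Map each corpus entry to the parser pairs that disagree on it."""
    return {case: differential(doc)[1] for case, doc in corpus.items()}

if __name__ == "__main__":
    for case, pairs in run_corpus().items():
        print(f"{case}: {len(pairs)} discordant parser pair(s)")
        for a, b in pairs:
            print(f"  {a} vs {b}")
```

The harness treats a parse error as a result in its own right, so a parser that rejects a document is reported as disagreeing with one that accepts it; that is exactly the kind of accept/reject split that matters when two components in one system see the same bytes. For a service boundary, the `strict` family is the one to reproduce in production: rejecting duplicate keys and out-of-range integers at the edge removes the ambiguity before any downstream parser can interpret it differently.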

Department of Computer Science

We are an internationally-oriented community and home to world-class research in modern computer science.
