Versions Compared

Old Version 13

changes.mady.by.user Former user

Saved on

compared with

New Version 14

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This function is designed to validate data according to by processing the received data according to the designated rules and conventions in UDP. Regarding the JSON file types and objects, they are to be checked according to the official JSON Schema Validation definitions, approved by the IETF Trust. Each JSON schema object is to be independently examined by the built-in engine for validity.

...

This section lists the validation requirements for the contents that comprise of string-encoded data. There are specific implementation rules that need to be followed to perform a successful validation. For security purposes, the entered implementations must not perform decode, parse and/or validate the string contents automatically. Each string-encoded document is to be evaluated according to the set standards on a conditional basis. All keywords in this section apply only to string data types and have no effect on other data types. Validation is performed for the following data contents:  

...

  • Regular Expressions – The JSON schema validation is performed on regular expressions. The security implications of this process are that some implementations may include embedding of arbitrary code outside of the JSON schema. This must not be permitted as it can lead to vulnerability exploitation. Attackers can make use of denial-of-service attacks with poorly crafted expressions.
  • Content Validation Risks – JSON validation of “contentEncoding” and/or “contentMediaType” are at risk as they can evaluate instance string data in an unsafe way based on misleading data. Potential security issues can be mitigated by performing such processes when e relationship between the schema and the instance is established.
  • Media Type Processing – The different media types that are being encoded or processed all have their own security considerations, subject to their own specifications. It is recommended that proper handling is performed.
  • Duplicate Names – JSON processing of duplicate names can result in inconsistent behaviour. In this regard improper processing can result in a covert channel. This can be used in penetration testing for a possible intrusion path.
  • JSON Name/Value Pairs Ordering It is possible to encode hidden meaning in the order of the name/value pairs in JSON objects. The reason for this is because there is no concrete definition of how this is done according to the official specifications. To minimize the possibility of security exploitation, standardization of the order should be considered. When this is done, hashing and the use of digital signatures can be considered.
  • JSON Numbering Considerations — JSON exploitation can be done when there is improper handling of the numbering conventions. By specification, there are no restrictions on the number of digits or the precision. Application behaviour behavior can be unpredictable when processing some types of numbers. There is a possibility that an application can crash and potentially lead to exploitation when large numbers of digits are handled improperly.
  • Undefined Unicode Characters Use —Unicode characters should be used throughout the JSON schema use. The use of defined Unicode characters in notation form can lead to unpredictable processing. In some cases, this can result in application crashes which can lead to vulnerability exploitation.

...