Fuzzing JSON

Websecurify Suite comes with many powerful tools, which are particularly helpful when automating complex, repetitive jobs related to identifying web security vulnerabilities and other bugs. One of these tools is JSONFuzz. JSONFuzz was designed to accommodate any task related to fuzz-testing JSON-based web services.

Some Words on JSON Fuzzing

JSON (JavaScript Object Notation) is a text-based format designed for human-readable data interchange. JSON resembles the structure of JavaScript objects with a few added rules/constraints to make it more generic and easy to interpret from other programming languages. Here is an example of a simple JSON structure:

{"name":"Fred","email":"fred@websecurify.com","age":41,"married":false}

JSON is often used to build web services. A simple call to a JSON-enabled web service looks more or less like the snippet below:

POST /update/user/1 HTTP/1.1
Host: example
Content-Length: 71
Content-Type: application/json

{"name":"Fred","email":"fred@websecurify.com","age":41,"married":false}

A typical JSON-based web service can interpret many types of JSON messages, each with a different level of complexity. Because the developer may not anticipate certain types of input, a security vulnerability may arise.

The purpose of fuzz-testing is to identify these security vulnerabilities and other, non-security-related bugs. A JSON-centric web fuzzing technology performs fuzz tests on JSON-enabled web services by providing a series of unexpected inputs and observing abnormal behavior. JSONFuzz does exactly this.

Step 1

We will start by investigating a simple web-store JSON service written in PHP. The service behaves as illustrated in the screenshot (we use the Resend tool, part of the online Suite):

Screenshot 02

This JSON service receives as input a JSON object which contains two fields: price and item. The price field is the price for the item identified by the number in the item field (in our case this is item 451).

Step 2

In order to start a test we simply need to send this request from the Resend tool into JSONFuzz. You can either copy and paste it directly or use escape mode by pressing the ESC key.

Screenshot 03

With the request now loaded into the request editor we only need to press the start button. The test is now in progress and you should start receiving all kinds of visual indicators of its current state.

Step 3

Screenshot 04

Notice that the tool automatically identified some issues, which you can preview in the report view. This already tells you that there are some problems with this service worth investigating.

Step 4

Although JSONFuzz provides a powerful analytical engine and can automatically identify issues, advanced users may want to explore the results of the fuzz manually by browsing through the transactions window, as illustrated in the screenshot below.

Screenshot 06

The first thing you will notice is that each fuzz starts with a base request. It is highlighted so that it stands out from the rest of the requests and is easy to identify. The base request is the first valid request, which we use as a baseline for all other requests or as a starting point for more fuzzing.

Screenshot 07

If we start scrolling down through the result set we will quickly get an idea of what the tool did. We will also see some of the problems with this JSON service. For example, it turns out that if the value of price is set to the boolean false, the total is calculated as 0.

Screenshot 08

On the other hand, if we provide an empty array or an empty object (i.e. [] or {}) we get two different kinds of errors. Let's look into both of them.

Screenshot 09

The screenshot shows what happens when submitting an empty array. The JSON service simply explodes and prints errors on the screen. From the error we can tell that the service tried to perform some kind of arithmetic operation using the provided value.

Step 5

Now let's analyze the test case where an empty object is submitted.

Screenshot 10

This one is perhaps a lot more interesting. From the screenshot above we can tell that the request succeeded, although with a few warnings. It turns out that if we send an empty object for the price, the total is calculated as 1.2. Taking into consideration the information gathered so far, we can build a partial picture of how these values are calculated and thus identify other bugs (perhaps other logic flaws) or fix the issues present in this particular JSON service.
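As an added example (not part of the original article and not JSONFuzz's own code), the script below applies the same type-substitution idea to the web-store request and shows the strict server-side check that turns the three problem inputs (false, [] and {}) into clean rejections instead of a wrong total or a crash. The 1.2 multiplier is inferred from the totals observed above, and the payload list is an assumption.

```python
import copy
import json
from typing import Any, Dict, Iterator, List, Tuple

# Constructed base request body, mirroring the web-store service above (item 451
# plus a price); the 1.2 multiplier is an assumption inferred from the observed totals.
BASE_BODY: Dict[str, Any] = {"item": 451, "price": 10}

# Type-confusion payloads substituted into each field, including the three that
# misbehaved on this page: boolean false, an empty array and an empty object.
TYPE_PAYLOADS: List[Any] = [False, True, None, 0, -1, 1e308, "", "10", [], {}, [10], {"x": 1}]


def mutate(base: Dict[str, Any]) -> Iterator[Tuple[str, Any, Dict[str, Any]]]:
    """Yield (field, payload, body): the untouched base request first, then one mutation per field/payload."""
    yield "base", None, copy.deepcopy(base)
    for field in base:
        for payload in TYPE_PAYLOADS:
            body = copy.deepcopy(base)
            body[field] = payload
            yield field, payload, body


def validate_order(body: Any) -> Dict[str, Any]:
    """Hardened server-side handling: accept only a well-typed order and never coerce types."""
    if not isinstance(body, dict) or set(body) != {"item", "price"}:
        raise ValueError("unexpected structure")
    item, price = body["item"], body["price"]
    # bool is a subclass of int in Python, so it has to be excluded explicitly
    if isinstance(item, bool) or not isinstance(item, int) or item <= 0:
        raise ValueError("item must be a positive integer")
    if isinstance(price, bool) or not isinstance(price, (int, float)) or not 0 < price < 1e6:
        raise ValueError("price must be a positive number")
    return {"item": item, "total": round(price * 1.2, 2)}


def run_fuzz(base: Dict[str, Any]) -> List[Tuple[str, str, str]]:
    """Serialise each body as it would go on the wire and classify the handler's reaction."""
    results = []
    for field, _payload, body in mutate(base):
        raw = json.dumps(body)
        try:
            validate_order(json.loads(raw))
            outcome = "ok"
        except ValueError:
            outcome = "rejected"          # the clean response a fuzzer should see for bad input
        except Exception as exc:          # anything else is the "service explodes" case
            outcome = "crash:" + type(exc).__name__
        results.append((field, raw, outcome))
    return results
```

With the strict check in place only the base request is accepted; every mutated body is rejected with a controlled error rather than silently computing 0 or 1.2.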

Going Further

JSONFuzz is really that easy to use, and all features are available at your fingertips. While the example service we tested is relatively simple, JSONFuzz can test very complex JSON services with deeply nested, hierarchical data structures. The testing process is exactly the same as the one presented here.