How to scan JSON?

SOLVED
Frequent Advisor

What is the proper method for scanning JSON with WebInspect 9.20?

If the application requires authentication, how does one account for that when scanning JSON? For a web application one would record a login macro, but JSON is just a request.


1 REPLY
Advisor

Re: How to scan JSON?

BLITZ,


I ran your inquiry past the WebInspect (WI) development team to see if any special configuration is required for scanning apps with WI 9.2, and I received the following response. It seems that WI has had the ability to handle JSON for the last few versions, but v9.2 added the ability to attack requests where the body is JSON or XML, where before JSON or XML was 'only' attacked if the JSON or XML was contained in the value of a POST or Query parameter. See the dev response below:

JSON is just syntax for encoding data in requests. It requires no special configuration, and has actually been present (along with XML encoded parameters) in the product since 7.0.

If, while crawling an application, HTTP requests with JSON (or XML) data are emitted during the crawl, then we will attack the values contained in the JSON (or XML) data.


What changed in 9.2 is that the product can attack requests whose body is JSON or XML. Prior to this release JSON and XML data was only attacked if the JSON or XML was contained in the value of a Post or Query parameter.

Prior to 9.2, this POST body would not be attacked:

POST /login.jsp HTTP/1.1
Host: www.mysite.com
User-Agent: Mozilla/4.0
Content-Length: 22
Content-Type: application/x-www-form-urlencoded

<xml><p1>v1</p1></xml>

but this would:

POST /login.jsp HTTP/1.1
Host: www.mysite.com
User-Agent: Mozilla/4.0
Content-Length: 29
Content-Type: application/x-www-form-urlencoded

userid=<xml><p1>v1</p1></xml>


I hope this is helpful!


Rob G

HP Fortify Software Professional Services
Application Security Center
WebInspect / AMP / QAInspect

"The views expressed in my contributions are my own and do not necessarily reflect the views and strategy of HP."
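To make the distinction in the dev response concrete, here is an added example (not WebInspect code, and not from the original post) that enumerates the input locations a scanner would test for the two request shapes: a form parameter whose value wraps JSON/XML (what pre-9.2 handled) versus a raw JSON/XML body (what 9.2 added). The sample requests and the `attack_surface` function are constructed for this illustration.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl
# Constructed sample requests (not from the original post), CRLF-delimited.
FORM_WRAPPED = ("POST /login.jsp HTTP/1.1\r\nContent-Type: "
                "application/x-www-form-urlencoded\r\n\r\nuserid=<xml><p1>v1</p1></xml>")
RAW_JSON = ("POST /api/login HTTP/1.1\r\nContent-Type: application/json\r\n\r\n"
            '{"user": {"id": 7, "roles": ["a", "b"]}}')

def _json_leaves(obj, path):
    # Yield (path, value) for every scalar inside a decoded JSON document.
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _json_leaves(val, f"{path}.{key}")
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from _json_leaves(val, f"{path}[{idx}]")
    else:
        yield path, obj

def _xml_leaves(elem, path):
    # Yield (path, text) for every leaf element of a parsed XML document.
    path = f"{path}/{elem.tag}"
    if len(elem) == 0:
        yield path, elem.text or ""
    for child in elem:
        yield from _xml_leaves(child, path)

def _structured_leaves(text, path):
    # Try the text as JSON, then as XML; an opaque string yields nothing.
    for loads, walk, err in ((json.loads, _json_leaves, ValueError),
                             (ET.fromstring, _xml_leaves, ET.ParseError)):
        try:
            return list(walk(loads(text), path))
        except err:
            continue
    return []

def attack_surface(raw_request):
    # Return the (location, value) pairs a body-aware scanner would test.
    head, _, body = raw_request.replace("\r\n", "\n").partition("\n\n")
    headers = {n.strip().lower(): v.strip() for n, _, v in
               (line.partition(":") for line in head.split("\n")[1:])}
    if "x-www-form-urlencoded" in headers.get("content-type", ""):
        found = []  # pre-9.2 style: form parameters plus whatever they wrap
        for name, value in parse_qsl(body, keep_blank_values=True):
            found.append((f"form:{name}", value))
            found.extend(_structured_leaves(value, f"form:{name}"))
        return found
    return _structured_leaves(body, "body")  # 9.2+ style: the raw body itself
```

Running `attack_surface(FORM_WRAPPED)` reports both the `userid` parameter and the `p1` value nested inside its XML, while `attack_surface(RAW_JSON)` reports the JSON leaves directly, which is the case a parameter-only scanner would have skipped.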