JavaScript – Is parsing a submitted JSON object safe?

code-security, javascript, json, malicious-code, node.js

I have a RESTful API, built in Node.js, that does what you would expect it to: it consumes data and then makes it accessible. Currently, data being submitted to my server is nested form data:

data[0][username]=...
data[0][email]=...
data[0][phone]=...
...
data[12][username]=...
data[12][email]=...
data[12][phone]=...

or as a query string

data[0][username]=...&data[0][email]=...&data[0][phone]=...

So when I parse it on the server, I get a JS array of objects with those particular fields. What I am wondering is: is it safe for me to accept a string that I can JSON.parse and then process it?

data=(some stringified json object)

I am unsure if it's possible for malicious code or anything to be included in the JSON object that would blow up my server once run through a parser.

Thanks.

Best Answer

JSON representation can be dense, certainly denser than a flat list of properties, so memory exhaustion and denial of service may be slightly easier.

Other than that, assuming your JSON parser is bulletproof, you're left with basically the same attacks that can be directed at a form-data or query-string based entry point, primarily various kinds of string injection attacks: SQL injection, client JavaScript injection, and so forth.
