Alternative approaches to iframes for content distribution via JSON API

I am currently working on a project that uses iframes to distribute content to customers. Going ahead, we would like to switch to a JSON-based REST API to deliver the content. API access would need a token to which specific content could be exposed and traffic limits set.

To replace the frontend appearance of the iframe I am thinking about writing a reusable bundle using a lightweight React alternative like preactjs. But this would mean exposing the raw API and the specific token to the end user. Simply routing user requests via the customer's server would conceal the token but still allow raw API access to the end user.

What would be a good architecture for such a use case?

Are there server-side rendered solutions that can easily be implemented across a variety of backend frameworks, that is, without rewriting everything for each customer?

Thanks for any advice

Deserialize only some fields from a JSON file

I’m trying to parse a very large JSON string in Unity. I do not need all the fields and I can’t create a class with all the members.

It appears that all examples I have found, including the official docs, always deserialize and map every field to class members, which I cannot do for my application.

I tried creating a class that is similar to the JSON string, meaning that it has some members of the target JSON, just not all of them. But it’s not working as desired: all members of my class are always undefined after deserializing.

Here’s part of the string:

```json
{
    "Robots": [{
        "CanReset": false,
        "CycleTime": 123.875,
        "Info": null,
        "LevelInfo": null,
        "Name": "FTF_10033",
        "State": 0,
        ...
    }, ...]
}
```

So I tried creating these classes:

```csharp
[Serializable]
public class jsonData
{
    public Robot[] robots;
}

[Serializable]
public class Robot
{
    public string Name = "Unknown AGV";
}
```

And printing the results:

```csharp
var jsonString = www.downloadHandler.text;
jsonData jsonData_ = JsonUtility.FromJson<jsonData>(jsonString);
Debug.Log("Json data: " + jsonData_);
Debug.Log("Robots: " + jsonData_.robots);
```

jsonData_ prints Json data: jsonData_, and jsonData_.robots prints nothing (just Robots:).

Is there any way to parse just these particular fields out of the JSON string?

I would be content with something like jsonString["robots"][0]["name"] or something.

Potential vulnerability in JSON response returning base64-encoded image data, with the response being vulnerable to MIME sniffing

A JSON response in the API of a webapp is returning the base64 of a user-uploaded image, and there's no X-Content-Type-Options header to prevent MIME sniffing.

Could this be a potential vulnerability such as an XSS for the webapp by using steganography to edit the image with a payload, uploading it, and then MIME sniffing the JSON response? (or by any other means?)

Searching for a substring in a field that contains a variable-length array of JSON objects

I am trying to construct a SQL query that searches for a substring within a field. The issue is that the field contains an array of one or more JSON objects.

For example the table looks like so:

```
day     | items
--------+----------------------------------------------------------------
Sunday  | [{"apples":5, "bananas":2}, {"pears":12, "cucumbers":9}, ...]
Monday  | [{"apples":6, "bananas":1}, {"watermelon": 1}]
Tuesday | [{"apples":4, "bananas":3}, {"tomatoes": 1}]
```

How do I construct a SQL query that searches for a substring in items, given that it is not a string?

Thanks

Is it necessary to encrypt a JSON Web Token more than what is built-in?

As a developer I do have some understanding of OWASP; I am also a member of the OWASP community, an official dues-paying one. Anyway, what I may not understand is information security, in that I am not a security engineer, and so I pose the following question:

Is it necessary to encrypt and encode a JSON Web Token?

In my experience, no secure or confidential information should be in a JSON Web Token anyway, outside of the id and email of the user. I can imagine a customer such as a bank freaking out about that, but what can someone do with an email? The password is salted and hashed and also at least in the NodeJS world that is my wheelhouse, JSON Web Token is tamper resistant.

I can verify that a token was valid by using the signing signature, and if it fails due to tampering then the services will no longer trust it; that simple, no? Why would it be necessary to encrypt it, encode it and whatever else an overzealous engineer can think of? What problem is it solving, or what use case is it handling, that is not already built in? Is it because in other programming languages there are no built-in libraries that can run a jwt.verify() on the JWT?

Could the case described in this post be what the institution is trying to solve?

JWT(Json Web Token) Tampering

I understand that for a customer for whom this is a big deal, encrypting the cookie contents is an option, but would that be overkill?

Can input value escape a JSON object?

I am passing a value from an input field directly into a script function inside a JSON object. I was thinking, is it possible that this input can escape this object and lead to XSS or something?

```html
<script>
...
function doSomething(item) {
    data = {'content': item}
}
...
</script>

<input id="search" type="text" value="" oninput="doSomething(this.value)"/>
```
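As an added example (not code from the post), plain JavaScript showing why the object literal above cannot be escaped by the input value, contrasted with the concatenation pattern that can; the function names and the hostile value are constructed for illustration.

```javascript
// Added example, not code from the post. It contrasts the post's pattern,
// data = {'content': item}, with the pattern that actually lets input
// "escape": building JSON text by string concatenation.
//
// An object literal is evaluated at runtime; `item` is already a string
// value, so no character in it is ever read as JS or JSON syntax. Any XSS
// risk lies downstream, where data.content is later written into the DOM.

// Mirrors the post's doSomething(): the input is bound as a value.
function buildWithLiteral(item) {
  return { content: item };
}

// Anti-pattern (constructed for contrast): the input is spliced into
// JSON text first, so quotes inside it change the structure.
function buildByConcatenation(item) {
  return JSON.parse('{"content":"' + item + '"}');
}

// Correct way to emit JSON text from untrusted input: the serializer
// escapes quotes, backslashes and control characters itself.
function buildWithStringify(item) {
  return JSON.stringify({ content: item });
}

// Constructed hostile value: closes the string and adds a second key.
const HOSTILE_INPUT = 'x","admin":true,"y":"';

console.log(Object.keys(buildWithLiteral(HOSTILE_INPUT)));      // [ 'content' ]
console.log(Object.keys(buildByConcatenation(HOSTILE_INPUT)));  // [ 'content', 'admin', 'y' ]
console.log(JSON.parse(buildWithStringify(HOSTILE_INPUT)));     // { content: 'x","admin":true,"y":"' }
```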

Is it possible to send a POST CORS request with json data?

Is it possible to send a custom POST CORS request with json data?

I found that the website example.com is vulnerable to CORS and it's accepting my Origin header (https://mywebsite.com); however, the request is a POST one and if I try without any POST data I get:

```json
{"errorCode":"invalid","message":"Invalid json body","statusCode":400}
```

I was wondering if it's possible to send CORS requests containing JSON data. If it's possible, how should I edit my proof-of-concept code?

At the moment I'm using the following:

```html
<script>
var createCORSRequest = function(method, url) {
  var xhr = new XMLHttpRequest();
  if ("withCredentials" in xhr) {
    // Most browsers.
    xhr.open(method, url, true);
  } else if (typeof XDomainRequest != "undefined") {
    // IE8 & IE9
    xhr = new XDomainRequest();
    xhr.open(method, url);
  } else {
    // CORS not supported.
    xhr = null;
  }
  return xhr;
};

var url = 'https://example.com/api/v1/post';
var method = 'POST';
var xhr = createCORSRequest(method, url);

xhr.onload = function() {
  // Success code goes here.
};

xhr.onerror = function() {
  // Error code goes here.
};

xhr.withCredentials = true;
xhr.send();
</script>
```

But I'll need to add {"id":"test","name":"test"} as POST JSON data to my PoC to make it work. How could I do that?

Null byte injection using JSON

I'm trying to make a chatroom for my university. It takes the username in JSON, stores it in an array, then takes it to the DB for keeping logs. The thing is, that array also has a "status" key, whose value is set to guest by default, but is set to ADMIN if I log in or any member of my team logs in. I know that the idea of storing "status" with the username is bad, but I just started working on the project. I want to confirm: is it possible to inject a NULL byte via the username field in JSON and add another key with the same name "status" to gain admin privileges?

Benefits of storing columns in JSON instead of traditional tables?

Are there any benefits in using JSON over traditional table structures?

Imagine having a table structure like this:

```sql
create table table1 (
    t_id int,
    first_name varchar(20),
    last_name varchar(20),
    age int
)
```

What if you stored the same columns inside a JSON document like this:

```json
{
    "first_name": "name",
    "last_name": "name",
    "age": 2
}
```

and have a table like this:

```sql
create table table2 (
    t_id int,
    attribute jsonb
)
```

Correct me if I'm wrong, but since both variants cause a row to be completely rewritten if there have been any updates or deletes on that row, both variants are identical in that regard.

How do I produce key pairs for my users while implementing JSON Web Token

I want to check the integrity of my user information, that is, that the information which my website server receives was indeed sent by them. From what I understand, JSON Web Tokens (JWT) are the way to go.

I want to use asymmetric keys for the signing. I know that key pairs can be generated using these commands:

```sh
openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
```

But how do I produce key pairs from JavaScript code for my users when they sign in? And how do I store the private key at the user end and the public key at the server end?