z/OS Connect Enterprise Edition


z/OS Connect - JSON Parser supports Duplicate Keys

  • 1.  z/OS Connect - JSON Parser supports Duplicate Keys

    Posted Fri February 16, 2024 10:15 AM

    Hi,

    I would like to check whether anyone else has had this type of issue regarding z/OS Connect and JSON duplicate keys.

    As a result of a recent Pen Test / Security Review of z/OS Connect it was identified that the z/OS Connect Server allowed duplicate keys to be specified in the JSON passed into z/OS Connect and was using last key precedence.

    The details of the issue and the examples the testers tried are as follows:

    The web service accepted JSON objects with duplicate keys in its structure.

    In this scenario the parser used last-key precedence in processing the request. While this does not present any immediate threats and therefore is raised as informational within the context of this assessment, it does give way to scenarios where other systems interacting with this web service could use a first-key precedence.

    If both these services relied on shared logic but used different key precedences, an attacker could bypass the logic by entering duplicate keys with different values.

    A simple example of this is seen with the binIssuer endpoint. Below is a sample payload sent to the endpoint.

    Note that the Input and PAN keys have been duplicated several times.

    The application only checked the value of the last PAN key provided - "pan":"465902abcdefghijklmnopq". Note that this was still valid input, as the application only checked the first 6 characters.
     
    {
      "cams-visaTokenisation-binIssuer-service-V01Operation": {
        "StatelessProfile": {
          "profileAttributes": {
            "channelId": "000058",
            "auditId": "string",
            "process": "VISA-TOKEN",
            "apiVersion": "string",
            "correlationId": "string"
          }
        },
        "Input": {
          "inputAttributes": {
            "pan": "00ASFF0000"
          }
        },
        "Input": {
          "inputAttributes": {
            "pan": "ASDFGH"
          }
        },
        "Input": {
          "inputAttributes": {
            "pan": "1234e9000000",
            "pan": "000000\ud888",
            "pan": "465902abcdefghijklmnopq"
          }
        }
      }
    }
     
    Please confirm whether this is a possible security exposure in the JSON parser used by z/OS Connect, as suggested by the pen testers, and whether it will be corrected so that duplicate keys are no longer allowed.
    Thank you 


    ------------------------------
    Angela Ghidoni
    ------------------------------
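The key-precedence mismatch the pen testers describe, shown with Python's standard json module (an added example, not code from the post or from z/OS Connect). It parses a constructed payload modelled on the one above three ways: last-key-wins (CPython's json default, matching the behaviour reported for z/OS Connect), first-key-wins (a downstream consumer that keeps the first value), and a strict mode that rejects duplicates outright. The BIN allowlist, the extract_pan/bin_is_allowed helpers and the function names are assumptions made for the illustration; the "first 6 characters" rule is the one the post describes.

```python
import json

class DuplicateKeyError(ValueError):
    """Raised by the strict parser when an object repeats a key."""

# Constructed payload, modelled on the post's example: the "Input" object and
# the inner "pan" key are each repeated with different values.
PAYLOAD = r'''{
  "cams-visaTokenisation-binIssuer-service-V01Operation": {
    "StatelessProfile": {
      "profileAttributes": {"channelId": "000058", "process": "VISA-TOKEN"}
    },
    "Input": {"inputAttributes": {"pan": "00ASFF0000"}},
    "Input": {"inputAttributes": {"pan": "ASDFGH"}},
    "Input": {"inputAttributes": {
      "pan": "1234e9000000",
      "pan": "000000\ud888",
      "pan": "465902abcdefghijklmnopq"
    }}
  }
}'''

OPERATION = "cams-visaTokenisation-binIssuer-service-V01Operation"

def _first_wins(pairs):
    # Keep the first value seen for each key; later duplicates are ignored.
    out = {}
    for key, value in pairs:
        out.setdefault(key, value)
    return out

def _reject_duplicates(pairs):
    # Fail closed: any repeated key in any object aborts the parse.
    out = {}
    for key, value in pairs:
        if key in out:
            raise DuplicateKeyError(f"duplicate key {key!r}")
        out[key] = value
    return out

def parse_last_wins(text):
    # CPython's json keeps the last value for a repeated key (the behaviour
    # the pen test reported for z/OS Connect).
    return json.loads(text)

def parse_first_wins(text):
    # A downstream system using first-key precedence sees different data.
    return json.loads(text, object_pairs_hook=_first_wins)

def parse_strict(text):
    return json.loads(text, object_pairs_hook=_reject_duplicates)

def is_strict_valid(text):
    """True if the document has no duplicate keys anywhere."""
    try:
        parse_strict(text)
        return True
    except DuplicateKeyError:
        return False

def duplicate_keys(text):
    """Detection helper: list every key that repeats within one object.
    Inner objects are reported before the objects that contain them."""
    dups = []
    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                dups.append(key)
            seen.add(key)
        return dict(pairs)
    json.loads(text, object_pairs_hook=hook)
    return dups

def extract_pan(doc):
    # Assumed shape, taken from the post's example payload.
    return doc[OPERATION]["Input"]["inputAttributes"]["pan"]

def bin_is_allowed(pan, allowed_bins=frozenset({"465902"})):
    # Hypothetical BIN check mirroring the post: only the first 6 characters
    # are examined. The allowlist is an assumption for this example.
    return pan[:6] in allowed_bins

if __name__ == "__main__":
    last = extract_pan(parse_last_wins(PAYLOAD))
    first = extract_pan(parse_first_wins(PAYLOAD))
    print("last-key  precedence sees:", last, "->", bin_is_allowed(last))
    print("first-key precedence sees:", first, "->", bin_is_allowed(first))
    print("duplicate keys present:", duplicate_keys(PAYLOAD))
    print("accepted by strict parser:", is_strict_valid(PAYLOAD))
```

The two lenient parsers agree on the document's syntax but disagree on its content: the last-wins view passes the BIN check while the first-wins view fails it, which is exactly the gap a request-validation front end and a back-end service could fall into. The strict hook is the defensive fix at the edge; the duplicate_keys helper is the same idea applied as a detection, suitable for flagging such requests in logs before a parser change ships.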