While JSON and XML are both text-based data formats, both can store binary file data objects (such as images and audio files) once those objects are encoded as ASCII characters. ASCII is a common text-based character set accepted by most computer systems around the world.
Converting binary data to ASCII can be accomplished through Base64 encoding, and after that encoding takes place, the resulting ASCII character representation can be stored in a JSON property or an XML element. This means Base64-encoded binary file data can travel within JSON and XML objects through an HTTP request, and servers processing JSON or XML objects can eventually decode that content.
It’s important to note that binary file data can also be sent separately from JSON or XML data objects in a multipart/form-data HTTP request. This encoding is commonly used for file attachment uploads through web application portals. Binary data is considerably smaller than its Base64-encoded counterpart, so multipart/form-data requests tend to be more efficient when larger files (e.g., multi-page PDF documents) are involved.
From a cybersecurity threat modeling viewpoint, the inclusion of encoded binary data within JSON and XML objects represents a significant threat to our applications.
Files containing malicious payloads (i.e., malware or malicious scripts) can be disguised as apparently innocent binary data objects and stored within JSON or XML data, ready to execute after data deserialization and Base64 decoding take place. Excessively large files (without malicious code) can be disguised in much the same way and used to crash targeted systems, resulting in Denial of Service (DoS) attacks. A wide range of additional techniques can be used to exploit vulnerable server-side data processing workflows that improperly validate or sanitize their inputs.
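The input checks this threat model calls for can be sketched in application code. The following is an added example, not Cloudmersive code: it bounds the size of a Base64 field before decoding it, decodes strictly, and compares the decoded bytes with the declared file type. The JSON field names (`data`, `contentType`), the 1 MiB limit and the allow-list are assumptions made for illustration.

```python
import base64
import binascii
import json

MAX_DECODED_BYTES = 1024 * 1024  # assumed per-field limit (1 MiB)

# Leading "magic" bytes of the file types this hypothetical endpoint accepts.
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "application/pdf": b"%PDF-",
}


def check_embedded_file(body, data_key="data", type_key="contentType"):
    """Return the decoded file bytes, or raise ValueError if the field is unsafe.

    The HTTP layer is assumed to have capped the total request body size already.
    """
    doc = json.loads(body)  # malformed JSON raises a ValueError subclass
    if not isinstance(doc, dict):
        raise ValueError("expected a JSON object")
    encoded, declared = doc.get(data_key), doc.get(type_key)
    if not isinstance(encoded, str) or declared not in MAGIC:
        raise ValueError("missing field or content type not on the allow-list")

    # Base64 emits 4 characters per 3 bytes, so the decoded size can be
    # bounded from the string length before a decode buffer is allocated.
    if len(encoded) > 4 * ((MAX_DECODED_BYTES + 2) // 3):
        raise ValueError("encoded field exceeds size limit")

    try:
        # validate=True rejects characters outside the Base64 alphabet
        # instead of silently discarding them.
        raw = base64.b64decode(encoded, validate=True)
    except binascii.Error as exc:
        raise ValueError("field is not strict Base64") from exc

    if len(raw) > MAX_DECODED_BYTES:
        raise ValueError("decoded file exceeds size limit")
    if not raw.startswith(MAGIC[declared]):
        raise ValueError("decoded bytes do not match declared content type")
    return raw
```

A magic-byte match is only a consistency check on the declared type; the bytes it returns still need malware scanning and content verification before anything opens or stores them.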
Cloudmersive Protection for HTTP Requests
Cloudmersive Shield (Virus Scanning Reverse-Proxy Server) and Cloudmersive Virus Scanning ICAP servers can be deployed to protect applications against malicious HTTP requests containing insecure binary file data and other threats. Both solutions require zero code changes, and both make requests to the Cloudmersive Virus Scan API for malware scanning and in-depth content verification with custom threat rules.
Cloudmersive Shield can be deployed in front of any web application(s) to automatically detect and block malicious file uploads at the network edge, while the Cloudmersive Virus Scanning ICAP Server can be deployed between the WAF (or Load Balancer) and the web applications it protects.
Both solutions will scan binary data in JSON and XML requests as well as HTTP file uploads (i.e., multipart/form-data).
For more information on Cloudmersive Shield and Virus Scanning ICAP Servers, please feel free to reach out to a member of our sales team.