Talk

Parsing JSON is a Minefield

conf 2017-11-16 11:30 – 12:30 FR


JSON is the de facto standard when it comes to (un)serialising and exchanging data in web and mobile applications. But how well do you really know JSON? I closely examined the JSON specifications, wrote a corpus of test cases and tested various libraries against them. It turns out that JSON is not an easy and harmless format as many believe. Indeed, I did not find two libraries that exhibit the very same behaviour. Moreover, I found that edge cases and maliciously crafted payloads can cause bugs, crashes and denial of service, including a stack overflow in SQLite. This is because JSON libraries rely on specifications that have evolved over time and that left many details loosely specified or not specified at all. This talk shows how to find bugs by reading RFCs and raises awareness about the risks of simple specifications.
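The following is an added example illustrating the two points of the abstract; it is not the speaker's corpus or code. It feeds a handful of constructed edge-case documents (trailing comma, leading zero, NaN, an overflowing exponent, a lone surrogate, duplicate keys, a raw control character, trailing garbage, and 100,000 nested arrays) to CPython's standard `json` module and classifies each outcome as a clean rejection, an acceptance, or an uncontrolled failure such as a `RecursionError`. It then shows one mitigation for the deep-nesting class: a non-recursive pre-scan of bracket depth (an assumed design, not something the talk prescribes) that turns a stack-exhausting payload into an ordinary `ValueError` before the recursive decoder ever sees it.

```python
"""Edge-case probing of a JSON parser, plus a nesting-depth guard.

Added example, not from the talk.  Only the standard-library json module
is used.  The documents in EDGE_CASES are constructed here to stand in for
the kinds of inputs a parser test corpus would contain.
"""
import json

# Constructed inputs.  Which of these a given library accepts, rejects or
# chokes on is exactly the behaviour that differs between implementations.
EDGE_CASES = {
    "trailing_comma":   "[1,]",
    "leading_zero":     "01",
    "nan_literal":      "NaN",
    "huge_exponent":    "1e400",
    "lone_surrogate":   '"\\ud800"',      # the 8-byte document "\ud800"
    "dup_keys":         '{"a": 1, "a": 2}',
    "raw_control_char": '"\x01"',         # unescaped U+0001 inside a string
    "trailing_garbage": "[1] x",
    "deep_nesting":     "[" * 100_000,    # unbalanced on purpose
}


def probe(parser, doc):
    """Classify how `parser` handles `doc`: 'accept', 'reject' or 'crash'.

    A clean rejection is a ValueError (json.JSONDecodeError is a subclass).
    Any other exception escaping the parser, e.g. RecursionError or
    MemoryError, is an uncontrolled failure: the parser did not decide the
    input was bad, it simply gave up.  In a native library the same class
    of input is where stack overflows and segfaults live.
    """
    try:
        parser(doc)
        return "accept"
    except ValueError:
        return "reject"
    except Exception:
        return "crash"


def probe_all(parser, cases=EDGE_CASES):
    """Run every case through `parser` and return {name: verdict}."""
    return {name: probe(parser, doc) for name, doc in cases.items()}


def nesting_depth(text):
    """Maximum bracket nesting depth, ignoring brackets inside strings.

    Linear scan with no recursion, so it is safe to run on untrusted input
    of any depth before the real parser is invoked.
    """
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
    return max_depth


def safe_loads(text, max_depth=64):
    """json.loads with an explicit nesting limit (assumed default of 64).

    Over-deep documents are rejected with a ValueError before they reach
    the recursive decoder, so a crafted payload cannot exhaust the stack.
    """
    depth = nesting_depth(text)
    if depth > max_depth:
        raise ValueError(f"nesting depth {depth} exceeds limit {max_depth}")
    return json.loads(text)


if __name__ == "__main__":
    for name, verdict in probe_all(json.loads).items():
        print(f"{name:18s} {verdict}")
    # The same payload through the guarded loader is a rejection, not a crash.
    print("deep_nesting via safe_loads:", probe(safe_loads, EDGE_CASES["deep_nesting"]))
```

Swapping `json.loads` for another library's entry point (or a thin wrapper around a native parser) is how the "no two libraries agree" observation becomes a table: the same `EDGE_CASES` dictionary produces a different accept/reject/crash column per implementation. Note that CPython's module accepts `NaN`, `1e400` (as infinity) and a lone surrogate by default, all of which RFC 8259 leaves either forbidden or unaddressed.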

Download slides (PDF)