JSON-RPC Security Checker
Identify security vulnerabilities and best practice violations in your JSON-RPC implementation.
JSON-RPC Security Checker Guide
Learn how to use this tool to identify security vulnerabilities in your JSON-RPC server code.
1. Paste Your Code: enter your JSON-RPC server implementation code into the text area, or use one of the provided examples.
2. Select Check Options: choose which security aspects to check: injection vulnerabilities, authentication issues, and/or JSON-RPC best practices.
3. Run the Check: click the "Check Security" button to analyze your code for potential security issues.
4. Review Results: examine the detailed report to understand potential vulnerabilities, their severity, and how to fix them.
Security Checks Information
Injection Vulnerabilities
Injection vulnerabilities occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
Check | Description | Remediation |
---|---|---|
Code Injection | Using eval() or Function() with user input can allow attackers to execute arbitrary code. | Avoid using eval() with user input. Use safer alternatives like JSON.parse() for JSON data. |
NoSQL Injection | Using operators like $where in MongoDB queries with user input can lead to NoSQL injection attacks. | Avoid using $where operator with user input. Use specific query operators and validate input. |
Command Injection | Executing shell commands with user input can lead to command injection vulnerabilities. | Never use user input in shell commands. If necessary, use strict input validation and command arguments instead of string concatenation. |
Parameter Validation | Using RPC parameters without validation can lead to various injection attacks. | Add input validation for all user-provided parameters before using them. |
Authentication and Access Control
Authentication vulnerabilities occur when the system fails to properly verify user identity or control access to resources. This can lead to unauthorized access to sensitive functions or data.
Check | Description | Remediation |
---|---|---|
Missing Authentication | JSON-RPC methods that expose sensitive functions or data must verify the caller's identity; without a check, any client that can reach the endpoint can invoke them. | Implement authentication for JSON-RPC methods (for example, validate a session or bearer token before dispatching the call) so that only authorized users can access them. |
Hardcoded Credentials | Hardcoded credentials in source code are a serious security risk, as they can be discovered through code access. | Remove hardcoded credentials and use environment variables or a secure credential store instead. |
Token Validation | Authentication tokens must be properly validated before being trusted. | Ensure all tokens are properly validated before being trusted, including signature and expiration checks. |
JSON-RPC Best Practices
Following JSON-RPC best practices ensures proper implementation, error handling, and security of your API.
Check | Description | Remediation |
---|---|---|
JSON-RPC Version | JSON-RPC 2.0 requires the "jsonrpc" field set to "2.0" in all messages. | Add "jsonrpc": "2.0" to all JSON-RPC 2.0 messages. |
Error Handling | Exceptions thrown while handling a request must be caught and converted into JSON-RPC error objects; otherwise the server may crash or return a malformed or information-leaking response. | Wrap request handling in try/catch blocks and return appropriate JSON-RPC error objects rather than raw exception details. |
Standard Error Codes | Standard JSON-RPC error codes should be used for common error scenarios. | Use standard JSON-RPC error codes (-32700 to -32603) for predefined error scenarios. |
Logging | Proper logging is important for debugging and security auditing. | Implement appropriate logging for RPC calls, errors, and security events. |
Concurrency Control | Database operations without proper concurrency controls can lead to race conditions. | Implement appropriate concurrency controls such as transactions or locks for database operations. |
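The following is an added example, not code from the checker tool or any project it analyzes: a minimal Node.js JSON-RPC 2.0 dispatcher that applies the parameter-validation, authentication, version, error-handling and standard-error-code checks from the tables above. The method registry, the token store and the sample requests are assumptions for illustration.

```javascript
// Added example (not part of the checker tool). Standard JSON-RPC 2.0 error
// codes from the spec; -32000 to -32099 are reserved for server-defined errors.
const ERR = { PARSE: -32700, INVALID_REQUEST: -32600, METHOD_NOT_FOUND: -32601,
              INVALID_PARAMS: -32602, INTERNAL: -32603, UNAUTHORIZED: -32001 };

// Hypothetical session store. Real code would verify a signed token's
// signature and expiry ("Token Validation" above) instead of a set lookup.
const VALID_TOKENS = new Set(["session-abc"]);

// Method registry: each entry declares its parameter schema (name -> typeof)
// and whether it needs authentication, so params are validated before use.
const METHODS = {
  getUser: { auth: true, params: { id: "number" },
             run: (p) => ({ id: p.id, name: `user${p.id}` }) },
  ping:    { auth: false, params: {}, run: () => "pong" },
};

function reply(id, body) { return { jsonrpc: "2.0", id: id ?? null, ...body }; }
function fail(id, code, message) { return reply(id, { error: { code, message } }); }

// Allowlist validation: every declared key present with the declared type,
// and no unknown keys, so raw client objects never flow into queries.
function validateParams(schema, params) {
  if (typeof params !== "object" || params === null || Array.isArray(params)) return false;
  return Object.keys(params).every((k) => k in schema && typeof params[k] === schema[k]) &&
         Object.keys(schema).every((k) => k in params);
}

// Handle one raw request body plus the caller's bearer token; always returns
// a well-formed JSON-RPC 2.0 response object.
function handle(raw, token) {
  let req;
  try { req = JSON.parse(raw); } catch { return fail(null, ERR.PARSE, "Parse error"); }
  if (req?.jsonrpc !== "2.0" || typeof req.method !== "string")
    return fail(req?.id, ERR.INVALID_REQUEST, "Invalid Request");
  // hasOwnProperty stops "constructor" / "__proto__" resolving via the prototype.
  const m = Object.prototype.hasOwnProperty.call(METHODS, req.method) ? METHODS[req.method] : null;
  if (!m) return fail(req.id, ERR.METHOD_NOT_FOUND, "Method not found");
  if (m.auth && !VALID_TOKENS.has(token)) return fail(req.id, ERR.UNAUTHORIZED, "Unauthorized");
  const params = req.params ?? {};
  if (!validateParams(m.params, params)) return fail(req.id, ERR.INVALID_PARAMS, "Invalid params");
  try {
    return reply(req.id, { result: m.run(params) });
  } catch (e) {
    console.error("rpc failure", req.method, e); // detail stays in server logs
    return fail(req.id, ERR.INTERNAL, "Internal error"); // no stack trace to the client
  }
}
```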