This repository has been archived by the owner on Oct 21, 2022. It is now read-only.

Json Parser Errors shown on screen. #13

Open
sveeke opened this issue Jun 18, 2018 · 1 comment
Labels
bug-security risk-low Security issues with a low impact

sveeke commented Jun 18, 2018

A Json Parser error message is shown in the case there is an issue with the Json output.

sveeke added the risk-low (Security issues with a low impact) label Jun 18, 2018
sveeke added this to the Pilot 2018 milestone Jun 18, 2018
sveeke commented Jun 18, 2018

threatLevel="Low" type="Insufficiently Hardened Server"

A Json Parser error message is shown in the case there is an issue with the Json output.

Example:

PUT /v1/earner/collections/xP6vOSUFR76VgjzBGpesUA?json_format=plain HTTP/1.1
Host: badgr-dev2.edubadges.nl
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Token 5a29a471f3b21be11928361f5c42aeabf0c5cd8f
Content-Type: application/json
Referer: https://surf-dev2.edubadges.nl/recipient/badge-collections/collection/xP6vOSUFR76VgjzBGpesUA
Content-Length: 165
Origin: https://surf-dev2.edubadges.nl
Connection: close
Cookie: sessionid=lq3ojl1mw3pt1ls5zox0kyvqy9u8kgpy

{"name":"Blaat","slug":"xP6vOSUFR76VgjzBGpesUA","description":"test","share_hash":"","share_url":"","badges":[],"published":false}'(select*from(select(sleep(20)))a)'

HTTP/1.1 400 Bad Request
Server: nginx/1.12.2
Date: Thu, 07 Jun 2018 03:22:50 GMT
Content-Type: application/json
Connection: close
Vary: Accept, Authorization, Cookie
X-Frame-Options: ALLOW-FROM HTTP://CANVAS.EDUBADGES.NL/, HTTPS://CANVAS.EDUBADGES.NL
Access-Control-Allow-Origin: *
Allow: GET, PUT, DELETE, HEAD, OPTIONS
Content-Length: 98

{"detail":"JSON parse error - Extra data: line 1 column 131 - line 1 column 166 (char 130 - 165)"}

Impact:
This could assist an attacker to know more about how the application works.

Recommendation:
Implement proper JSON error handling and hide the output of JSON parse errors.
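
The recommendation above, sketched as an added example that is not part of the original issue or the project's code: the reported behaviour (parser text echoed in `detail`) beside a handler that returns a fixed message and keeps the parser text in the server log. The function names, logger name, `error_id` field and sample bodies are assumptions made for illustration.

```python
import json
import logging
import uuid

log = logging.getLogger("api.parse")  # hypothetical logger name
GENERIC_DETAIL = "Malformed JSON request body."  # fixed client-facing text


def leaky_response(raw: bytes):
    """Behaviour reported in the issue: parser text is echoed to the client."""
    try:
        json.loads(raw.decode("utf-8"))
    except ValueError as exc:  # covers JSONDecodeError and UnicodeDecodeError
        return 400, json.dumps({"detail": "JSON parse error - %s" % exc})
    return 200, json.dumps({"detail": "ok"})


def hardened_response(raw: bytes):
    """Same check, but the parser text goes to the server log only."""
    try:
        json.loads(raw.decode("utf-8"))
    except ValueError as exc:
        error_id = uuid.uuid4().hex  # lets an operator find the log entry
        log.warning("JSON parse error id=%s: %s", error_id, exc)
        return 400, json.dumps({"detail": GENERIC_DETAIL, "error_id": error_id})
    return 200, json.dumps({"detail": "ok"})


# Constructed sample bodies: a valid object, and the same object with trailing bytes.
SAMPLE_OK = b'{"name":"Blaat","published":false}'
SAMPLE_BAD = SAMPLE_OK + b"TRAILING"

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for handler in (leaky_response, hardened_response):
        print(handler.__name__, handler(SAMPLE_BAD))
```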
