We’ve talked about JSON files here, where we discussed what a JSON file is and how it works. A JSON document is simply a string used to store and transmit data between a server and a client. JSON is widely used in web applications, which is why it is a target for malicious activity.
JSON injection is where an attacker injects malicious data into JSON streams, or uses malicious JSON streams to modify an application’s behavior. JSON injection can happen on both the server side and the client side. Server-side injection happens when data from an untrusted source is not sanitized before being written to the JSON stream, while client-side injection occurs when data from an untrusted source is not sanitized and is parsed directly using the JavaScript eval function. This can cause privilege escalation and may ultimately lead to full system compromise. The best way to prevent injection is to sanitize user input and avoid using the eval function.
A simple example of server-side JSON injection is where the attacker sends the application’s back end extra data. For example, supplying the account type “regular user” as well as the account type “privileged user” in a single string tricks the server into accepting the last account type instead of the first, leaving the user with higher privileges than it is allowed to have, without proper authentication.
First, we have the regular JSON string, seen below.
// Vulnerable: raw $_GET values are concatenated straight into the JSON text, so quotes in the input become JSON syntax.
$json_string = '{"accountType":"regular user","userName":"'.$_GET['userName'].'","pass":"'.$_GET['pass'].'"}';
Then we have the data appended by a malicious attacker and sent to the back end without sanitization (URL-encoded, as it arrives in the request).
bob%22,%22accountType%22:%22administrator%22
This is what gets stored by the back end, which gives the attacker administrative privileges.
{ "accountType":"regular user", "userName":"bob", "accountType":"privileged user", "pass":"password" }
A simple client-side injection can be performed when the client receives JSON and parses it using the eval function. eval executes whatever code is in the string, without sanitization, such as the alert call seen below. This malicious string results in a cross-site scripting attack.
user"});alert(document.cookie);({"accountType":"user
There are multiple ways to sanitize data; on the client side, simply avoid eval to prevent these attacks.
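The following is an added example, not code from the original post: it rebuilds the server-side record from the post two ways (string concatenation, as in the PHP line, and a real serializer), feeds in the post’s duplicate-key payload, and shows why a strict JSON parser is the client-side fix. The helper names are hypothetical and the inputs are constructed.

```javascript
// Added example: the duplicate-key trick from the post, built unsafely and safely,
// plus what a strict JSON parser does with the eval payload.

// Vulnerable: untrusted fields are concatenated straight into the JSON text,
// mirroring the PHP string in the post (hypothetical helper name).
function buildRecordUnsafe(userName, pass) {
  return '{"accountType":"regular user","userName":"' + userName +
         '","pass":"' + pass + '"}';
}

// Fixed: let the serializer quote and escape every value, so the attacker's
// quotes stay inside the string value instead of becoming new JSON syntax.
function buildRecordSafe(userName, pass) {
  return JSON.stringify({ accountType: 'regular user', userName: userName, pass: pass });
}

// Constructed attacker input: the post's payload, URL-decoded (%22 -> ").
const INJECTED_NAME = decodeURIComponent('bob%22,%22accountType%22:%22administrator');

// JSON.parse (like most parsers) keeps the LAST duplicate key, which is exactly
// how the injected accountType overrides the legitimate one on the server side.
function storedAccountType(jsonText) {
  return JSON.parse(jsonText).accountType;
}

// Client side: the full JSON text a server would emit with the post's eval payload
// in the accountType field. A strict parser rejects it because the injected
// ");alert(...);(" is not JSON, whereas eval() would happily execute it.
const EVAL_PAYLOAD = '{"accountType":"user"});alert(document.cookie);({"accountType":"user"}';

function parsesAsJson(text) {
  try { JSON.parse(text); return true; } catch (e) { return false; }
}

console.log(storedAccountType(buildRecordUnsafe(INJECTED_NAME, 'password'))); // administrator
console.log(storedAccountType(buildRecordSafe(INJECTED_NAME, 'password')));   // regular user
console.log(parsesAsJson(EVAL_PAYLOAD));                                      // false
```

Run it with Node; the unsafe builder stores the attacker's role, the serializer keeps the injected quotes inside the userName value, and JSON.parse refuses the client-side payload outright.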