
JSON Injection

Written by Sagiv Michael on


Introduction

In today’s digital world, JSON (JavaScript Object Notation) has emerged as the go-to format for data interchange due to its simplicity, readability, and compatibility with numerous programming languages. This article explores the concept of JSON Injection, its potential impact on application security, and effective mitigation strategies to safeguard your systems.

Understanding JSON

JSON is a lightweight data interchange format used for communication between applications. Its syntax is derived from JavaScript object literals, and compared with XML tags it gives a more compact, human-readable representation that is faster to parse.

Many web applications use this format to communicate and serialize/deserialize data. Some web applications also use JSON to store important information, such as user data. JSON is commonly used in RESTful APIs and AJAX applications.

Explanation of The Attack

JSON injection attack allows an attacker to inject malicious data into JSON streams or use malicious JSON streams to modify application behavior. There are two types of JSON Injection attacks:

  • Server-side JSON injection occurs when data from an untrusted source is not sanitized by the server and is written directly to a JSON stream.
  • Client-side JSON injection occurs when data from an untrusted JSON source is not sanitized and is parsed directly using the JavaScript eval function.

Server-Side JSON Injection Attack Demonstration

An instance of a simple server-side JSON injection attack could be performed in a PHP web application, for example, through the following steps:

  1. The server stores user data as a JSON string, including the account type.
  2. User name and password values are taken directly from input parameters without validation or sanitization.
  3. The JSON string is built using simple concatenation:

// Untrusted GET parameters are spliced straight into the JSON text
$json_string = '{"accountType":"user","userName":"'.$_GET['userName'].'","pass":"'.$_GET['pass'].'"}';

  4. An attacker sends a request and appends data to the user name entered into the input form. This data reaches the back-end unsanitized:

john","accountType":"administrator

  5. When reading the stored string, the JSON parser (json_decode) encounters two accountType entries and accepts the last one, granting John administrator privileges without authentication.

{ "accountType":"user", "userName":"john", "accountType":"administrator", "pass":"password" }

Client-Side JSON Injection Attack Demonstration

In the following example, we will demonstrate a simple client-side JSON injection attack execution:

  1. The initial JSON string is the same as in the previous example.

$json_string = '{"accountType":"user","userName":"'.$_GET['userName'].'","pass":"'.$_GET['pass'].'"}';

  2. The server receives the following value in the userName parameter and does not sanitize it:

user"});alert(document.cookie);({"accountType":"user

  3. The client parses the JSON string using the eval function in JavaScript:

// eval() runs the string as JavaScript, so anything injected into it executes
var result = eval("(" + json_string + ")");
document.getElementById("accountType").innerText = result.accountType;
document.getElementById("userName").innerText = result.userName;
document.getElementById("pass").innerText = result.pass;

  4. The eval function executes the injected alert call.
  5. Parsing the malicious string therefore results in theft of the session cookie.

Mitigation

If you have encountered any of the above scenarios, follow the instructions below, provided by Clear Gate, for immediate mitigation and to prevent further JSON Injection attacks:

  • Sanitize all data before converting it to JSON format. An example of an effective method for sanitizing JSON data in a Java-based backend is to use the OWASP JSON Sanitizer, which is found on GitHub. However, an even more robust approach is to avoid manually writing JSON data and instead rely on framework functions that include built-in sanitization mechanisms.
  • Avoid using the eval function to evaluate JSON data. The eval function can execute any JavaScript code contained within untrusted data. Instead, it’s advisable to use the JSON.parse function to parse JSON data, eliminating the risk of executing arbitrary code.
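As an added example (not code from the article or from Clear Gate), the server-side concatenation bug rebuilt in Node.js beside the two mitigations above: serializer-built JSON and JSON.parse with a post-parse shape check. The function names, the account-type allow-list and the sample inputs are constructed for this illustration.

```javascript
// Constructed example: the article's concatenation bug rebuilt in Node.js, beside
// the hardened build (JSON.stringify) and a JSON.parse-based reader with validation.

// Vulnerable: untrusted input is spliced into the JSON text, so a value containing
// a quote can terminate the string and add keys of the attacker's choosing.
function buildUserJsonUnsafe(userName, pass) {
  return '{"accountType":"user","userName":"' + userName + '","pass":"' + pass + '"}';
}

// Hardened: let the serializer encode the values. JSON.stringify escapes quotes,
// backslashes and control characters, so input can only ever become a string value.
function buildUserJsonSafe(userName, pass) {
  return JSON.stringify({ accountType: "user", userName: userName, pass: pass });
}

// Reader side: JSON.parse instead of eval, then a strict shape check. Note that
// JSON.parse, like PHP's json_decode, silently keeps the LAST duplicate key, so a
// record injected at build time still passes this check; validation here stops
// script execution and malformed input, it cannot undo a bad serializer.
const ALLOWED_ACCOUNT_TYPES = new Set(["user", "administrator"]); // constructed allow-list
const EXPECTED_KEYS = ["accountType", "pass", "userName"];         // kept sorted

function parseUserRecord(jsonText) {
  let obj;
  try {
    obj = JSON.parse(jsonText); // throws on anything that is not pure JSON
  } catch (e) {
    return null;
  }
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) return null;
  if (Object.keys(obj).sort().join(",") !== EXPECTED_KEYS.join(",")) return null;
  if (!EXPECTED_KEYS.every((k) => typeof obj[k] === "string")) return null;
  if (!ALLOWED_ACCOUNT_TYPES.has(obj.accountType)) return null;
  return obj;
}

// Constructed inputs taken from the two walkthroughs above.
const SERVER_PAYLOAD = 'john","accountType":"administrator';
const CLIENT_PAYLOAD = 'user"});alert(document.cookie);({"accountType":"user';

// Returns what each build yields for the server-side payload: the unsafe build is
// escalated to administrator, the safe build keeps the payload as a plain user name.
function demo() {
  return {
    unsafe: parseUserRecord(buildUserJsonUnsafe(SERVER_PAYLOAD, "password")),
    safe: parseUserRecord(buildUserJsonSafe(SERVER_PAYLOAD, "password")),
  };
}
```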

Conclusion

JSON Injection poses a significant threat to application security, potentially leading to data breaches, unauthorized access, or compromised functionality. Organizations must prioritize implementing robust mitigation strategies to safeguard their applications. 

Organizations can proactively protect their applications and sensitive data by leveraging Clear Gate’s expertise in JSON Injection vulnerability identification and mitigation. Clear Gate’s comprehensive cybersecurity services, including code review, penetration testing, and security audits, offer a reliable defense against JSON Injection and other critical vulnerabilities.
