What is JSON Hijacking Vulnerability?

What Is JSON?

JSON (JavaScript Object Notation) is a lightweight data-interchange format that programs use to exchange structured data. It is comparable to XML but simpler and easier to process from JavaScript.

Many web applications use this format to communicate with one another and to serialize and deserialize data. Some web applications also use JSON to store sensitive information, such as user records. JSON is the dominant data format in RESTful APIs and AJAX applications.

JSON injection is a term that covers two distinct classes of security issue:

  • Server-side JSON injection occurs when data from an untrusted source is neither sanitized nor properly encoded by the server and is written straight into a JSON stream.
  • Client-side JSON injection occurs when data from an untrusted JSON source is parsed directly with the JavaScript eval function instead of a real JSON parser.

JSON Injection Attack Example

A simple server-side JSON injection could be performed against PHP code like the following:

  1. The server stores user information as a JSON string that includes the account type.
  2. The username and password are taken straight from user input and are not sanitized.
  3. The JSON string is built by simple concatenation: $json_string = '{"account":"user","user":"'.$_GET['username'].'","pass":"'.$_GET['password'].'"}';
  4. A malicious user appends JSON syntax to their username: john%22,%22account%22:%22administrator%22 (URL-decoded: john","account":"administrator)
  5. The resulting JSON string is: {"account":"user","user":"john","account":"administrator","pass":"password"}
  6. When the stored string is read back, the JSON parser (json_decode) encounters two account entries and keeps the last one, granting john administrator privileges. This behavior of json_decode is not a bug: RFC 7159 states that "the names within an object SHOULD be unique" (not MUST), leaving the handling of duplicates to each parser. Some parsers keep the first value, some the last, and some reject the document, so the same string can mean different things to two components of one system.
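The same walkthrough, reproduced in Node.js as an added example (this is not code from the original page): the vulnerable string-concatenation builder beside a hardened builder that uses JSON.stringify, with the article's attacker username as constructed input. The loadRecord helper stands in for the server reading the stored record back and is an assumption of this example.

```javascript
// Added example (not from the original page): the server-side injection from
// the PHP walkthrough above, reproduced in Node.js so the vulnerable and the
// hardened record builders can be run side by side.

// Vulnerable: the record is built by string concatenation, exactly like the
// PHP `$json_string`. Untrusted input lands inside the JSON syntax unescaped,
// so a double quote in the username closes the string and the rest of the
// input becomes JSON structure chosen by the attacker.
function buildRecordUnsafe(username, password) {
  return '{"account":"user","user":"' + username + '","pass":"' + password + '"}';
}

// Hardened: the serializer produces the JSON. JSON.stringify escapes quotes,
// backslashes and control characters, so input can neither close the string it
// sits in nor add keys of its own. (PHP's json_encode does the same job.)
function buildRecordSafe(username, password) {
  return JSON.stringify({ account: 'user', user: username, pass: password });
}

// Simulates the server reading the stored record back. JSON.parse, like PHP's
// json_decode, keeps the LAST value of a duplicated key; other parsers keep the
// first or reject the document, which is why duplicate keys are never safe.
function loadRecord(jsonString) {
  return JSON.parse(jsonString);
}

// Constructed attacker input: the URL-decoded form of the article's
// john%22,%22account%22:%22administrator%22
const maliciousUsername = 'john","account":"administrator';
const password = 'password';

const unsafeJson = buildRecordUnsafe(maliciousUsername, password);
console.log(unsafeJson);
// {"account":"user","user":"john","account":"administrator","pass":"password"}
console.log(loadRecord(unsafeJson).account);   // administrator  <- privilege escalation

const safeJson = buildRecordSafe(maliciousUsername, password);
console.log(safeJson);
// {"account":"user","user":"john\",\"account\":\"administrator","pass":"password"}
console.log(loadRecord(safeJson).account);     // user
console.log(loadRecord(safeJson).user);        // john","account":"administrator  (kept as data)
```

Run it with `node` and compare the two printed strings: in the hardened output the attacker's quotes are escaped, so the whole payload is stored as the value of `user` and `account` stays `user`.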

The following is an example of a basic client-side JSON injection:

  1. The JSON string has the same shape as in the example above.
  2. The client receives the JSON string from an untrusted source.
  3. The client parses the JSON string with eval: var result = eval("(" + json_string + ")"); document.getElementById("account").innerText = result.account; document.getElementById("user").innerText = result.user; document.getElementById("pass").innerText = result.pass;
  4. The account value inside the string is: user"});alert(document.cookie);({"account":"user
  5. Wrapped in parentheses and passed to eval, the string is no longer a single object literal but three statements, and the middle one is attacker-controlled JavaScript, so eval executes the alert.
  6. Parsing therefore results in a Cross-site Scripting (XSS) attack (document.cookie is disclosed).

Preventing JSON Injection

As with most injection issues, the key to preventing JSON injection is to never assemble JSON from raw data: encode or sanitize untrusted input and let a serializer produce the output. This applies to both server-side and client-side JSON injection.

To avoid server-side JSON injection, build JSON with a proper serializer (json_encode in PHP, JSON.stringify in JavaScript), which escapes quotes, backslashes and control characters, instead of concatenating strings; sanitize any data that must be accepted as JSON before it is serialized or stored. For example, if you use Java, the OWASP JSON Sanitizer is a suitable option for sanitizing JSON data.

The easiest way to avoid client-side JSON injection is to never evaluate JSON data with the eval function: if untrusted data contains JavaScript code, eval will execute it. Use JSON.parse instead, which accepts only valid JSON and throws a SyntaxError on anything else. You can also deploy a Content Security Policy: a script-src directive that does not include 'unsafe-eval' blocks eval (as well as new Function and string arguments to setTimeout and setInterval), which limits the damage if an eval call slips through.
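As an added example (not code from the original page), the client-side walkthrough above and the JSON.parse advice in this section, run together under Node.js: the eval parser executes the article's payload, while the hardened parser rejects the same string before anything can run. Node has no `alert` or `document`, so both are stubbed here, the cookie value is constructed, and the parseRecord field check is an assumption of this example rather than something the page prescribes.

```javascript
// Added example (not from the original page): the client-side injection from
// the eval() walkthrough, run under Node.js. The browser globals `alert` and
// `document` do not exist in Node, so they are stubbed here (an assumption of
// this example) to record what the injected code manages to execute.
const executed = [];
globalThis.document = { cookie: 'session=abc123' };      // constructed stand-in
globalThis.alert = (msg) => { executed.push(String(msg)); };

// Vulnerable parser from the article: eval runs whatever the string contains.
function parseWithEval(jsonString) {
  return eval('(' + jsonString + ')');
}

// Hardened parser: JSON.parse accepts only JSON. The ");alert(...);({" tail of
// the payload is not JSON, so parsing fails with a SyntaxError and nothing runs.
// The shape check afterwards is a second guard: even well-formed JSON must carry
// exactly the fields the client expects, as strings.
function parseRecord(jsonString) {
  const obj = JSON.parse(jsonString);
  for (const key of ['account', 'user', 'pass']) {
    if (typeof obj[key] !== 'string') {
      throw new TypeError('missing or non-string field: ' + key);
    }
  }
  return obj;
}

// Constructed record in which the server placed the attacker's account value
// (taken from the article) into the JSON without escaping it.
const injectedAccount = 'user"});alert(document.cookie);({"account":"user';
const tamperedJson = '{"account":"' + injectedAccount + '","user":"john","pass":"secret"}';

// Returns what eval produced and what the payload got to run.
function runEvalDemo() {
  executed.length = 0;
  const result = parseWithEval(tamperedJson);
  return { account: result.account, user: result.user, executed: executed.slice() };
}

// Returns the name of the error JSON.parse raised for the same string (null if
// it was accepted) and confirms that the payload never executed.
function runSafeDemo() {
  executed.length = 0;
  let rejected = null;
  try {
    parseRecord(tamperedJson);
  } catch (err) {
    rejected = err.name;
  }
  return { rejected, executed: executed.slice() };
}

console.log(runEvalDemo());
// { account: 'user', user: 'john', executed: [ 'session=abc123' ] }  <- cookie leaked
console.log(runSafeDemo());
// { rejected: 'SyntaxError', executed: [] }
```

Note what each guard buys you: JSON.parse removes the code-execution path on the client, and the field check catches well-formed JSON that carries unexpected types; neither repairs a server that already wrote a duplicated `account` key into the record, which is the server-side problem addressed separately above.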

The ZOFixer.com security scan helps find this vulnerability in your software and servers; you can use it by registering on our website and activating the 30-day trial.
