The term JSON injection may be used to describe two primary types of security issues:
- Server-side JSON injection happens when data from an untrusted source is not sanitized by the server and written directly to a JSON stream.
- Client-side JSON injection happens when data from an untrusted JSON source is not sanitized and parsed directly using the JavaScript
evalfunction.
What Is JSON
JSON (JavaScript Object Notation) is a lightweight data interchange format used to communicate between applications. It is similar to XML but simpler and better suited to be processed by JavaScript.
Many web applications use this format to communicate between themselves and serialize/deserialize data. Some web applications also use JSON to store important information, for example, user data. JSON is commonly used in RESTful APIs and AJAX applications.
Examples of JSON Injection Attacks
A simple server-side JSON injection could be performed in PHP as follows:
- The server stores user data as a JSON string including the account type
- User and password are taken directly from user input without sanitization
- The JSON string is formed using simple concatenation:
$json_string = '{"account":"user","user":"'.$_GET['user'].'","pass":"'.$_GET['pass'].'"}'; - A malicious user appends data to their user name:
john%22,%22account%22:%22administrator%22 - The resultant JSON string is:
{ "account":"user", "user":"john", "account":"administrator", "pass":"password"} - When reading the stored string, the JSON parser (
json_decode) encounters twoaccountentries and takes the last one, granting john administrator privileges. Note that the behavior ofjson_decodeis not incorrect – RFC-7159 states that “the names within an object SHOULD be unique” (not MUST), leaving the door open to interpretation.
A simple client-side JSON injection could be performed as follows:
- The JSON string is the same as in the above example
- The server gets the JSON string from an untrusted source
- The client parses the JSON string using
eval:var result = eval("(" + json_string + ")");document.getElementById("#account").innerText = result.account;document.getElementById("#user").innerText = result.name; document.getElementById("#pass").innerText = result.pass; - The
accountvalue is:user"});alert(document.cookie);({"account":"user - The eval function executes the
alert. - Parsing results in a Cross-site Scripting (XSS) attack (
document.cookieis disclosed).
JSON Injection vs. JSON Hijacking
While JSON hijacking (a subset of Cross-site Script Inclusion – XSSI) also relates to the JSON notation, it is a slightly different attack, in some ways similar to Cross-site Request Forgery (CSRF). In the case of JSON hijacking, the attacker aims to intercept JSON data sent to the web application from the web server.
- The attacker creates a malicious website and embeds a
scripttag in its code that attempts to access JSON data from the attacked web application. - The user, who is logged into the attacked web application, is lured to visit the malicious website (usually using social engineering).
- Since the Same-Origin Policy (SOP) allows JavaScript from any website to be included and executed in the context of any other website, the user accesses the JSON data.
- The malicious website hijacks the JSON data.
JSON Injection Prevention
As with most injection vulnerabilities, the key to maintaining web application security and preventing JSON injections is to sanitize data. This applies to both server-side and client-side JSON injections.
To prevent server-side JSON injections, sanitize all data before serializing it to JSON. For example, if you use Java, a good option to sanitize JSON data is to use the OWASP JSON Sanitizer.
The best method to prevent client-side JSON injections is never to use the eval function to evaluate JSON data. If you use the eval function and the untrusted data contains JavaScript code, that code will be executed. To avoid this, use JSON.parse. You can also enforce Content Security Policy, which by default prevents the use of eval.
Frequently asked questions
The term JSON injection may be used to describe two primary types of security issues. Server-side JSON injection happens when data from an untrusted source is not sanitized by the server and written directly to a JSON stream. Client-side JSON injection happens when data from an untrusted JSON source is not sanitized and parsed directly using the JavaScript eval function.
Read more about other types of injection attacks.
JSON hijacking is an attack in some ways similar to cross-site request forgery (CSRF). In the case of JSON hijacking, the attacker aims to intercept JSON data sent to the web application from the web server.
Read about cross-site request forgery (CSRF) attacks.
JSON injections are not very common and not as dangerous as many other vulnerabilities but they can lead to other dangerous attacks, such as cross-site scripting (XSS).
Read more about cross-site scripting (XSS).
To prevent server-side JSON injections, sanitize all data before serializing it to JSON. The best method to prevent client-side JSON injections is never to use the eval function to evaluate JSON data. If you use the eval function and the untrusted data contains JavaScript code, that code will be executed. To avoid this, use JSON.parse. You can also enforce Content Security Policy, which by default prevents the use of eval.
Read more about general best practices for secure coding.
Get the latest content on web security
in your inbox each week.
THE AUTHOR
Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
LinkedIn
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.
