Let's walk through a vulnerable example.
Here we have a web application that displays an airline passenger's profile when their profile photo is viewed. The profile lists the travel tier of the selected user, but the profile data is poorly sanitized before it is evaluated on the client.
Upon visiting the profile data endpoint https://airlinecarrier.com/api/users/update/profiledata.json, the response is handled by the following client-side code:
var data = eval("(" + resp + ")"); // resp is the raw response body; eval() executes it as JavaScript, not just as JSON
document.getElementById("Benefits").innerText = data.Benefits; // getElementById takes a bare id, not a "#" selector
document.getElementById("Level").innerText = data.Level;
The response is read (parsed) and inserted into the page using the JavaScript eval() function, which executes any code the response contains rather than only decoding JSON.
Using this flaw, the attacker can create a Client Side Injection attack by injecting the following code:
When this argument is executed by the eval() function, the new output is as follows:
The user now has elevated their tier level for this airline.
An attacker may be able to use this flaw to perform unintended actions on behalf of another user. Because eval() runs the injected string as script, vulnerabilities like this also lead directly to other dangerous attacks, such as Cross Site Scripting (XSS).
How to fix
The most effective method of preventing JSON injection is to never pass strings that contain data from an untrusted source to a code-evaluating function such as eval(). Data arriving over the network is untrusted even when it comes from your own API.
Additionally, do not use the eval() function to evaluate JSON data. Use JSON.parse() to parse JSON response data instead: it accepts only the JSON grammar, so embedded script is a syntax error rather than code that runs. Wrap the call in a try/catch, since JSON.parse() throws on malformed input, and check that the parsed values (such as the tier level) are ones the page expects before inserting them into the DOM.
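The following is an added example, not code from the lesson, that puts the eval()-based pattern from the profile page beside a JSON.parse()-based replacement and shows the difference on a constructed malicious response. The field names Level and Benefits come from the lesson; the allowed tier values, the payload, the helper names (parseWithEval, parseProfile, render, fakeDocument, payloadExecuted) and the use of a global marker to make the payload's effect observable are all assumptions made for this demonstration.

```javascript
// Added example: vulnerable eval()-based parsing beside a JSON.parse()-based
// replacement. Tier names, payload and helper names are assumptions for this
// demonstration and are not taken from the lesson.

// Constructed benign response, as the airline's API might return it.
const benignResponse = '{"Level": "Silver", "Benefits": "Priority boarding"}';

// Constructed malicious response. It is valid JavaScript but not valid JSON:
// the "Level" value is an expression that runs when eval() sees it. Here the
// expression only records a marker so the effect can be observed; an attacker
// would place arbitrary script there.
const maliciousResponse =
  '{"Level": (globalThis.pwned = true, "Platinum"), "Benefits": "All lounges"}';

// Vulnerable: the lesson's pattern. Whatever is in resp is executed as code.
function parseWithEval(resp) {
  return eval("(" + resp + ")");
}

// Tier values the page is prepared to display (assumed list).
const ALLOWED_LEVELS = new Set(["Bronze", "Silver", "Gold", "Platinum"]);

// Hardened: JSON.parse() only understands the JSON grammar, so script in the
// response is a syntax error, not an execution. The shape check limits what
// reaches the DOM to the fields and values the page expects.
function parseProfile(resp) {
  let data;
  try {
    data = JSON.parse(resp);
  } catch (e) {
    throw new Error("profile response is not valid JSON");
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    throw new Error("profile response is not an object");
  }
  if (typeof data.Level !== "string" || !ALLOWED_LEVELS.has(data.Level)) {
    throw new Error("unexpected tier level");
  }
  if (typeof data.Benefits !== "string") {
    throw new Error("unexpected benefits field");
  }
  return { Level: data.Level, Benefits: data.Benefits };
}

// Inserts a parsed profile as text (textContent behaves like the lesson's
// innerText for this purpose), so values are never interpreted as markup.
function render(profile, doc) {
  doc.getElementById("Benefits").textContent = profile.Benefits;
  doc.getElementById("Level").textContent = profile.Level;
  return doc;
}

// Minimal stand-in for document so the example runs outside a browser.
function fakeDocument() {
  const nodes = { Benefits: { textContent: "" }, Level: { textContent: "" } };
  return { getElementById: (id) => nodes[id], nodes };
}

// Reports whether the given parser lets the malicious response run code.
function payloadExecuted(parser) {
  delete globalThis.pwned;
  try {
    parser(maliciousResponse);
  } catch (e) {
    // JSON.parse() rejects the payload; eval() does not throw on it.
  }
  return globalThis.pwned === true;
}

// Usage: the eval() path runs the payload and reports "Platinum"; the
// JSON.parse() path rejects the same response before anything reaches the DOM.
console.log("eval executed payload:", payloadExecuted(parseWithEval));
console.log("JSON.parse executed payload:", payloadExecuted(parseProfile));
console.log(render(parseProfile(benignResponse), fakeDocument()).nodes.Level.textContent);
```

Note that the allow-list in parseProfile is what stops a syntactically valid but unexpected tier value from being displayed; JSON.parse() alone only guarantees that no code runs, not that the data is sensible, so the server must still enforce which tier a user actually holds.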
You’ve learned what Client Side Injection is and how to protect your systems from it. We hope you will apply your new knowledge wisely as you code! Feel free to share this with your network. Also, make sure to check out our lessons on other common vulnerabilities.