JSON injection is a vulnerability that lets a malicious hacker inject malicious data into JSON streams or use malicious JSON streams to modify application behavior. There are two types of JSON injections, server-side and client-side:
Severity: |
![]() ![]() |
medium severity |
Prevalence: |
![]() ![]() |
discovered rarely |
Scope: |
![]() ![]() |
may appear in all apps that use JSON |
Technical impact: | privilege escalation, cross-site scripting | |
Worst-case consequences: | full system compromise | |
Quick fix: | sanitize user input, do not use the JS eval function |
JSON (JavaScript Object Notation) is a lightweight data interchange format used for communication between applications. It performs a similar role to XML but is simpler and better suited to processing in JavaScript.
Many web applications use this format to communicate and serialize/deserialize data. Some web applications also use JSON to store important information, such as user data. JSON is commonly used in RESTful APIs and AJAX applications.
While JSON hijacking (a subset of cross-site script inclusion – XSSI) also involves the JSON format, it is a slightly different attack, in some ways similar to cross-site request forgery (CSRF). Attackers can use JSON hijacking to intercept JSON data sent from a web server to a web application. A typical JSON hijacking attack might look like this:
A simple server-side JSON injection could be performed in PHP as follows:
$json_string = '{"accountType":"user","userName":"'.$_GET['userName'].'","pass":"'.$_GET['pass'].'"}';
john%22,%22accountType%22:%22administrator%22
{
"accountType":"user",
"userName":"john",
"accountType":"administrator",
"pass":"password"
}
A simple client-side JSON injection could be performed as follows:
var result = eval("(" + json_string + ")");
document.getElementById("#accountType").innerText = result.account;
document.getElementById("#userName").innerText = result.name;
document.getElementById("#pass").innerText = result.pass;
user"});alert(document.cookie);({"accountType":"user
The consequences of JSON injection highly depend on the way JSON data is used by the web application. However, in some cases, they may be quite severe:
While JSON injection on its own may not seem very dangerous, it is often only one step in a longer chain of attacks, so in some cases it can have severe consequences, up to and including full system compromise.
The best way to detect JSON injection vulnerabilities varies depending on whether they are already known or unknown.
As with most vulnerabilities, the key to maintaining web application security and preventing JSON injections is to sanitize data. This applies to both server-side and client-side JSON injections.
To prevent server-side JSON injections, sanitize all data before serializing it to JSON. For example, if you use Java, a good option to sanitize JSON data is to use the OWASP JSON Sanitizer available on GitHub. An even better practice is never to write JSON data manually but always using framework functions that perform sanitization.
The best way of preventing client-side JSON injections is never to use the eval function to evaluate JSON data. Whenever you use the eval function with untrusted data that contains JavaScript code, that code will be executed – and it could be malicious. To eliminate this risk, use JSON.parse instead.
Classification | ID |
---|---|
CAPEC | 153 |
CWE | 74, 116 |
WASC | 20 |
OWASP 2021 | A3 |
JSON injection attacks happen when unsanitized JSON data containing a malicious payload is accepted and parsed by a web application or browser. Server-side JSON injection attacks are possible if input data is not sanitized by the server and is written directly to a JSON stream. Client-side JSON injection attacks are possible if incoming JSON data is not sanitized and is parsed directly using the JavaScript eval function.
Learn more about the dangers of missing input validation and sanitization.
JSON hijacking happens when a malicious web page causes the victim’s web browser to retrieve JSON data from a targeted web application. The web browser then passes the JSON data to a web server controlled by the attacker.
JSON injections are not very common and not as dangerous as SQL injection or other severe vulnerabilities, but they can still be used in attack chains that lead to other, more dangerous attacks, such as cross-site scripting (XSS).