Lab: JSON Injection
January 9, 2019 · View on GitHub
Outline
Remember, all (most?) JSON is valid Javascript
Reflected/DOM injection Stored injection
how is eval involved?
What about JSONP? Too much?
Using third party libraries to correctly parse the JSON and prevent injection and execution (like jQuery)
Resources
- Client-side JSON injection (reflected DOM-based)
- Client-side JSON injection (stored DOM-based)
- StackOverFlow: Injecting javascript in JSON and security
- OWASP: JSON Hijacking
- Server-Side JavaScript Injection
- Handling Untrusted JSON Safely
- Anatomy of a Subtle JSON Vulnerability
- Friday the 13th: Attacking JSON - Alvaro Muñoz & Oleksandr Mirosh - AppSecUSA 2017
- The Evil Side of JavaScript: Server-Side JavaScript Injection
To build locally via Docker Compose:
docker-compose up