AttackFlow Findings Dictionary


JSON Injection

An attacker who controls a value that is written into a JSON document without escaping can inject partial JSON structures and alter the resulting document. The impact ranges from denial of service (the stored document no longer parses) to unauthorized access to system resources (the injected structure is trusted when the document is processed later).

Severity: Critical

Fix Cost: Low

Trust Level: Medium

JSON is the de facto wire format for HTTP APIs. It is not only used as a format for data in transit, but also for data at rest, so a document assembled from user input may be parsed again much later by a different component.

An example in C# (Newtonsoft.Json) that writes user input into JSON follows:

using System.IO;
using System.Text;
using Newtonsoft.Json;

...
StringBuilder sb = new StringBuilder();
StringWriter sw = new StringWriter(sb);

using (JsonWriter writer = new JsonTextWriter(sw))
{
    writer.Formatting = Formatting.Indented;
    writer.WriteStartObject();

    writer.WritePropertyName("username");
    writer.WriteValue(username);   // escaped by the writer

    writer.WritePropertyName("dob");
    writer.WriteValue(dob);        // escaped by the writer

    writer.WritePropertyName("fullname");
    // VULNERABLE: the string is copied into the output verbatim, no escaping
    writer.WriteRawValue("\"" + fullname + "\"");

    writer.WriteEndObject();
}
string json = sb.ToString();

// write json to disk

The code above takes fullname from an untrusted source (the attacker, for example) and writes it with WriteRawValue, which emits the string verbatim and does not escape JSON metacharacters such as double quotes, backslashes and control characters. WriteValue, used for username and dob, does escape them. An attacker can therefore supply a partial JSON fragment as fullname, for instance Eve", "role": "admin, which closes the string early and appends a property of the attacker's choosing to the document that will be parsed later.

Every injection attack comes from mixing code and untrusted data. Here the data is the name supplied by the user and the code is the surrounding JSON syntax; a raw-write API keeps the two apart only if the caller escapes the value itself, and when the caller does not, the result is JSON injection. Whatever parses the manipulated document later acts on the attacker's properties, which can hand the attacker information or privileges they could not otherwise obtain. The fix is to route every untrusted value through the serializer's escaping path (WriteValue here) and to reserve WriteRawValue for JSON that is already trusted.

The same mistake in Java, using Jackson, follows:

import java.util.Date;
import com.fasterxml.jackson.annotation.JsonRawValue;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class Person {
    public String name;

    // VULNERABLE: the field's contents are copied into the output verbatim,
    // without surrounding quotes and without escaping
    @JsonRawValue
    public String fullName;

    // java.util.Date is serialized by Jackson without extra modules
    public Date dob;
}

// instantiate Person with untrusted input
...

ObjectMapper objectMapper = new ObjectMapper();
// writeValueAsString throws JsonProcessingException
String output = objectMapper.writeValueAsString(person);

The POJO above takes fullName from an untrusted source (the attacker, for example) and serializes it under @JsonRawValue, which tells Jackson to copy the string into the output as-is, with no surrounding quotes and no escaping of JSON metacharacters. The attacker therefore controls an entire JSON token: a fullName of "Eve", "role": "admin" (quotes included) becomes part of the document's structure rather than a string value, and is acted upon when the output is parsed later. The fix is to drop the annotation so the field is written as an ordinary, escaped string; @JsonRawValue is meant for JSON the application has already validated, never for user input.

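The following JavaScript example is added here and is not code from the original page or from AttackFlow. It reproduces the raw-write mistake behind both the C# (WriteRawValue) and Java (@JsonRawValue) snippets above beside the escaping alternative, and shows what a downstream consumer sees after parsing each document. The record layout (username, dob, role, fullname), the consumer's isAdmin check and the two attacker payloads are constructed for this illustration.

```javascript
// Added example, not from the page: raw string splicing versus serializer
// escaping, and the effect on whoever parses the document later.

// VULNERABLE: fullname is spliced into the JSON text verbatim, mirroring
// WriteRawValue / @JsonRawValue. The other fields go through JSON.stringify.
function buildRecordRaw(username, dob, fullname) {
  return '{' +
    '"username": ' + JSON.stringify(username) + ', ' +
    '"dob": ' + JSON.stringify(dob) + ', ' +
    '"role": "user", ' +
    '"fullname": "' + fullname + '"' +   // no escaping of " or \
  '}';
}

// HARDENED: every value is written by the serializer, which escapes quotes,
// backslashes and control characters, so user input stays a string value.
function buildRecordSafe(username, dob, fullname) {
  return JSON.stringify({ username, dob, role: 'user', fullname });
}

// Constructed downstream consumer: reads the stored record and makes an
// authorization decision from it (hypothetical check for this example).
function isAdmin(jsonText) {
  const record = JSON.parse(jsonText);
  return record.role === 'admin';
}

// True when the stored text is still a parsable JSON document.
function parsesCleanly(jsonText) {
  try {
    JSON.parse(jsonText);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed attacker inputs.
// PAYLOAD closes the fullname string and appends a second "role" property;
// JSON.parse keeps the last duplicate key, so the injected value wins.
const PAYLOAD = 'Eve", "role": "admin';
// BROKEN leaves an unbalanced quote, turning the stored record into
// unparsable text (the denial-of-service end of the impact range).
const BROKEN = 'Eve"';

function demo() {
  const raw = buildRecordRaw('eve', '1990-01-01', PAYLOAD);
  const safe = buildRecordSafe('eve', '1990-01-01', PAYLOAD);
  return {
    rawText: raw,
    safeText: safe,
    rawParses: parsesCleanly(raw),            // true: the injected document is valid JSON
    rawIsAdmin: isAdmin(raw),                 // true: injected "role": "admin" overrides "user"
    safeIsAdmin: isAdmin(safe),               // false: the payload never leaves the string
    safeFullname: JSON.parse(safe).fullname,  // the payload round-trips as plain text
    rawBrokenParses: parsesCleanly(buildRecordRaw('eve', '1990-01-01', BROKEN)),   // false
    safeBrokenParses: parsesCleanly(buildRecordSafe('eve', '1990-01-01', BROKEN)), // true
  };
}

console.log(demo());
```

Run it with node to see both documents side by side. The raw builder produces a syntactically valid document containing two "role" keys, which is why the injection survives the parse and why a grep for invalid JSON will not catch it; only the escaping builder keeps the attacker's text inside the string literal.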
