Client Side Vulnerabilities / Client-Side Json Injection (DOM-Based)

Web and API

Description Client-side JSON injection (DOM-based) is a type of vulnerability that occurs when a malicious user is able to inject JSON directly into a web page, usually through a browser, allowing malicious code to be executed within the browser. This vulnerability is categorized as a Client Side Vulnerability according to the Common Weakness Enumeration (CWE) directory and is also included in the OWASP Testing Guide.

Risk Client-side JSON injection (DOM-based) is a serious vulnerability as it can allow remote code execution on a web page and can potentially lead to a wide range of malicious activities, including data exfiltration, privilege escalation and other malicious activities. Moreover, the malicious user may be able to bypass access control measures, allowing them to access data they are otherwise not authorized to access.

Solution One solution to this vulnerability is to validate the user input before processing and displaying it on the web page. This can be done by using a whitelist of valid JSON characters to ensure that the user input is not malicious. Additionally, the input should be encoded and escaped before being displayed on the web page to prevent malicious code from being executed.

Example The following example is taken from CVE-2018-9233. In this example, a malicious user is able to inject a malicious payload into the JSON data returned by a web application.

var json = '{"name": "John","age": 23,"payload": " <script> alert('XSS') </script> "}';

Curious? Convinced? Interested?

Arrange a no-obligation consultation with one of our product experts today.