OWASP WebGoat: Ajax Security JSON Injection

I was struck with the similarity between this JSON injection lesson and yesterday’s XML injection. It was exactly the same process; as a consequence, this was the first lesson I did not need to refer to the hints or solution, which is pleasing.

As both XML and JSON are part of the group of technologies comprising AJAX Programming, perhaps the similarities are to be expected.

Here are the lesson details:

Lesson Plan Title: How to Perform JSON Injection

Concept / Topic To Teach:

This lesson teaches how to perform JSON Injection Attacks.

How the attack works:

JavaScript Object Notation (JSON) is a simple and effective lightweight data exchange format. JSON can take many forms, such as arrays, lists, hashtables and other data structures. JSON is widely used in AJAX and Web 2.0 applications and is favored by programmers over XML because of its ease of use and speed. However, JSON, like XML, is prone to injection attacks. A malicious attacker can intercept the reply from the server and inject arbitrary values into it.

Exactly the same as yesterday, input the given details, which in this case are the airport codes. Intercept the response with WebScarab and locate the following code:

{
    "From": "Boston",
    "To": "Seattle",
    "flights": [
        {"stops": "0", "transit": "N/A", "price": "$600"},
        {"stops": "2", "transit": "Newark,Chicago", "price": "$300"}
    ]
}

Change the $600 price to $300 and click "Accept Changes".

Job Done.
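As an added example (not part of the original post or of WebGoat's own code), the Python below shows why the edited reply works and what stops it on the server side: a booking handler that trusts the price the client echoes back, beside one that re-reads the price from its own catalogue by flight id and rejects a mismatch. The flight ids, field names and catalogue data are constructed for illustration and mirror the lesson's Boston to Seattle search.

```python
import json

# Constructed catalogue standing in for the server's authoritative flight data
# (mirrors the lesson's Boston -> Seattle search; not WebGoat's own data).
FLIGHTS = {
    ("Boston", "Seattle"): [
        {"id": "F1", "stops": 0, "transit": "N/A", "price_usd": 600},
        {"id": "F2", "stops": 2, "transit": "Newark,Chicago", "price_usd": 300},
    ],
}


def search_response(frm, to):
    """Server side: the JSON reply the lesson shows being intercepted in WebScarab."""
    return json.dumps({"From": frm, "To": to, "flights": FLIGHTS[(frm, to)]})


def booking_order(frm, to, flight_id, shown_price):
    """The booking request a browser sends once the user picks a flight.
    shown_price is whatever the (possibly edited) reply displayed."""
    return json.dumps({"From": frm, "To": to, "flight_id": flight_id, "price_usd": shown_price})


def book_trusting_client(order_json):
    """Vulnerable pattern: charges whatever price the client echoes back,
    so an edited reply ($600 -> $300) flows straight through to the charge."""
    order = json.loads(order_json)
    return order["price_usd"]


def book_with_server_lookup(order_json):
    """Hardened pattern: the price is re-read from the server's own catalogue by
    flight id; the client-supplied figure is only compared against it, never used."""
    order = json.loads(order_json)
    route = (order["From"], order["To"])
    flight = next((f for f in FLIGHTS.get(route, []) if f["id"] == order["flight_id"]), None)
    if flight is None:
        raise ValueError("unknown flight for route %s -> %s" % route)
    if flight["price_usd"] != order["price_usd"]:
        raise ValueError("price mismatch: client sent %r, catalogue says %r"
                         % (order["price_usd"], flight["price_usd"]))
    return flight["price_usd"]


if __name__ == "__main__":
    edited = booking_order("Boston", "Seattle", "F1", 300)  # the lesson's $600 -> $300 edit
    print(book_trusting_client(edited))                     # 300: tampered price is charged
    print(book_with_server_lookup(booking_order("Boston", "Seattle", "F1", 600)))  # 600
    try:
        book_with_server_lookup(edited)
    except ValueError as err:
        print("rejected:", err)
```

The same check applies to any value a page displays and later posts back (quantities, discounts, account ids): anything that crossed the wire to the browser is attacker-controlled on its return.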
