Definition
JSONP injection is a security weakness that occurs when a website uses JSONP (JSON with Padding) to evade a web browser’s same-origin policy.
With JSONP, a server responds with data wrapped in a function call that the client can execute. The client inserts a script tag pointing at the server’s URL, with a query parameter that names the function (the callback) in which the JSON data is to be wrapped.
In a JSONP injection attack, an attacker uses that script tag to get malicious content into the page, for example through the callback parameter. The server wraps the attacker’s input in the function call and sends it back, and because the browser executes the response as a script, the attacker can run arbitrary JavaScript code in the user’s browser.
How JSONP Injection Works
- JSONP endpoint: A website includes a script tag pointing at a JSONP endpoint so that it can retrieve data from another domain.
- Attacker manipulation: An attacker manipulates this JSONP endpoint by injecting malicious code into the website.
- User interaction: The exploited JSONP endpoint causes the user’s browser to send a request to the attacker’s domain, carrying any sensitive data the website passes to the JSONP endpoint.
- Data capture and exploitation: The attacker collects the user’s sensitive data, which they can use for malicious purposes, such as financial fraud or identity theft.
History of JSONP Injection
JSON with Padding (JSONP) is a technique developed to bypass the same-origin policy in web browsers, which web developers widely adopted in the mid-2000s.
However, a potential for misuse was later identified: an attacker can tamper with the data passing through the JSONP endpoint to run arbitrary JavaScript code in the user’s browser. That is why awareness of JSONP injection attacks has grown since the 2000s.
Security experts recommend JSONP alternatives like cross-origin resource sharing (CORS), a safer method for handling cross-domain requests.
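As an added example, not code from the original page, the two response builders below show the defensive side of the mechanism described above: the JSONP one validates the attacker-influenced callback name and serves the body as script with sniffing disabled, and the CORS one returns plain JSON that only an allow-listed origin can read, which is the alternative the page recommends. Function names, header choices and the sample origins are assumptions for illustration.

```javascript
// Added example (not from the original page): a JSONP responder that refuses to
// reflect an untrusted callback name, beside the CORS-based replacement.

// A JavaScript identifier, optionally dotted ("app.onData"); nothing else.
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

// JSON.stringify leaves U+2028/U+2029 raw; older engines treat them as line
// terminators inside a string literal, so escape them before embedding.
function jsSafeJson(data) {
  return JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Builds the JSONP response. The callback query parameter is the only
// attacker-influenced part of the body, so it is validated strictly and
// rejected (not escaped) unless it is a plain identifier.
function buildJsonpResponse(callbackParam, data) {
  if (typeof callbackParam !== 'string' || callbackParam.length > 64 ||
      !SAFE_CALLBACK.test(callbackParam)) {
    return { status: 400, headers: { 'Content-Type': 'application/json' },
             body: JSON.stringify({ error: 'invalid callback name' }) };
  }
  return {
    status: 200,
    headers: {
      // Serve as script, never HTML, and forbid MIME sniffing so the body is
      // not interpreted as a page if it is loaded directly.
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    // The leading "/**/" prefix breaks reflection tricks (e.g. Rosetta Flash)
    // that rely on the response starting with attacker-chosen bytes.
    body: `/**/ ${callbackParam}(${jsSafeJson(data)});`,
  };
}

// CORS replacement: plain JSON, readable cross-origin only by an explicitly
// allow-listed origin. No script execution is involved at all.
function buildCorsJsonResponse(requestOrigin, allowedOrigins, data) {
  const headers = { 'Content-Type': 'application/json; charset=utf-8',
                    'X-Content-Type-Options': 'nosniff', 'Vary': 'Origin' };
  if (allowedOrigins.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
  }
  return { status: 200, headers, body: JSON.stringify(data) };
}
```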