Definition

JSONP injection is a security weakness that occurs when a website uses JSONP to evade a web browser’s same-origin policy.

Usually, JSONP enables a server to respond with data wrapped in a function call that the client can execute. The client inserts a script tag that points to the server’s URL, with a query parameter defining the name of the function that receives the JSON data.

In a JSONP injection attack, an attacker can use the script tag to add a malicious script tag to the web page. The server wraps the tag in a function call and sends it back. The browser runs this function, enabling the attacker to execute arbitrary JavaScript code in the user’s browser.
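
The mechanism described above, as an added example that is not part of the original page: a JSONP response builder that reflects the function-name query parameter verbatim, next to one that validates it. The function names, the `handleData` callback and the sample inputs are constructed for illustration; `runAsScript` stands in for the browser executing the response.

```javascript
// Added example; all names and sample values are constructed for illustration.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/; // one plain identifier

// Vulnerable: the callback query parameter is reflected verbatim.
function jsonpUnsafe(callback, data) {
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript; charset=utf-8' },
    body: `${callback}(${JSON.stringify(data)});`,
  };
}

// Hardened: reject anything that is not a short identifier, escape the two
// line separators JSON allows raw, and forbid MIME sniffing of the response.
function jsonpSafe(callback, data) {
  if (typeof callback !== 'string' || !CALLBACK_RE.test(callback)) {
    return { status: 400, headers: { 'Content-Type': 'text/plain; charset=utf-8' },
             body: 'invalid callback' };
  }
  const json = JSON.stringify(data)
    .replace(/[\u2028\u2029]/g, (c) => '\\u' + c.charCodeAt(0).toString(16));
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    // Leading comment: the response never starts with caller-chosen bytes.
    body: `/**/${callback}(${json});`,
  };
}

// Simulates a page that defines handleData() and loads `body` via a script tag.
function runAsScript(body) {
  const page = { received: null, extraCodeRan: false };
  new Function('handleData', 'page', body)((d) => { page.received = d; }, page);
  return page;
}

// Constructed callback value that closes the call and appends a statement.
const sampleCallback = 'handleData({});page.extraCodeRan=true;//';
const sampleData = { user: 'alice' };
console.log(runAsScript(jsonpUnsafe(sampleCallback, sampleData).body)); // extra code runs
console.log(jsonpSafe(sampleCallback, sampleData).status);              // rejected
console.log(runAsScript(jsonpSafe('handleData', sampleData).body));     // data only
```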

How JSONP Injection Works

History of JSONP Injection

JSON with Padding (JSONP) is a technique developed to bypass the same-origin policy in web browsers; web developers widely adopted it in the mid-2000s.

However, a potential for misuse was later identified: an attacker can intercept the data passing through the JSONP endpoint to run arbitrary JavaScript code in the user’s browser. That is why awareness of JSONP injection attacks has increased since the 2000s.

Security experts recommend JSONP alternatives like cross-origin resource sharing (CORS), a safer method for handling cross-domain requests.