Burp Suite User Forum


Client-side JSON injection (DOM-based)

Adrián | Last updated: Dec 16, 2019 10:33AM UTC

Hi team, I got the following issue after running a scan on Burp and I would like to have some help to try to understand it:

**************************************************************************************
Data is read from input.value and passed to JSON.parse.

The source element has id [ID].

The following value was injected into the source:
["jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec","january","february","march","april","june","july","august","september","october","november","december"]

The previous value reached the sink as:
bxdobkx1z5%2527%2522`'"/bxdobkx1z5/><bxdobkx1z5/\>qaep72yn06&

The stack trace at the source was: [SOME_STRACK_TRACE]

The stack trace at the sink was: [SOME_STRACK_TRACE]
**************************************************************************************

- Does this issue mean that the data used has to be validated before being passed to the parser?
- What does the output value mean? It looks like random data.
- How could I check if it's a false positive?
- Where are the "input.value" and "JSON.parse" functions located? I can't find them in the source code of the page.

Thanks in advance

Mike, PortSwigger Agent | Last updated: Dec 16, 2019 10:52AM UTC

Hi Adrian, you can find out more information about this vulnerability on our issue definitions list on our website: https://portswigger.net/kb/issues/00200370_client-side-json-injection-dom-based

Essentially Burp has been able to inject some information into an editable input on that form, and that has been processed as JSON by some functionality on that form, which could lead to a vulnerability depending on the context of the attack vector (such as circumventing an authentication layer).

To answer your specific questions:

- Yes, you should never trust user input and it should always be sanitized.
- It is random data to prove that it can be injected.
- That would depend on the implementation of your application.
- input.value likely refers to the value property of the input element that was manipulated, and JSON.parse is part of the native JavaScript API: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/parse
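The following is an added example, not code from the thread or from PortSwigger, showing the source-to-sink pattern the scanner describes (an input element's `value` fed straight into `JSON.parse`) next to a version that validates the parsed result before trusting it. The `makeInput` stub standing in for `document.getElementById(...)`, the `MONTHS` constant and the function names are all assumptions made for the example; the probe string is the one quoted in the finding above.

```javascript
// Added example (not from the forum post or PortSwigger): the "input.value -> JSON.parse"
// flow that the Burp finding reports, and a hardened version of the same sink.

// Legitimate value the page is expected to carry (taken from the finding above).
const MONTHS = [
  "jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec",
  "january", "february", "march", "april", "june", "july", "august", "september",
  "october", "november", "december",
];

// The value the scanner reported reaching the sink (quoted from the finding, escaped for JS).
const SCANNER_PROBE = "bxdobkx1z5%2527%2522`'\"/bxdobkx1z5/><bxdobkx1z5/\\>qaep72yn06&";

// Constructed stand-in for a DOM input element: in a browser this would be
// document.getElementById(ID); here only the .value property matters.
function makeInput(value) {
  return { value };
}

// Vulnerable pattern: whatever is currently in the input (user-editable, hence attacker-
// controllable) is parsed as JSON and used as-is. Any shape the caller did not expect
// (an object instead of an array, non-string members, a broken document) flows onward.
function loadMonthsUnsafe(input) {
  return JSON.parse(input.value);
}

// Hardened pattern: treat the input as untrusted, parse defensively, then check that the
// result has exactly the shape and contents the rest of the page relies on.
function loadMonthsSafe(input) {
  let parsed;
  try {
    parsed = JSON.parse(input.value);
  } catch (_err) {
    return null; // malformed JSON (e.g. the scanner probe) is rejected, not thrown into callers
  }
  if (!Array.isArray(parsed)) {
    return null; // wrong top-level shape
  }
  const allowed = new Set(MONTHS);
  const valid = parsed.every((v) => typeof v === "string" && allowed.has(v));
  return valid ? parsed : null;
}

// Returns true if the unsafe sink throws on the given raw value, which is the visible
// symptom of untrusted data reaching JSON.parse.
function unsafeSinkThrows(rawValue) {
  try {
    loadMonthsUnsafe(makeInput(rawValue));
    return false;
  } catch (_err) {
    return true;
  }
}

// Stand-alone demonstration.
if (typeof require !== "undefined" && require.main === module) {
  console.log("legit value accepted:", loadMonthsSafe(makeInput(JSON.stringify(MONTHS))) !== null);
  console.log("probe breaks unsafe sink:", unsafeSinkThrows(SCANNER_PROBE));
  console.log("probe rejected by safe sink:", loadMonthsSafe(makeInput(SCANNER_PROBE)) === null);
  console.log("unexpected shape rejected:", loadMonthsSafe(makeInput('{"x":1}')) === null);
}

module.exports = { MONTHS, SCANNER_PROBE, makeInput, loadMonthsUnsafe, loadMonthsSafe, unsafeSinkThrows };
```

The scanner's probe is not valid JSON, so in the unsafe form it surfaces as an exception at the sink; the more important case for review is well-formed JSON of an unexpected shape, which `JSON.parse` accepts silently and only an explicit shape check catches.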

Luca | Last updated: Sep 25, 2020 03:39PM UTC

I got an identical finding and I still can't understand this, because in the source there is no sign of injection of the value that is later retrieved in the sink. I cannot find any other good explanation around. I would expect to see the random data in the sink injected in the json (source). What am I missing? Thank you

Liam, PortSwigger Agent | Last updated: Sep 28, 2020 08:53AM UTC

Would you be able to send the full issue detail to support@portswigger.net?

Luca | Last updated: Oct 01, 2020 10:23AM UTC

Sure, doing it now. Thank you
