
Client-side JSON injection (DOM-based)

Fox Dec 16, 2019 10:33AM UTC

Hi team,
I got the following issue after running a scan on Burp and I would like to have some help to try to understand it:

**************************************************************************************
Data is read from input.value and passed to JSON.parse.
The source element has id [ID].

The following value was injected into the source:
["jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec","january","february","march","april","june","july","august","september","october","november","december"]

The previous value reached the sink as:
bxdobkx1z5%2527%2522`'"/bxdobkx1z5/><bxdobkx1z5/\>qaep72yn06&

The stack trace at the source was:
[SOME_STACK_TRACE]

The stack trace at the sink was:
[SOME_STACK_TRACE]

**************************************************************************************
- Does this issue mean that the data used has to be validated before being passed to the parser?
- What does the output value mean? It looks like random data.
- How could I check if it's a false positive?
- Where are the "input.value" and "JSON.parse" functions located? I can't find them in the source code of the page.

Thanks in advance


Mike Eaton Dec 16, 2019 11:06AM UTC Support Center agent

Hi Adrian, you can find out more information about this vulnerability on our issue definitions list on our website: https://portswigger.net/kb/issues/00200370_client-side-json-injection-dom-based

Essentially, Burp has been able to inject some information into an editable input on that form, and that has been processed as JSON by some functionality on that form, which could lead to a vulnerability depending on the context of the attack vector (such as circumventing an authentication layer).

To answer your specific questions:
- Yes, you should never trust user input and it should always be sanitized.
- It is random data to prove that it can be injected.
- That would depend on the implementation of your application.
- input.value likely refers to the value property of the input element that was manipulated, and JSON.parse is part of the native JavaScript API https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/parse
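The pattern the answer above describes (a value read from an input element's `value` property and handed straight to `JSON.parse`) in its vulnerable and hardened forms, as an added example that is not part of the original thread, of Burp Suite, or of the questioner's application. The DOM element is simulated with a plain `{ value }` object so the code runs under Node; the `admin` preference, the month allowlist and the 5 KB cap are assumptions made for the illustration, and the canary string is constructed in the style of the one quoted in the question rather than copied from Burp.

```javascript
// Added example (not from the PortSwigger page, Burp, or the asker's app):
// a DOM-based "input.value -> JSON.parse" sink, vulnerable and hardened.

// Constructed sample values for this example.
const MONTHS_VALUE = JSON.stringify([
  "jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec",
  "january", "february", "march", "april", "june", "july", "august",
  "september", "october", "november", "december",
]);
// A canary of the kind Burp's DOM scanner reflects into the input (constructed here).
const CANARY_VALUE = "bxdobkx1z5%2527%2522`'\"/bxdobkx1z5/><bxdobkx1z5/\\>qaep72yn06&";

// Hypothetical preferences object; "admin" stands in for any trust decision.
const DEFAULT_PREFS = Object.freeze({ months: [], admin: false });

// Vulnerable: whatever JSON ends up in the field is trusted as configuration.
// If the field is populated from a URL parameter or other attacker-reachable
// source, attacker-chosen keys override the defaults, including "admin".
function loadPrefsUnsafe(input) {
  const parsed = JSON.parse(input.value); // throws on the canary, but valid JSON goes straight through
  return Object.assign({}, DEFAULT_PREFS, parsed);
}

// Assumed allowlist of the only values the application actually needs.
const MONTH_ALLOWLIST = new Set(JSON.parse(MONTHS_VALUE));
const MAX_VALUE_LENGTH = 5 * 1024; // assumed cap; pick one that fits the real field

// Hardened: bound the size, parse inside try/catch, then validate shape and
// contents before anything is used. Security-relevant fields are never read
// from the parsed document at all.
function loadPrefsSafe(input) {
  if (typeof input.value !== "string" || input.value.length > MAX_VALUE_LENGTH) return null;
  let parsed;
  try {
    parsed = JSON.parse(input.value);
  } catch (e) {
    return null; // malformed JSON is rejected, not propagated
  }
  if (!Array.isArray(parsed)) return null;
  const months = [];
  for (const m of parsed) {
    if (typeof m !== "string" || !MONTH_ALLOWLIST.has(m)) return null;
    months.push(m);
  }
  return { months, admin: DEFAULT_PREFS.admin };
}

// Triage helper for "is this a false positive?": reports whether a given value
// parses at the sink. The canary itself fails to parse; that does not clear the
// finding, because an attacker would supply well-formed JSON instead. The real
// question is what the application does with the parsed result.
function sinkBehaviour(input) {
  try {
    JSON.parse(input.value);
    return "parsed";
  } catch (e) {
    return "syntax-error";
  }
}

module.exports = { MONTHS_VALUE, CANARY_VALUE, loadPrefsUnsafe, loadPrefsSafe, sinkBehaviour };
```

To reproduce the scanner's finding by hand, set the input's value to `{"admin":true}` (or whatever shape the code under test consumes) rather than the canary, and confirm in the debugger whether the parsed object reaches anything that matters; if the only consumer is a display-only list that is re-validated elsewhere, the impact is low, but the unbounded parse is still worth tightening as above.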

