User-provided data, such as URL parameters, POST payloads, or cookies, is tainted by user-controlled input and must therefore always
be treated as untrusted.
JSON injection occurs when user-controlled input is embedded into JSON syntax without being escaped or validated.
A single double quote in the input is enough to terminate the string the application started, after which the attacker can alter the
semantics of the resulting JSON document: insert additional properties, modify existing ones, or change the object in some other way
that affects the business logic of the program processing it.
How such a vulnerability is exploited depends on that business logic. In the worst case, it may even be possible for the attacker to
execute arbitrary code.
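The following is an added example, not code from the rule page or from any of the libraries it covers. It is written in Python rather than Java so that the effect can be reproduced with only the standard library; the concatenation, serializer and allowlist functions mirror the three patterns the Java snippets below use. INJECTED_VALUE is a constructed attacker input, not a value taken from the page.

```python
import json
import re
from typing import Optional

# Constructed attacker input (example data, not from the page). The first quote
# closes the string the server started, the middle injects a new property, and
# the trailing quote reopens a string so the final document is still valid JSON.
INJECTED_VALUE = 'alice","role":"admin","x":"'

# Same allowlist as the page's first compliant solution.
ALLOWLIST = re.compile(r"^[A-Za-z0-9_]+$")


def build_by_concatenation(value: str) -> str:
    """The noncompliant pattern: user input spliced straight into JSON syntax."""
    return '{"key":"' + value + '"}'


def build_with_serializer(value: str) -> str:
    """The compliant pattern: the serializer escapes quotes, backslashes and
    control characters, so the input can only ever be the value of "key"."""
    return json.dumps({"key": value})


def build_with_allowlist(value: Optional[str]) -> Optional[str]:
    """The allowlist variant: reject anything outside a strict character set
    before concatenating. Returns None when the value is rejected (or missing,
    which is what a servlet sees when the parameter is absent)."""
    if value is None or ALLOWLIST.match(value) is None:
        return None
    return '{"key":"' + value + '"}'


def properties_of(document: str) -> dict:
    """Parse the document the way a downstream consumer would, so the object
    produced by each construction can be compared."""
    return json.loads(document)


if __name__ == "__main__":
    unsafe = build_by_concatenation(INJECTED_VALUE)
    safe = build_with_serializer(INJECTED_VALUE)
    print("concatenation:", unsafe, "->", properties_of(unsafe))
    print("serializer:   ", safe, "->", properties_of(safe))
    print("allowlist:    ", build_with_allowlist(INJECTED_VALUE))
```

Run as a script: the concatenated document parses to an object with an extra "role" property the application never wrote, the serialized one parses back to a single "key" property whose value is the whole payload, and the allowlist rejects the payload outright.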
Noncompliant Code Example
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  // "value" is concatenated into JSON syntax unescaped: a parameter such as
  // a","role":"admin","x":"  is written to disk as {"key":"a","role":"admin","x":""}
  String json = "{\"key\":\""+req.getParameter("value")+"\"}";
  FileOutputStream fos = new FileOutputStream("output.json");
  fos.write(json.getBytes(Charset.forName("UTF-8"))); // Noncompliant
  fos.close();
}
google/gson
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  Gson gson = new Gson();
  // The attacker-controlled text is parsed as JSON, so any property injected
  // through "value" becomes part of the resulting object.
  String json = "{\"key\":\""+req.getParameter("value")+"\"}";
  Object object = gson.fromJson(json, Object.class); // Noncompliant
}
FasterXML/jackson
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  ObjectMapper mapper = new ObjectMapper();
  JsonFactory jsonFactory = mapper.getFactory();
  JsonGenerator generator = jsonFactory.createGenerator(System.out);
  String json = "{\"key\":\""+req.getParameter("value")+"\"}";
  // writeRaw bypasses the generator's escaping entirely, so the injected
  // syntax reaches the output unchanged.
  generator.writeRaw(json); // Noncompliant
  generator.close();
}
stleary/JSON-java (org.json)
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  // Parsing the concatenated string gives the attacker control over the
  // properties of the JSONObject, not just the value of "key".
  String json = "{\"key\":\""+req.getParameter("value")+"\"}";
  JSONObject jo = new JSONObject(json); // Noncompliant
}
Compliant Solution
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  String value = req.getParameter("value");
  // Allowlist: only letters, digits and underscore are accepted, so the value can
  // never contain the quote, backslash or control characters that alter JSON syntax.
  // getParameter returns null when the parameter is absent, hence the null check.
  if(value != null && value.matches("^[A-Za-z0-9_]+$")) {
    String json = "{\"key\":\""+value+"\"}";
    try (FileOutputStream fos = new FileOutputStream("output.json")) {
      fos.write(json.getBytes(Charset.forName("UTF-8")));
    }
  }
}
google/gson
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  Gson gson = new Gson();
  JsonObject json = new JsonObject();
  // addProperty stores the parameter as the string value of "key"; Gson escapes
  // it on serialization, so it cannot introduce new properties.
  json.addProperty("key", req.getParameter("value"));
  Object object = gson.fromJson(json, Object.class);
}
FasterXML/jackson
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  ObjectMapper mapper = new ObjectMapper();
  JsonFactory jsonFactory = mapper.getFactory();
  JsonGenerator generator = jsonFactory.createGenerator(System.out);
  generator.writeStartObject();
  generator.writeFieldName("key");
  // writeString escapes the value, unlike writeRaw
  generator.writeString(req.getParameter("value"));
  generator.writeEndObject();
  generator.close();
}
stleary/JSON-java (org.json)
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  JSONObject jo = new JSONObject();
  // put stores the parameter as the value of "key" and JSONObject.toString()
  // escapes it. (append would instead wrap it in a JSONArray under that key.)
  jo.put("key", req.getParameter("value"));
}
See