Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Java static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code

JSON operations should not be vulnerable to injection attacks

intentionality - complete

security

Vulnerability

MajorSonarSource default severity
click to learn more

Why is this an issue?

How can I fix it?

More Info

JSON injections occur when an application builds a JSON-formatted string from user input without prior validation or sanitation. In such a case, a tainted user-controlled value can tamper with the JSON string content. Especially, unexpected arbitrary elements can be inserted in the corresponding JSON object. Those modifications can include:

Adding additional keys to a JSON dictionary.
Changing values types.
Adding elements in an array.

A malicious user-supplied value can perform other modifications depending on where and how the constructed data is later used.

What is the potential impact?

The consequences of a JSON injection attack into an application vary greatly depending on the application’s logic. It can affect the application itself or another element if the JSON string is used for cross-component data exchange. For this reason, the actual impact can range from benign information disclosure to critical remote code execution.

Information disclosure

An attacker can forge an attack payload that will modify the JSON string so that it will become syntactically incorrect. In that case, when the data is later used, the parsing component will raise a technical error. If displayed back to the attacker or made available through log files, this technical error may disclose sensitive business or technical information.

This scenario, while in general the less severe one, is the most frequently encountered. It can combine with any other logic-dependant threat.

Privilege escalation

An application that would rely on JSON to store or propagate users' authentication levels and roles would be under threat of privilege escalations. Indeed, an attacker could tamper with the permissions storage object to insert arbitrary roles or privileges.

While highly specific, similar issues can be faced in the following situations:

An application builds JSON payloads for HTTP requests.
An application builds JWT from user input.

Code execution

An application might build objects based on a JSON serialization string. In that case, an attacker that would exploit a JSON injection could be able to alter the serialization string to modify the corresponding object’s properties.

Depending on the deserialization process, this might allow instantiating arbitrary objects or objects with sensitive properties altered. This can lead to arbitrary code being executed in the same way as a deserialization injection vulnerability.

Available In:

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Developer
Edition

In-IDE

SaaS

Self-Hosted