Burp Suite User Forum


Client-side JSON injection (DOM-based)

Adrián | Last updated: Dec 16, 2019 10:33AM UTC

Hi team, I got the following issue after running a scan on Burp and I would like to have some help to try to understand it:

**************************************************************************************
Data is read from input.value and passed to JSON.parse.

The source element has id [ID].

The following value was injected into the source:
["jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec","january","february","march","april","june","july","august","september","october","november","december"]

The previous value reached the sink as:
bxdobkx1z5%2527%2522`'"/bxdobkx1z5/><bxdobkx1z5/\>qaep72yn06&

The stack trace at the source was: [SOME_STACK_TRACE]

The stack trace at the sink was: [SOME_STACK_TRACE]
**************************************************************************************

- Does this issue mean that the data used has to be validated before being passed to the parser?
- What does the output value mean? It looks like random data.
- How could I check if it's a false positive?
- Where are the "input.value" and "JSON.parse" functions located? I can't find them in the source code of the page.

Thanks in advance

Mike, PortSwigger Agent | Last updated: Dec 16, 2019 10:52AM UTC

Hi Adrian, you can find out more information about this vulnerability on our issue definitions list on our website: https://portswigger.net/kb/issues/00200370_client-side-json-injection-dom-based

Essentially Burp has been able to inject some information into an editable input on that form, and that has been processed as JSON by some functionality on that form, which could lead to a vulnerability depending on the context of the attack vector (such as circumventing an authentication layer).

To answer your specific questions:

- Yes, you should never trust user input and it should always be sanitized.
- It is random data to prove that it can be injected.
- That would depend on the implementation of your application.
- input.value likely refers to the value property of the input element that was manipulated, and JSON.parse is part of the native JavaScript API: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/parse
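The input.value to JSON.parse flow discussed in this thread, next to a validated version, as an added example that is not part of the original posts or of the scanned application. The function names, the allowlist, the length limit and the sample inputs (other than the probe string quoted from the scan report) are assumptions made for illustration.

```javascript
// Added example: ALLOWED_MONTHS, readMonthListUnsafe and readMonthList are hypothetical names.
const ALLOWED_MONTHS = new Set([
  "jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec",
  "january", "february", "march", "april", "june", "july", "august",
  "september", "october", "november", "december",
]);

// Pattern the scanner reports: whatever is in the field reaches the parser,
// and the caller trusts the shape of whatever comes back.
function readMonthListUnsafe(rawInputValue) {
  return JSON.parse(rawInputValue);
}

// Validated version: parse defensively, then accept only the expected shape.
function readMonthList(rawInputValue) {
  if (typeof rawInputValue !== "string" || rawInputValue.length > 1024) {
    return { ok: false, reason: "not a string or too long" };
  }
  let parsed;
  try {
    parsed = JSON.parse(rawInputValue);
  } catch (err) {
    return { ok: false, reason: "not valid JSON" };
  }
  if (!Array.isArray(parsed) || parsed.length > ALLOWED_MONTHS.size) {
    return { ok: false, reason: "not an array of the expected size" };
  }
  for (const item of parsed) {
    if (typeof item !== "string" || !ALLOWED_MONTHS.has(item)) {
      return { ok: false, reason: "unexpected element" };
    }
  }
  return { ok: true, value: parsed };
}

// Constructed input standing in for a legitimate input.value.
const expected = '["jan","feb","mar"]';
// The probe string quoted in the scan report above.
const probe = "bxdobkx1z5%2527%2522`'\"/bxdobkx1z5/><bxdobkx1z5/\\>qaep72yn06&";
// Constructed: well-formed JSON in a shape the form never intended.
const wrongShape = '{"months":["jan"],"extra":true}';

console.log(readMonthList(expected));
console.log(readMonthList(probe));
console.log(readMonthList(wrongShape));
console.log(readMonthListUnsafe(wrongShape)); // parsed and returned with no check
```

When triaging the finding, the thing to establish is which of these two patterns the code at the reported sink stack trace follows, and what the application does with the parsed result afterwards.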
