
What is a Client Side Injection?

In JavaScript

 

Overview

Client Side Injection occurs when data from an untrusted source is not sanitized sufficiently and is then "parsed" by passing it directly to the JavaScript ```eval()``` function, which executes the string as code rather than merely reading it as data.

 

Attack

Let's walk through a vulnerable example.

Here we have a web application that displays an airline passenger's profile when their profile photo is viewed. The profile lists the travel tier of the selected user, but the user-supplied data it contains is poorly sanitized.

Requesting the profile data from https://airlinecarrier.com/api/users/update/profiledata.json returns the following response:

```json
{
  "Benefits": "Tier",
  "Level": "Bronze"
}
```

The client then handles that response body (held in the string ```resp```) like this:

```javascript
// resp is the raw response text shown above. eval() executes it as JavaScript;
// the surrounding parentheses make the object literal parse as an expression.
var data = eval("(" + resp + ")");

// Write the parsed fields into the page (element ids are "Benefits" and "Level").
document.getElementById("Benefits").innerText = data.Benefits;
document.getElementById("Level").innerText = data.Level;
```

The response is not parsed as JSON at all: the string is handed to ```eval()```, which runs it as JavaScript, and the resulting fields are inserted into the page.

Using this flaw, the attacker can mount a Client Side Injection attack by supplying the following as their Level value:

```
Platinum"});alert(1);({"Benefits":"Tier","Level":"Platinum
```

Because the server echoes the value into the response without escaping the quotes, the response body now reads:

```
{
  "Benefits": "Tier",
  "Level": "Platinum"});alert(1);({"Benefits":"Tier","Level":"Platinum"
}
```

Once the client wraps this in parentheses, ```eval()``` sees three JavaScript statements: an object literal, ```alert(1)```, and a second object literal whose value is what ```eval()``` returns. ```alert(1)``` runs in the browser (any other script would run just as well), and ```data.Level``` is now ```"Platinum"```, so the page displays an elevated tier for this airline.

 

Impact

An attacker may be able to use this flaw to perform unintended actions on behalf of another user: whatever script is smuggled into the response runs in the victim's browser with the full privileges of the page. Vulnerabilities like this can also lead to other dangerous attacks, such as Cross Site Scripting (XSS).

 

How to fix

The most effective way to prevent this injection is to never hand a string that contains data from an untrusted source to ```eval()``` (or to other string-executing APIs such as ```Function()``` or ```setTimeout()``` with a string argument).

Parse JSON responses with ```JSON.parse()``` instead. It only understands the JSON grammar, so the payload above raises a ```SyntaxError``` rather than executing ```alert(1)```.

On the server, build the response with a real JSON serializer (for example ```JSON.stringify()``` in Node) rather than by string concatenation, so a quote inside a user-supplied value is emitted as ```\"``` and cannot terminate the string early. Keep writing the parsed values to the page with ```innerText``` or ```textContent```, not ```innerHTML```, so the fix does not trade one injection for XSS.
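The following is an added example for this lesson, not code from the original page: it puts the ```eval()```-based parse from the Attack section beside the ```JSON.parse()``` fix and runs both against a constructed response carrying the lesson's injected Level value. The two ```buildResponse...``` functions are hypothetical stand-ins for the airline's server (one concatenating strings, one using a real serializer), and ```alert(1)``` is replaced by a counter so the run is observable outside a browser.

```javascript
// Added example for this lesson, not code from the original page: the eval()-based
// parse from the Attack section beside the JSON.parse() fix, exercised against a
// constructed response that carries the lesson's injected "Level" value.
// buildResponseUnescaped/buildResponseEscaped are hypothetical stand-ins for the
// airline's server; alert(1) is replaced by sideEffect() so the run is observable.

// The attacker's stored tier value (the lesson's payload with quotes normalized).
// It closes the object literal, runs code, then opens a second literal so that
// eval() still returns an object and the page keeps working.
const injectedLevel =
  'Platinum"});sideEffect();({"Benefits":"Tier","Level":"Platinum';

// Stand-in for alert(1): counts how often attacker-controlled code ran.
let sideEffectCalls = 0;
function sideEffect() {
  sideEffectCalls += 1;
}

// Hypothetical vulnerable server: concatenates the stored value into the JSON
// body without escaping, so a quote in the value terminates the string early.
function buildResponseUnescaped(level) {
  return '{"Benefits":"Tier","Level":"' + level + '"}';
}

// Hypothetical fixed server: a real JSON encoder escapes embedded quotes as \".
function buildResponseEscaped(level) {
  return JSON.stringify({ Benefits: "Tier", Level: level });
}

// The lesson's vulnerable client-side parse: the response text is executed.
function parseWithEval(resp) {
  return eval("(" + resp + ")");
}

// The fix: JSON.parse() only understands JSON and throws on anything else.
function parseWithJsonParse(resp) {
  return JSON.parse(resp);
}

// Runs both parsers over both server variants and reports what happened.
function demo() {
  const unsafeBody = buildResponseUnescaped(injectedLevel);
  const safeBody = buildResponseEscaped(injectedLevel);

  // 1. eval() on the unescaped body: attacker code runs, tier reads "Platinum".
  sideEffectCalls = 0;
  const evalData = parseWithEval(unsafeBody);
  const evalRanAttackerCode = sideEffectCalls > 0;

  // 2. JSON.parse() on the same body: the trailing ");sideEffect();..." is not
  //    JSON, so the parser throws instead of executing anything.
  let jsonParseThrew = false;
  try {
    parseWithJsonParse(unsafeBody);
  } catch (e) {
    jsonParseThrew = e instanceof SyntaxError;
  }

  // 3. JSON.parse() on a properly serialized body: the payload survives as an
  //    inert string, exactly as the attacker typed it, and no code runs.
  const safeData = parseWithJsonParse(safeBody);

  return {
    evalLevel: evalData.Level,
    evalRanAttackerCode,
    jsonParseThrew,
    safeLevelIntact: safeData.Level === injectedLevel,
  };
}

console.log(demo());
```

Run it with Node. The third case is the one to take away: once the server serializes properly, the attacker's quotes arrive as ```\"``` and the whole payload is just an odd-looking tier name, which the page can then write out safely with ```innerText```.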

 

Congratulations!

You’ve learned what Client Side Injection is and how to protect your systems from it. We hope you will apply your new knowledge wisely as you code! Feel free to share this with your network. Also, make sure to check out our lessons on other common vulnerabilities.
