Swift : JSON injection

Overview

The application writes data from an untrusted source to a JSON file. This allows an attacker to change the structure and content of the file.

Applications typically use JSON to store data or for messaging. In the first case, the JSON file is treated as a database and can contain valuable data. Web applications can also use JSON messaging to exchange valuable data.

An attacker who can write data to the JSON document can change its semantics. In the most harmless case, the attacker can break the document structure, causing the JSON parser to exit with an error. In more serious cases, the attacker can add JSON elements that change authentication data or alter other data (such as prices, in the case of a store's database). In some cases, JSON injection can lead to cross-site scripting (XSS) and remote code execution.
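The two outcomes described above (a broken document and an added element), shown next to the hardened form. This is an added example, not code from the original page; the `Profile` type, the function names and the sample inputs are assumptions made for illustration.

```swift
import Foundation

// Hypothetical record type used only in this example.
struct Profile: Codable {
    let name: String
}

// Vulnerable: untrusted text is spliced into the document unescaped.
func profileJSONUnsafe(name: String) -> String {
    return "{\"name\": \"\(name)\"}"
}

// Hardened: JSONEncoder escapes quotes, backslashes and control characters,
// so the input can only ever be the value of "name".
func profileJSONSafe(name: String) throws -> String {
    let data = try JSONEncoder().encode(Profile(name: name))
    return String(decoding: data, as: UTF8.self)
}

// Top-level keys a parser sees, or nil when the document does not parse.
func topLevelKeys(_ json: String) -> [String]? {
    guard let object = try? JSONSerialization.jsonObject(with: Data(json.utf8)),
          let dict = object as? [String: Any] else { return nil }
    return dict.keys.sorted()
}

// Constructed inputs: one breaks the document, one adds an element.
let samples = ["O\"Brien", "alice\", \"isAdmin\": \"true"]

for input in samples {
    let unsafeDoc = profileJSONUnsafe(name: input)
    let safeDoc = (try? profileJSONSafe(name: input)) ?? "{}"
    print("unsafe:", unsafeDoc, "keys:", topLevelKeys(unsafeDoc) ?? ["<parse error>"])
    print("safe:  ", safeDoc, "keys:", topLevelKeys(safeDoc) ?? ["<parse error>"])
}
```

Comparing the key set of the parsed document against the expected schema, as `topLevelKeys` does here, is also a usable check when reviewing files that were already written with string concatenation.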

DerScanner Severity Score: MEDIUM
