Lesson Plan Title: How to Perform JSON Injection

 

Concept / Topic To Teach:

This lesson teaches how to perform JSON Injection Attacks.

 

How the attacks works:

JavaScript Object Notation (JSON) is a simple and effective lightweight data exchange format. JSON can be in a lot of forms such as arrays, lists, hashtables and other data structures. JSON is widely used in AJAX and Web2.0 application and is favored by programmers over XML because of its ease of use and speed. However, JSON, like XML is prone to Injection attacks. A malicious attacker can inject the reply from the server and inject some arbitrary values in there.

 

General Goal(s):

You are traveling from Boston, MA- Airport code BOS to Seattle, WA - Airport code SEA.
Once you enter the three digit code of the airport, an AJAX request will be executed asking for the ticket price.
You will notice that there are two flights available, an expensive one with no stops and another cheaper one with 2 stops.
Your goal is to try to get the one with no stops but for a cheaper price.

 

Figure 1 AJAX Security - JSON Injection

 

Solution:

Like with the previous lessons you need to manipulate the HTTP Response using WebScarab.

 

Examine the normal flow by entering the airport code BOS and SEA and intercept the HTTP Request and the HTTP Response in WebScarab.

 

Figure 2 Intercept HTTP Request

 

Figure 3 Intercept HTTP Response

 

Change the price for the expensive flight of $600 to $100 and click "Accept changes".

 

 

Figure 4 Updated price

 

Figure 5 Injected result

 

Select the flight with no stops and the updated price and click "Submit".

 

Figure 6 Lesson completed