Web Security : Attacking AJAX - Subverting AJAX with Injected XML, Subverting AJAX with Injected JSON

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019

1. Subverting AJAX with Injected XML

1.1. Problem

Your application uses AJAX and it passes data back in XML format. To test the client-side’s handling of bad XML data, you’ll need to generate bad XML and have it parsed by your application.

1.2. Solution

Creating malicious XML is a topic unto itself. You can find additional guidance on testing for XML injection via OWASP at

Note that the same caveat that applies to HTML injection also applies to XML injection: you may have to escape out of an XML tag prior to inserting your own malicious XML string.

Except this time let’s assume that the chat API on the server returns the chat messages in XML format, as shown in Example 1.

Example 1. AJAX-based chat using XML
 <message user="jsmith">are you going to the show?</message>
 <message user="mjones">yeah, mike's driving</message>
 <message user="jsmith">can I hitch a ride?</message>
 <message user="mjones">sure. be at mike's at 6</message>

Since our user ID is our attack vector, we should try malicious inputs there to test how the client-side code handles it. A user ID of jsmith"><hr width="200 is likely to have the same effect as our attack string in Example 10-2. The "> characters terminate the <message> tag so that the result is <message user="jsmith"><hr width="200">are you going to the show</message>.

1.3. Discussion

Our example is somewhat trivial in that it is obvious what the browser will or won’t do with malicious XML. 

This test is more useful when the client-side code performs some interesting decision making, like hiding or displaying records, allowing or denying actions, etc. Rather than customize attacks that are big and random, use attack XML that has the potential to interfere with the application’s functionality.

2. Subverting AJAX with Injected JSON

2.1. Problem

Your application’s AJAX components receive their input in JavaScript Object Notation (JSON) format. You need to test how the client-side code reacts when malicious JSON data is injected into it.

2.2. Solution

When an application evaluates a JSON string directly, anything injected into the JSON executes immediately—without the need to embed HTML script tags.

To inject into the JSON format, first identify the area where your data rests in the JSON returned by the server. Once you’ve identified the location of your input, supply escape characters for the data structure itself and insert JSON formatted JavaScript. For example, say you receive the following JSON:

{"menu": { "address": { "line1":"YOUR_INPUT_HERE", "line2": "", "line3":"" } }}


To inject JavaScript into this JSON string, you’d supply a string such as ",arbitrary:alert('JavaScript Executed'),continue:". Let’s examine this injected string piece by piece, so that you can craft strings for your JSON data.


First we use double quotes to indicate a string delimiter, ending the string encapsulating our user input. The comma indicates that the rest of our input is a new JSON element in this array. If you were providing an integer as the input, for example, you wouldn’t need the double quotes, just the comma.


Because this data structure is a mapping of labels to elements, we need to provide another label prior to our injected JavaScript. The label doesn’t matter, hence the name arbitrary. The colon indicates the following data is the value paired to this name.

alert('JavaScript Executed')

This is the actual JavaScript injected into this JSON object. When the page evaluates this JSON, an alert box will pop up saying “JavaScript Executed.” This is an indication that our test succeeded and the application failed.


Lastly, to complete the JSON data format and prevent syntax errors from interrupting the injected JavaScript, provide a comma to indicate the next JSON element, an arbitrary label, and a colon and quotes to combine with the rest of the JSON string.

The final result of injecting this malicious input into the JSON string is eval({"menu": { "address": { "line1":"

", "line2": "", "line3":"" } }});

2.3. Discussion

The JSON format evolved as the easiest data serialization format to implement. Evaluating the JSON string in Javascript will itself return a JavaScript data object. It is elegant and simple, but it is very dangerous to evaluate data directly, particularly data that the user just provided. It’s preferable to use a JSON parser, such as the ones available (for free!) from

Be careful when sending JSON data via the query string. Evaluating JSON data directly from the query string creates a reflected cross-site scripting vulnerability. 

Top 10
Free Mobile And Desktop Apps For Accessing Restricted Websites
TOYOTA CAMRY 2; 2.5 : Camry now more comely
KIA SORENTO 2.2CRDi : Fuel-sipping slugger
How To Setup, Password Protect & Encrypt Wireless Internet Connection
Emulate And Run iPad Apps On Windows, Mac OS X & Linux With iPadian
Backup & Restore Game Progress From Any Game With SaveGameProgress
Generate A Facebook Timeline Cover Using A Free App
New App for Women ‘Remix’ Offers Fashion Advice & Style Tips
SG50 Ferrari F12berlinetta : Prancing Horse for Lion City's 50th
- Messages forwarded by Outlook rule go nowhere
- Create and Deploy Windows 7 Image
- How do I check to see if my exchange 2003 is an open relay? (not using a open relay tester tool online, but on the console)
- Creating and using an unencrypted cookie in ASP.NET
- Directories
- Poor Performance on Sharepoint 2010 Server
- SBS 2008 ~ The e-mail alias already exists...
- Public to Private IP - DNS Changes
- Send Email from Winform application
- How to create a .mdb file from ms sql server database.......
programming4us programming4us