Web Security : Attacking AJAX - Subverting AJAX with Injected XML, Subverting AJAX with Injected JSON

9/25/2012 1:42:50 AM

1. Subverting AJAX with Injected XML

1.1. Problem

Your application uses AJAX and it passes data back in XML format. To test the client-side’s handling of bad XML data, you’ll need to generate bad XML and have it parsed by your application.

1.2. Solution

Creating malicious XML is a topic unto itself. You can find additional guidance on testing for XML injection via OWASP at

Note that the same caveat that applies to HTML injection also applies to XML injection: you may have to escape out of an XML tag prior to inserting your own malicious XML string.

Except this time let’s assume that the chat API on the server returns the chat messages in XML format, as shown in Example 1.

Example 1. AJAX-based chat using XML
 <message user="jsmith">are you going to the show?</message>
 <message user="mjones">yeah, mike's driving</message>
 <message user="jsmith">can I hitch a ride?</message>
 <message user="mjones">sure. be at mike's at 6</message>

Since our user ID is our attack vector, we should try malicious inputs there to test how the client-side code handles it. A user ID of jsmith"><hr width="200 is likely to have the same effect as our attack string in Example 10-2. The "> characters terminate the <message> tag so that the result is <message user="jsmith"><hr width="200">are you going to the show?</message>.
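To show what separates a chat server that is open to this test from one that passes it, here is an added example (not code from the original recipe or the book) written in JavaScript: it renders the Example 1 messages the naive way and with attribute escaping, then applies the simple check a tester would run on the response. The message list and the hostile user ID are constructed for this example; the function names are my own.

```javascript
// Added example (not from the original page): server-side rendering of the Example 1
// chat XML, naive vs. escaped, plus a small check of what start tags the response contains.

// Constructed sample: the messages from Example 1 with one user ID shaped like the
// attack string discussed in the text.
const messages = [
  { user: 'jsmith', text: 'are you going to the show?' },
  { user: 'mjones', text: "yeah, mike's driving" },
  { user: 'jsmith"><hr width="200', text: 'can I hitch a ride?' },
];

// Naive rendering: user-controlled values are concatenated straight into the markup,
// so a quote and angle bracket in the user ID close the attribute and the tag.
function renderNaive(msgs) {
  return msgs.map(m => `<message user="${m.user}">${m.text}</message>`).join('\n');
}

// Escape the five characters XML treats specially. The result is safe both inside a
// double-quoted attribute and as element text.
function xmlEscape(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

function renderEscaped(msgs) {
  return msgs
    .map(m => `<message user="${xmlEscape(m.user)}">${xmlEscape(m.text)}</message>`)
    .join('\n');
}

// Check a tester can run on a captured response: the names of all start tags.
// Anything other than "message" means an injected value escaped its attribute.
function startTagNames(xml) {
  return [...xml.matchAll(/<([A-Za-z][\w.-]*)/g)].map(m => m[1]);
}

// Reverse of xmlEscape (ampersand last), used to confirm the escaped form still
// carries the original user ID as plain data.
function xmlUnescape(value) {
  return value
    .replace(/&quot;/g, '"')
    .replace(/&apos;/g, "'")
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// The user attribute of each <message> element, decoded back to the raw value.
function userAttributes(xml) {
  return [...xml.matchAll(/<message user="([^"]*)"/g)].map(m => xmlUnescape(m[1]));
}
```

With the naive renderer the third message produces a stray hr start tag; with escaping the response contains only message elements and the hostile user ID comes back unchanged as attribute data, which is the behaviour the client-side test should confirm.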

1.3. Discussion

Our example is somewhat trivial in that it is obvious what the browser will or won’t do with malicious XML. 

This test is more useful when the client-side code performs some interesting decision making, like hiding or displaying records, allowing or denying actions, etc. Rather than customize attacks that are big and random, use attack XML that has the potential to interfere with the application’s functionality.

2. Subverting AJAX with Injected JSON

2.1. Problem

Your application’s AJAX components receive their input in JavaScript Object Notation (JSON) format. You need to test how the client-side code reacts when malicious JSON data is injected into it.

2.2. Solution

When an application evaluates a JSON string directly, anything injected into the JSON executes immediately—without the need to embed HTML script tags.

To inject into the JSON format, first identify the area where your data rests in the JSON returned by the server. Once you’ve identified the location of your input, supply escape characters for the data structure itself and insert JSON formatted JavaScript. For example, say you receive the following JSON:

{"menu": { "address": { "line1":"YOUR_INPUT_HERE", "line2": "", "line3":"" } }}


To inject JavaScript into this JSON string, you’d supply a string such as ",arbitrary:alert('JavaScript Executed'),continue:". Let’s examine this injected string piece by piece, so that you can craft strings for your JSON data.

",

First we use double quotes to indicate a string delimiter, ending the string encapsulating our user input. The comma indicates that the rest of our input is a new JSON element in this array. If you were providing an integer as the input, for example, you wouldn’t need the double quotes, just the comma.

arbitrary:

Because this data structure is a mapping of labels to elements, we need to provide another label prior to our injected JavaScript. The label doesn’t matter, hence the name arbitrary. The colon indicates the following data is the value paired to this name.

alert('JavaScript Executed')

This is the actual JavaScript injected into this JSON object. When the page evaluates this JSON, an alert box will pop up saying “JavaScript Executed.” This is an indication that our test succeeded and the application failed.

,continue:"

Lastly, to complete the JSON data format and prevent syntax errors from interrupting the injected JavaScript, provide a comma to indicate the next JSON element, an arbitrary label, and a colon and quotes to combine with the rest of the JSON string.

The final result of injecting this malicious input into the JSON string is eval({"menu": { "address": { "line1":"",arbitrary:alert('JavaScript Executed'),continue:"", "line2": "", "line3":"" } }});

2.3. Discussion

The JSON format evolved as the easiest data serialization format to implement. Evaluating the JSON string in JavaScript will itself return a JavaScript data object. It is elegant and simple, but it is very dangerous to evaluate data directly, particularly data that the user just provided. It’s preferable to use a JSON parser, such as the ones available (for free!) from

Be careful when sending JSON data via the query string. Evaluating JSON data directly from the query string creates a reflected cross-site scripting vulnerability. 
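The Solution and the Discussion above describe two client-side behaviours (evaluating the JSON text as code versus parsing it as data) and implicitly two server-side ones (pasting the input into a template versus encoding it). The following added example, which is not code from the original recipe or the book, puts all four side by side in JavaScript using the exact JSON and injected string from the Solution. The alert stub, which records calls when no browser is present, and the function names are my own constructions for this example.

```javascript
// Added example (not from the original page): how the Solution's JSON is built on the
// server and turned back into an object on the client, in the unsafe and the safe way.

// The injected string discussed in the Solution.
const payload = '",arbitrary:alert(\'JavaScript Executed\'),continue:"';

// Server side, naive: the user's value is dropped into a string template unencoded.
function renderNaive(line1) {
  return `{"menu": { "address": { "line1":"${line1}", "line2": "", "line3":"" } }}`;
}

// Server side, correct: the JSON encoder quotes and escapes every value, so the
// payload's quotes become \" inside the string and never end it.
function renderEncoded(line1) {
  return JSON.stringify({ menu: { address: { line1, line2: '', line3: '' } } });
}

// Stub for alert() outside a browser (constructed for this example): records calls so
// the effect of the injected script is observable from code.
const alertCalls = [];
if (typeof globalThis.alert !== 'function') {
  globalThis.alert = (msg) => { alertCalls.push(msg); };
}

// Client side, the dangerous pattern the Discussion warns about: the response text is
// evaluated as JavaScript, so anything that parses as an expression runs.
function unsafeEvalParse(text) {
  return eval('(' + text + ')');
}

// Client side, correct: a real JSON parser accepts data only. Unquoted labels and
// function calls are syntax errors, reported to the caller instead of executed.
function safeParse(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}
```

Run against the naively rendered response, unsafeEvalParse fires the alert and returns an object with an empty line1, while safeParse reports a SyntaxError. Against the encoded response both parsers return the payload as an ordinary string in line1, which is why the server-side fix alone already neutralises the test string; the client-side parser is what catches the cases the server missed.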
