Essential Books

Evaled JSON injection

suggest change

Let’s say that whenever someone visits a profile page in Bob’s website, the following URL is fetched: 

https://example.com/api/users/1234/profiledata.json

With a response like this: 

{
    "name": "Bob",
    "description": "Likes pie & security holes."
}

Than that data is parsed & inserted: 

var data = eval("(" + resp + ")");
document.getElementById("#name").innerText = data.name;
document.getElementById("#description").innerText = data.description;

Seems good, right? Wrong.

What if someone’s description is Likes XSS."});alert(1);({"name":"Alice","description":"Likes XSS.? Seems weird, but if poorly done, the response will be: 

{
    "name": "Alice",
    "description": "Likes pie & security holes."});alert(1);({"name":"Alice","description":"Likes XSS."
}

And this will be evaled: 

({
    "name": "Alice",
    "description": "Likes pie & security holes."});alert(1);({"name":"Alice","description":"Likes XSS."
})

If you don’t think that’s a problem, paste that in your console and see what happens.

Mitagation 

Hello! \"});alert(1);({

Will be converted to: 

"Hello! \\"});alert(1);({"
Oops. Remember to escape both the `\` and `"`, or just use JSON.parse.
Found a mistake? Have a question or improvement idea? Let me know.

Feedback about page:

Feedback:
Optional: your email if you want me to get back to you:

Security issues:
* Security issues
* Reflected Cross-site scripting XSS
* Persistent Cross-site scripting XSS
* Persistent Cross-site scripting from JavaScript string literals
* Why scripts from other people can harm your website and its visitors
* Evaled JSON injection
Table Of Contents
0 Getting started
1 Comments
2 Basic data types
3 Built-in constants
4 Variables
5 Declarations and assignments
6 Reserved keywords
7 Data types in JavaScript
8 Strings
9 Escape sequences
10 Template Literals
11 Arrays
12 Objects
13 Prototypes objects
14 Classes
15 Variable coercion / conversion
16 Map
17 Set
18 Arithmetic Math
19 Bitwise operators
20 Bitwise operators
21 Unary Operators
22 Comparison operations
23 Conditions
24 Loops
25 Functions
26 Arrow functions
27 Date
28 Date comparison
29 Scope
30 AJAX
31 Promises
32 Regular Expression
33 Error Handling
34 Geolocation
35 Cookies
36 Intervals and timeouts
37 Generators
38 History of visited urls
39 Strict mode
40 Custom Elements
41 JSON
42 Binary Data
43 Web Storage
44 Fetch
45 Modules
46 Screen
47 Inheritance
48 Timestamps
49 Destructuring assignment
50 Web Worker
51 Debugging
52 Notifications API
53 WebSockets
54 Web Cryptography API
55 Async functions, async / await
56 Constructor functions
57 execCommand and contenteditable
58 Performance Tips
59 Design patterns
60 requestAnimationFrame
61 Method chaining
62 Global error handling in browsers
63 File API, blobs and FileReaders
64 Console
65 Tail call optimization
66 Detecting browser
67 Enumerations
68 Symbols
69 Localization
70 Selection API
71 Callbacks
72 Functional JavaScript
73 Modals
74 Data attributes
75 Event Loop
76 Events
77 Data manipulation
78 BOM Browser Object Model
79 Unit Testing
80 Linters for ensuring code quality
81 Automatic Semicolon Insertion
82 IndexedDB
83 Anti-patterns
84 Navigator Object
85 Modularization techniques
86 Proxy
87 Same origin policy, cross-origin communication
88 postMessage and MessageEvent
89 WeakMap
90 WeakSet
91 Behaviroal Design Patterns
92 Server-sent events
93 Async iterators
94 Namespacing
95 Evaluating JavaScript
96 Memory efficiency
97 How to make iterator usable inside async callback function
98 Context this
99 Setters and getters
100 Vibration API
101 Fluent API
102 Tilde
103 Security issues
104 Get and set CSS custom variables
105 Contributors