JSON Security: Injection, Deserialization Attacks, and Safe Parsing
JSON security: injection attacks, prototype pollution, deserialization vulnerabilities, and safe parsing practices for web applications and APIs.
Published:
Tags: json, security, developer-tools
JSON is simple enough that developers routinely underestimate its attack surface. The format itself is safe, but the code surrounding JSON processing is where vulnerabilities live. String concatenation to build JSON, unchecked polymorphic deserialization in Java, deeply nested payloads, and certain JavaScript merge patterns all have well-documented exploitation paths.

JSON Injection: Never Build JSON with String Concatenation

Building a JSON string by concatenating user-supplied values is the original JSON vulnerability. If the user controls any part of the string, they can break out of the expected structure and inject arbitrary fields or values.

Vulnerable pattern:

The correct fix is to construct the object first, then…