Preventing JSON pollution
The JavaScript language allows all Object
attributes to be altered. In a JSON pollution attack, an attacker leverages this ability to override built-in attributes and functions with malicious code.
Applications that accept JSON as user input are the most susceptible to these attacks. In the most severe cases, it’s possible to crash a server by just supplying additional values in JSON input. This can make the server vulnerable to DoS attacks via JSON pollution.
The key to preventing JSON pollution attacks is to validate all JSON input. This can be done manually or by defining a schema for your JSON to validate against.
In this recipe, we’re going to demonstrate a JSON pollution attack and learn how to protect against these attacks by validating our JSON input. Specifically, we’ll be using Another JSON Schema Validator (Ajv) to validate our JSON input.
Getting ready
To prepare for this recipe, we must create a server that...