Is JavaScript object injection exploitable?

Question

I'm testing a site that behaves like this:

1. When I change my username, I submit a POST request with JSON data like this {"username":"John"}.
2. If I change that to for example {"username":{"test":"test"}}, my username is printed like this: [object Object]
3. Therefore I concluded that I can inject objects and have tried to override the toString method of my object doing this: {"username":{"test":"test","toString":"function() {return 1;}"}}, but when I load a page where the username should be printed, I just get a runtime error in the console saying that toString is not a function.

I assume that I have successfully managed to overwrite the toString method, but it seems that I have just replaced it with a string, and therefore it is not a method anymore and cannot be executed.

Any ideas if this could be exploitable?

Answer 1

JSON can not be used for object injection in JavaScript the way your question suggests.

JSON only allows strings, numbers, objects, arrays, booleans and null. It does not allow functions. So what you are passing there might look like a function, but it is not one. It is just a string that happends to contain some code for a function. Unless there is something on the server explicitly taking strings and executing them as code (e.g. eval), the code will not be executed. JSON deserialization does not execute code in strings.

So why the error message? When you ask JavaScript to treat a variable as a string (e.g. print it), it tries to convert it to a string if it is not already one. This is done by trying to call the member toString. But you have set it to be a string, not a function, so it can not be called. Hence the error.