[web][Pro][medium]
Fragment JSON
web-kids20
Web application for processing payments (similar to d21, but with JSON). The system validates that the sender equals "me". User input in the "comment" field is inserted into JSON without escaping.
$ ls tags/ techniques/
json_fragment_injection payment_forgery
$ grep --similar
Similar writeups
- [web][Pro] Fragment XML — web-kids20
- [web][Pro] Fragment YAML — web-kids20
- [web][Pro] Medium 3 - JSON Injection XSS — web-kids20
- [web][Pro] Race Shop 2 — web-kids20
- [web][Pro] Easy 1 — web-kids20