Most Common JSON Interview Questions

author image Hirely
at 10 Jan, 2025
  • Software Development
  • Questions

    • Answer:

    While JSON is a widely used and convenient data format for data exchange, it comes with certain security concerns that need to be addressed during its usage, especially in web applications. Below are some common security risks related to JSON and how to mitigate them:

    1. JSON Injection

    Problem: JSON injection occurs when malicious users can insert or manipulate JSON data to inject harmful content or scripts into a JSON object. This is particularly a concern when JSON data is used to interact with applications or databases.

    Risk: If an attacker injects malicious JSON data, they might be able to execute unintended actions, such as SQL injection or XSS (Cross-Site Scripting) attacks, depending on how the application processes the data.

    Example:

    • Suppose an API expects JSON data but is vulnerable to JSON injection. An attacker could manipulate the request, injecting malicious data into the JSON payload: 
      { "user": "admin", "password": "password' OR '1'='1" }
      This could lead to SQL injection attacks if the data is inserted into a database query without proper validation or sanitization.

    Mitigation:

    • Always sanitize and validate JSON data on the server before processing it.
    • Use prepared statements or parameterized queries to protect against SQL injection.
    • Implement input validation (e.g., ensuring that strings contain only valid characters, numbers, or predefined values).

    2. Cross-Site Scripting (XSS) via JSONP

    Problem: JSONP (JSON with Padding) is a technique used to overcome the same-origin policy in web browsers by allowing JSON data to be retrieved via <script> tags. However, if not properly handled, JSONP responses can expose applications to Cross-Site Scripting (XSS) attacks.

    Risk: An attacker can inject malicious JavaScript into the JSONP response, which will then be executed in the context of the user’s browser, potentially leading to data theft or malicious actions.

    Example:

    • An attacker could inject the following malicious JSONP payload into the response: 
      myCallback({ "data": "<script>alert('XSS')</script>" });

    Mitigation:

    • Avoid JSONP if possible. Instead, use CORS (Cross-Origin Resource Sharing) to allow secure cross-origin requests.
    • If you must use JSONP, ensure that the callback function name is strictly validated and cannot be tampered with by user input.

    3. Denial of Service (DoS) via Large JSON Payloads

    Problem: Large JSON payloads can be used to intentionally overload the server, causing it to crash or become unresponsive due to excessive memory usage or processing time.

    Risk: A malicious user may send gigantic JSON objects or deeply nested JSON data, which can exhaust server resources like memory and CPU. This could result in a Denial of Service (DoS) attack.

    Example:

    • An attacker might send a large, deeply nested JSON object that consumes excessive server memory: 
      { "key": { "key": { "key": { "key": ... } } } }

    Mitigation:

    • Implement size limits on JSON requests to prevent large payloads.
    • Set limits on JSON depth (i.e., how many levels of nesting are allowed) to prevent infinite recursion or excessive nesting.
    • Use streaming parsers (e.g., JSONStream in Node.js) to handle large payloads incrementally and avoid loading them entirely into memory.

    4. Information Disclosure

    Problem: If sensitive data is included in a JSON response (e.g., in API responses), attackers might be able to access or exploit that data.

    Risk: Including sensitive information such as user passwords, tokens, or system details in a JSON response could lead to data breaches.

    Example:

    • A JSON response might expose sensitive internal data, like: 
      { "user": "admin", "password": "admin123", "token": "abcdef12345" }

    Mitigation:

    • Avoid sending sensitive information in JSON responses. This includes passwords, tokens, or any private data.
    • Always mask or redact sensitive information before sending it back in responses.
    • Ensure proper access controls to sensitive data, allowing only authorized users or systems to retrieve sensitive JSON data.

    5. Man-in-the-Middle (MITM) Attacks

    Problem: If JSON data is transmitted over unsecured channels (i.e., without using HTTPS), it is vulnerable to Man-in-the-Middle (MITM) attacks. An attacker can intercept the data during transmission and modify it or steal sensitive information.

    Risk: Sensitive information in the JSON payload (e.g., login credentials, API keys) can be intercepted, modified, or stolen.

    Mitigation:

    • Always use HTTPS (SSL/TLS) to encrypt communication between clients and servers to prevent interception or tampering of JSON data.
    • Ensure that SSL certificates are valid and properly configured on the server.

    6. JSON Data Injection in Web Applications

    Problem: When client-side JavaScript parses JSON data, attackers may be able to inject malicious code into the data if the data is not properly validated.

    Risk: If an attacker can manipulate the JSON data or inject scripts that the JavaScript engine will execute, this could lead to Cross-Site Scripting (XSS) attacks.

    Example:

    • Malicious JSON data might include: 
      { "username": "attacker", "script": "<img src='x' onerror='alert(1)'>" }

    Mitigation:

    • Sanitize and validate JSON data before using it in JavaScript code.
    • Use safe methods to insert JSON data into HTML (e.g., textContent instead of innerHTML) to prevent script execution.
    • Consider using JSON.stringify() to ensure that user-provided data is serialized safely before being embedded in the DOM.

    7. Cross-Site Request Forgery (CSRF) via JSON

    Problem: When making API requests that accept JSON data, an attacker might craft a malicious request to perform actions on behalf of an authenticated user, such as changing user settings or making transactions.

    Risk: If an API does not verify the authenticity of requests properly, attackers can exploit Cross-Site Request Forgery (CSRF) to send unauthorized JSON requests.

    Mitigation:

    • Implement CSRF tokens to verify that requests are coming from legitimate sources.
    • Ensure that authentication tokens (such as JWTs) are transmitted in secure headers rather than as part of the JSON body.

    Conclusion:

    JSON, while a powerful and widely used format for data exchange, introduces several security concerns that need to be mitigated in modern web applications. Some of the primary concerns include JSON injection, XSS via JSONP, DoS via large payloads, information disclosure, and MITM attacks. To address these risks, it is important to implement input validation, secure transmission methods (HTTPS), size and depth limits, access control mechanisms, and safe handling of sensitive data. By following best practices, you can secure your applications and reduce the likelihood of security vulnerabilities related to JSON.

    Question: How do you convert a JavaScript object into JSON?

    Answer:

    To convert a JavaScript object into JSON, you use the JSON.stringify() method. This method takes a JavaScript object or value and returns a JSON string representation of the object.

    Syntax:

    JSON.stringify(value, replacer, space);
    • value: The JavaScript object (or value) that you want to convert to JSON.
    • replacer (optional): A function or an array that can alter the process of converting the object to JSON. It allows you to selectively include or exclude properties or modify values.
    • space (optional): A string or number used to add indentation (pretty-printing) to the output JSON string, making it easier to read.

    Example:

    Basic Example:

    // JavaScript object
let person = {
  name: "John",
  age: 30,
  city: "New York"
};

// Convert the JavaScript object to a JSON string
let jsonString = JSON.stringify(person);

console.log(jsonString);
// Output: {"name":"John","age":30,"city":"New York"}

    Example with Pretty-Printing:

    If you want the resulting JSON string to be formatted in a more readable way with indentation, you can use the space argument.

    let person = {
  name: "John",
  age: 30,
  city: "New York"
};

// Convert to JSON with indentation (2 spaces)
let jsonString = JSON.stringify(person, null, 2);

console.log(jsonString);
/*
Output:
{
  "name": "John",
  "age": 30,
  "city": "New York"
}
*/

    Example with replacer:

    You can use the replacer argument to filter which properties should be included in the JSON output. You can pass either a function or an array of keys to include.

    • Using a function as a replacer:

      let person = {
  name: "John",
  age: 30,
  city: "New York"
};

let jsonString = JSON.stringify(person, function(key, value) {
  // Exclude the "age" property
  if (key === "age") {
    return undefined;
  }
  return value;
});

console.log(jsonString);
// Output: {"name":"John","city":"New York"}

    • Using an array as a replacer:

      let person = {
  name: "John",
  age: 30,
  city: "New York"
};

let jsonString = JSON.stringify(person, ["name", "city"]);

console.log(jsonString);
// Output: {"name":"John","city":"New York"}

    Key Points:

    • JSON.stringify() is used to convert a JavaScript object to a JSON string.
    • By default, JSON.stringify() converts all properties of an object to a JSON string.
    • You can optionally format the output for better readability by using the space parameter.
    • You can use the replacer parameter to control which properties are included or excluded and to transform the values during the conversion process.

    Limitations:

    • Functions and undefined values: JavaScript functions, undefined, and certain special values like Symbol are not included in JSON output (they are either omitted or replaced with null).

      let obj = {
  name: "John",
  greet: function() { return "Hello"; },
  age: undefined
};

let jsonString = JSON.stringify(obj);

console.log(jsonString);
// Output: {"name":"John","age":null}

    • Circular references: If the object contains circular references (e.g., objects referencing themselves), JSON.stringify() will throw a TypeError.

      let obj = {};
obj.self = obj;

try {
  let jsonString = JSON.stringify(obj);
} catch (e) {
  console.log(e);  // TypeError: Converting circular structure to JSON
}

    To handle circular references, you can use a custom replacer function that detects and removes them.

    By using JSON.stringify(), you can easily convert JavaScript objects into JSON format, which is commonly used for data exchange, storage, and transmission in web applications.

    Read More

    If you can’t get enough from this article, Aihirely has plenty more related information, such as JSON interview questions, JSON interview experiences, and details about various JSON job positions. Click here to check it out.

    Tags
    Share

    Related Posts

    Trace Job opportunities

    Hirely, your exclusive interview companion, empowers your competence and facilitates your interviews.

    Get Started Now