💉Tutorial 31: NFT JSON and XSS injection

Introduction to JSON Injection Vulnerabilities in tokenURI Functions

In Solidity-based protocols, the tokenURI function is commonly used to return metadata for non-fungible tokens (NFTs). This metadata is usually formatted as JSON and carries fields such as the token's name, description, and image. When the contract builds that JSON from user-supplied strings without escaping or otherwise sanitizing them, it becomes exposed to JSON injection: a malicious actor can break out of a string value and alter the structure of the document. Depending on how marketplaces and wallets consume the metadata, this can lead to identity spoofing, cross-site scripting (XSS) in the front ends that render it, or misleading data representation.

This section explores how these vulnerabilities arise and details the risks of handling JSON improperly in smart contracts, especially in systems that rely on user-generated content or third-party applications.
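As an added example (not code from this tutorial), the following JavaScript models the string-concatenation pattern a Solidity tokenURI implementation typically uses, so the effect of an unescaped name can be observed with a real JSON parser. Everything in it is constructed for illustration: the metadata template, the sample name containing quote characters, the image URLs, and the helper names buildMetadataUnsafe, buildMetadataSafe, escapeJsonString and findDuplicateKeys are assumptions of this example, not part of any real contract. The escaping step is the same fix a contract has to apply before concatenating user strings into JSON; the duplicate-key scan is a consumer-side check, since JSON parsers disagree on which duplicate key wins (JSON.parse keeps the last one), so a marketplace or indexer should reject such metadata rather than silently pick one.

```javascript
// Constructed sample input: a token name that contains JSON structure.
// The quotes let it close the "name" value and add a second "image" field.
const CONSTRUCTED_NAME = 'Cool Cat","image":"https://injected.example/payload.svg","x":"';
const LEGIT_IMAGE = 'ipfs://legit-image-cid';
const INJECTED_IMAGE = 'https://injected.example/payload.svg';

// Vulnerable builder: mirrors a Solidity tokenURI that does
// string(abi.encodePacked('{"description":"demo","image":"', image, '","name":"', name, '"}'))
// without escaping the user-controlled name.
function buildMetadataUnsafe(name, image) {
  return '{"description":"demo","image":"' + image + '","name":"' + name + '"}';
}

// Minimal JSON string escaper: quotes, backslashes and control characters.
// This is the on-chain fix too; a Solidity contract must apply the same rules
// (or use a library that does) before concatenating user strings into JSON.
function escapeJsonString(s) {
  let out = '';
  for (const ch of s) {
    const code = ch.charCodeAt(0);
    if (ch === '"') out += '\\"';
    else if (ch === '\\') out += '\\\\';
    else if (code < 0x20) out += '\\u' + code.toString(16).padStart(4, '0');
    else out += ch;
  }
  return out;
}

// Hardened builder: same template, but every user-controlled field is escaped,
// so the name stays a single string value no matter what it contains.
function buildMetadataSafe(name, image) {
  return '{"description":"demo","image":"' + escapeJsonString(image) +
         '","name":"' + escapeJsonString(name) + '"}';
}

// Consumer-side check: list the keys of the top-level object without using
// JSON.parse, which silently drops duplicates. Assumes the document is a
// top-level JSON object (the shape NFT metadata always has).
function topLevelKeys(json) {
  const keys = [];
  let depth = 0;
  let expectKey = false;
  let i = 0;
  while (i < json.length) {
    const ch = json[i];
    if (ch === '"') {
      // Scan one string literal, keeping escaped sequences intact.
      let j = i + 1;
      let s = '';
      while (j < json.length && json[j] !== '"') {
        if (json[j] === '\\') { s += json[j] + json[j + 1]; j += 2; }
        else { s += json[j]; j += 1; }
      }
      if (depth === 1 && expectKey) { keys.push(s); expectKey = false; }
      i = j + 1;
      continue;
    }
    if (ch === '{') { depth += 1; if (depth === 1) expectKey = true; }
    else if (ch === '[') depth += 1;
    else if (ch === '}' || ch === ']') depth -= 1;
    else if (ch === ',' && depth === 1) expectKey = true;
    i += 1;
  }
  return keys;
}

// Returns the keys that appear more than once at the top level; a non-empty
// result is a strong signal of injected structure and the metadata should be rejected.
function findDuplicateKeys(json) {
  const seen = new Set();
  const dups = [];
  for (const k of topLevelKeys(json)) {
    if (seen.has(k) && !dups.includes(k)) dups.push(k);
    seen.add(k);
  }
  return dups;
}

// Stand-alone demonstration of both builders on the constructed name.
const unsafeJson = buildMetadataUnsafe(CONSTRUCTED_NAME, LEGIT_IMAGE);
const safeJson = buildMetadataSafe(CONSTRUCTED_NAME, LEGIT_IMAGE);
console.log('unsafe image after parse :', JSON.parse(unsafeJson).image);   // injected URL wins
console.log('unsafe duplicate keys    :', findDuplicateKeys(unsafeJson));  // [ 'image' ]
console.log('safe image after parse   :', JSON.parse(safeJson).image);     // legitimate image
console.log('safe name round-trips    :', JSON.parse(safeJson).name === CONSTRUCTED_NAME);
```

Running the block shows the two failure modes a defender cares about: with the unsafe builder the parsed image field is the injected URL, and the duplicate-key scan flags `image`; with the escaped builder the image is untouched and the hostile name round-trips as an ordinary string, which a front end can then render as text without it ever becoming markup.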
