# Ruby _json pollution

{{#include ../../banners/hacktricks-training.md}}

Hii ni muhtasari kutoka kwenye posti [https://nastystereo.com/security/rails-_json-juggling-attack.html](https://nastystereo.com/security/rails-_json-juggling-attack.html)

## Basic information

Wakati wa kutuma mwili, baadhi ya thamani zisizoweza kuhashiwa kama array zitaongezwa kwenye ufunguo mpya unaoitwa `_json`. Hata hivyo, inawezekana kwa mshambuliaji pia kuweka katika mwili thamani inayoitwa `_json` yenye thamani za kiholela anazotaka. Kisha, ikiwa backend kwa mfano inakagua ukweli wa parameter lakini pia inatumia parameter `_json` kufanya kitendo fulani, inaweza kufanyika kupita idhini.
```json
{
"id": 123,
"_json": [456, 789]
}
```
## Marejeleo

- [https://nastystereo.com/security/rails-_json-juggling-attack.html](https://nastystereo.com/security/rails-_json-juggling-attack.html)

{{#include ../../banners/hacktricks-training.md}}