#0603

JSON Type Confusion

Medium · +100 XP · A08:2021 Software and Data Integrity Failures · CWE-502
Type Confusion · Input Validation

Scenario

Your payment endpoint parses a JSON body and immediately uses the `amount` field — trusting that JSON parsing enforces the type.

But JSON allows `amount` to be a string, null, or negative number. Without explicit type validation, a string like `'100; DROP TABLE orders'` can reach downstream SQL builders, and a negative amount can result in credits instead of charges.

Type confusion bugs are among the easiest to exploit — an attacker just changes the JSON value type. They've caused real-world payment bypasses and SQL injections at scale.

Your Tasks

  1. After parsing the JSON string, validate that `amount` is a finite positive number.
  2. Throw `'Invalid amount'` if `amount` is a string, null, negative, zero, or non-finite.
  3. Return `{status: 'ok', charged: amount}` for valid inputs.

Examples

Example 1: Exploit — string injection in amount field

processPayment('{"amount":"100; DROP TABLE"}')
// throws: 'Invalid amount'

Example 2: Safe — valid decimal amount

processPayment('{"amount":99.99}')
// returns: {status:'ok', charged:99.99}

Constraints

  • Throw exactly `'Invalid amount'`.
  • Zero and negative values must be rejected.
  • Infinity and NaN must be rejected.
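As an added example (not the challenge's reference solution), an unchecked handler beside a hardened `processPayment` that meets the tasks and constraints above; the names `processPaymentUnchecked` and `attempt` and the probe inputs are assumptions of this example.

```javascript
// Added example, not the challenge's own solution. Input is a raw JSON body string.

// Before: trusts that JSON.parse enforced the type of `amount`.
function processPaymentUnchecked(body) {
  const { amount } = JSON.parse(body);
  return { status: 'ok', charged: amount }; // strings, null and -5 pass straight through
}

// After: validate the value after parsing. JSON syntax is not a type contract.
function processPayment(body) {
  const data = JSON.parse(body); // throws SyntaxError on malformed JSON
  // Guard bodies that are not objects ("null", "42", "[]"); typeof null is 'object'.
  if (data === null || typeof data !== 'object') {
    throw new Error('Invalid amount');
  }
  const { amount } = data;
  // typeof rejects strings, null/undefined, booleans, arrays and objects.
  // Number.isFinite rejects NaN and +/-Infinity; JSON.parse turns an
  // out-of-range literal such as 1e400 into Infinity, so this branch is reachable.
  // `amount <= 0` rejects zero, -0 and negatives.
  if (typeof amount !== 'number' || !Number.isFinite(amount) || amount <= 0) {
    throw new Error('Invalid amount');
  }
  return { status: 'ok', charged: amount };
}

// Helper: run a handler and return either its result or the thrown message.
function attempt(fn, body) {
  try {
    return fn(body);
  } catch (e) {
    return e.message;
  }
}

// Constructed probes covering each rejected shape plus the valid case.
const probes = [
  '{"amount":"100; DROP TABLE"}', // string
  '{"amount":null}',              // null
  '{"amount":-5}',                // negative
  '{"amount":0}',                 // zero
  '{"amount":1e400}',             // parses to Infinity
  '{"amount":true}',              // boolean
  'null',                         // body is not an object
  '{"amount":99.99}',             // valid
];

for (const body of probes) {
  console.log(body, '=>', JSON.stringify(attempt(processPayment, body)));
}
```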
