First of all the string defracturing relates to fusing of two different strings and manipulate by joining together to form one large string that is used as malformed input.This exploiting factor comes to play as a result of a feature of JSON.what happens in this is that the JSON pass string as normal string through function toJSONString() function.The malicious attacker can easily inject script as:
0x01] Direct Injecting in which the string passed is the script only bu not any kind of desired string.
0x02] Indirect Injecting means the script is going to be fused with the string as encoded string so that it seems as generic string and the contents are not readable by any user or the security enhanced program.
This document is in PDF format. To view it click here.