JSON Hijacking vulnerability in JSONP and Its Relationship with csrf/xss Vulnerability

Source: Internet
Author: User
Tags to domain

JSON Hijacking vulnerability in JSONP and Its Relationship with csrf/xss Vulnerability

I have been exposed to the so-called JSON Hijacking vulnerability during my internship, but recently I found that I did not understand it very well. It seems that I have some differences and connections with xss and csrf.

In-depth study of JSONP (JSON with Padding ).

 

The following passage is taken from: www.bkjia.com.

 

Say you're on domain abc.com, and you want to make a request to domain xyz.com. To do so, you need to cross domain boundaries, a no-no in most of browserland.

The one item that bypasses this limitation is <script> tags. when you use a script tag, the domain limitation is ignored, but under normal circumstances, you can't really DO anything with the results, the script just gets evaluated.

| R |

| R | Enter JSONP. when you make your request to a server that is JSONP enabled, you pass a special parameter that tells the server a little bit about your page. that way, the server is able to nicely wrap up its response in a way that your page can handle.

| R |

| R | For example, say the server expects a parameter called callback to enable its JSONP capabilities. Then your request wowould look like:

| R |
http://www.xyz.com/sample.aspx?callback=mycallback|r|
| R |

| R | Without JSONP, this might return some basic JavaScript object, like so:

| R |
{ foo: 'bar' }|r|
| R |

| R | However, with JSONP, when the server has es the callback parameter, it wraps up the result a little differently, returning something like this:

| R |
mycallback({ foo: 'bar' });|r|
| R |

| R | As you can see, it will now invoke the method you specified. So, in your page, you define the callback function:

| R |
mycallback = function(data){|r|  alert(data.foo);|r|};|r|
| R |

| R | And now, when the script is loaded, it'll be evaluated, and your function will be executed. Voila, cross-domain requests!

| R |


| R |

| R |

Give a rough explanation. For example, there is such a section in abc.com <script src = http://www.xyz.com/sample.aspx? Callback = mycallback> </script>

Sample. aspx in xyz.com may be implemented as follows:

 

 

PHP Code
1
2
3
4
5
6
  Header ('content-Type: text/html; charset = UTF-8 ');
$ Callback = $ _ GET ['callback'];
$ Data = {foo: 'bar '};
Echo $ callback. (. $ data .);;
?>

 

The returned result of the src tag request is <script> mycallback ({foo: 'bar'}); </script>, that is, the mycallback function is executed.

{Foo: 'bar'} is passed as a parameter to facilitate the next operation. Callback is only a key and can also be written as jsonp. Of course, the key obtained by the server must be changed.

 

Here, for normal requests, jsonp has no security issues. However, for some cgi that expose sensitive information such as user IDs and nicknames in the login state, we can directly access

Www.bkjia.com although we have not implemented loginInfoCallback, but as mentioned above, the server will return

Back to loginInfoCallback ({ret:-1102321, data: {_ id: 1032412, _ nick: jnusimba}); of course, this is the situation where jnusimba has logged on to a.com on another tab in the browser.

. So the attack method is in a third-party site through the "<script | r | src = http://www.a.com/json.php? Mod = pay & func = openvip & callback = loginInfoCallback> </script>"

You can obtain the ID and nickname of the current user in the loginInfoCallback parameter of the function.

 

The preceding JSON Hijacking vulnerability can be considered as a csrf vulnerability, that is, csrf write-read. The basic principle is that the browser's session mechanism is used when a third-party site requests a.com.

The cookie related to a.com is also sent. In terms of defense, it is better to verify the form token on the refer/request, that is, it has a value that cannot be predicted by a third party.

 

For the php code on the server above, the returned {foo: 'bar'} does not carry the login state information, so there is no real risk. But I don't know if someone notices it doesn't. It returns the header

Content-Type: text/html; that is, the type setting is incorrect. It should be content-Type: text/javascript; it is set to html format, which may cause xss attacks, such as callback =

<Script> alert ('aaa') </script>, that is, the browser will pop up the box (note that xss attacks may be restricted in High-version ie and chrome versions, test in firefox ).

The following example shows a youku site that was dug up in the previous 10 days because of the reflection xss vulnerability produced by jsonp. Today, access has been fixed again, but I cannot find the chain that my brother submitted to wooyun.

Then I cried ~.

 

If you want to play, you can see an example of http://lorrylockie.github.io/2015/01/27/jsonp-safe/ here, such:

Access the link http://login.koudai.com/weidian/sendCodeToBuyerPhone? Param = % 20 {% 22 telephone % 22: % 2218601662827% 22, % 22country_code % 22: % 2286% 22} & callback = % 3 Cscript % 3 Ealert % 28/xxs/% 29; % 3C/script % 3E % 3 Cdiv % 20 style = % 22font-size: 100px; % 22% 3 EKOU % 20DAI % 20 TONG % 20DA % 20SHA % 20B % 3C/div % 3E & ver = 1031

Note: professional quality is required for security. The original po owner has already submitted it to wooyun and pocket communication. It is not the responsibility of white hats if they are not repaired. Of course, do not spoof it.

 

 

The response header is html, which causes xss attacks. You can view the source code of the webpage and click OK to view the browser output:

From this we can also verify what we said above about the jsonp application, such as normal requests to access the http://login.koudai.com/weidian/sendCodeToBuyerPhone? Param = % 20 {% 22 telephone % 22: % 2218601662827% 22, % 22country_code % 22: % 2286% 22} & callback = mycallback & ver = 1031

We can guess whether the entered telephone value is verified on the server, and use the returned status_code to indicate whether the value is valid. Then, we can perform the next step as a parameter of mycallback.

For example, send the Verification Code if it is correct. If we change the number to 18601662826 for access, the returned result is

Mycallback ({status: {status_code: 0, status_reason :}}) based on conjecture, I think this number actually exists.

 

For this type of reflection xss vulnerability caused by jsonp, the response header should be set correctly. Second, the callback parameter should be filtered or encoded to avoid direct execution of js.

 

 

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.