
The question is: when the response type of a request comes back as application/json and there is not any kind of escaping/encoding implemented, is it possible to execute XSS there? The changing-file-extension trick seems to work up to Internet Explorer 9, and all the research on blogs is much older. Is anybody aware of a trick to execute XSS on the latest IE versions like 10 & 11?

I have already read blogs like http://blog.watchfire.com/wfblog/2011/10/json-based-xss-exploitation.html. They claim it worked up to IE9.

bhartay
  • Bhartay - I see most of your questions have been closed. Please re-read [ask] and also search the site to see if your question has already been asked. – Rory Alsop Jan 15 '16 at 10:31

2 Answers


XSS is still possible even in newer versions. But it depends how the JSON is used. The article you reference cares only about executing JSON by itself, i.e. accessing a JSON document via a link.

It does not discuss the case where you return JSON from an XHR request and then include the received data directly with document.write, or even interpret it with eval. In this case of full trust in the validity of the JSON, XSS is still a problem. No content-type sniffing will be done, because the web application inside the browser knows what it should get and will interpret the content itself, i.e. it is not the browser that renders the content.

XSS is also possible if the JSON is included with a script tag. In this case browsers accept (almost) all content types and no sniffing is done because again the browser knows already what the content should be from the context.

Steffen Ullrich
  • How come it would be possible? If we are requesting a resource/getting JSON data from a resource, then the Access-Control-Allow-Origin header won't allow getting data from the target site. Isn't it? – bhartay Jan 14 '16 at 08:40
  • @bhartay: Access-Control-Allow-Origin is only relevant for cross origin requests which might or not be the case in your question. The problem is - you ask a very broad question if XSS is possible based on content-type but cite only an example which shows XSS for a very specific use case. In other use cases XSS is still possible but I have no idea what your actual use case is. Setting content-type or setting nosniff does protect you against XSS only in specific use cases. – Steffen Ullrich Jan 14 '16 at 09:13
  • You said in your first reply that we can make an XHR request and can load JSON data in document.write or whatever. That was my reply to it. If you are loading anything cross-domain then you won't be allowed (obviously) unless the target allowed it (not possible). I agree that in some scenarios it is possible when a dev loads the JSON response in an HTML context, but I doubt the XHR method would work. – bhartay Jan 14 '16 at 12:46
  • @bhartay: [XHR](https://de.wikipedia.org/wiki/XMLHttpRequest) is the common shortcut for XMLHttpRequest, i.e. contrary to XSS or XSRF, the X does not stand for cross. XHR is usually not done cross domain, but it can be done with CORS. – Steffen Ullrich Jan 14 '16 at 13:02
  • Right, XHR is usually not done cross domain, but in our scenario, i.e. we are loading a cross-domain resource in our context (domain), it isn't possible. – bhartay Jan 14 '16 at 13:37
  • @bhartay: I see. Maybe you should add more about this kind of context to your question. – Steffen Ullrich Jan 14 '16 at 14:38
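The two client-side patterns this answer contrasts, as an added example that is not part of the answer or the original thread: a page that fully trusts the JSON it fetched and splices a field straight into markup (what a document.write call would emit), next to the same rendering with HTML encoding, plus JSON.parse as the strict alternative to eval. The response bodies are constructed for the demonstration; escapeHtml, renderTrusting, renderEncoded and parseStrict are names chosen here.

```javascript
// Constructed service response: a user-controlled "name" field that the
// server returned with no output encoding (the situation the question asks about).
const CONSTRUCTED_RESPONSE = '{"name":"<img src=x onerror=alert(1)>","id":7}';

// Constructed tampered body: valid-looking data with code appended. eval()
// would run the appended statement; JSON.parse() rejects the whole body.
const CONSTRUCTED_TAMPERED = '{"id":7}; globalThis.pwned = true';

// Encode the five characters that matter in an HTML text/attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Trusting pattern from the answer: the JSON field is inserted as markup,
// so whatever the server sent becomes live HTML (here: an event handler).
function renderTrusting(body) {
  const data = JSON.parse(body);
  return '<p>Hello, ' + data.name + '</p>';
}

// Encoded pattern: the field is treated as text, never as markup. In a real
// page, assigning to element.textContent achieves the same thing.
function renderEncoded(body) {
  const data = JSON.parse(body);
  return '<p>Hello, ' + escapeHtml(data.name) + '</p>';
}

// Strict parsing: JSON.parse accepts only the JSON grammar, so a body that
// smuggles code next to the data fails to parse instead of being executed.
function parseStrict(body) {
  try {
    return { ok: true, value: JSON.parse(body) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

console.log('trusting :', renderTrusting(CONSTRUCTED_RESPONSE));
console.log('encoded  :', renderEncoded(CONSTRUCTED_RESPONSE));
console.log('tampered :', parseStrict(CONSTRUCTED_TAMPERED));
```

The point the answer makes is visible in the two rendered strings: the Content-Type of the response never enters into it, because the page's own script decides how the data is used. Encoding at the point of insertion (or using textContent) is what removes the problem, and JSON.parse rather than eval keeps a tampered body from running as code.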

If the content is being specifically served with Content-type: application/json, then I believe there is not currently a known way to execute script within the response. As you mentioned, it may be possible to manipulate the behavior of older content-inspecting browsers based on the payload, unless the content is being specifically served with x-content-type-options: nosniff, which disables the content sniffing features of older versions of Internet Explorer.

Jason Higgins
  • If x-content-type-options: nosniff isn't used and the extension trick is working, then is it possible to execute XSS on the latest IE? – bhartay Jan 13 '16 at 21:44
  • Not on latest IE (that is currently known). Only on older unpatched content inspecting browsers such as Internet Explorer 9 that you already mentioned. – Jason Higgins Jan 13 '16 at 21:46
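The two response-header conditions this answer names, turned into a small review helper as an added example (not code from the answer or the thread): it checks that a JSON endpoint declares application/json and that content sniffing is disabled with X-Content-Type-Options: nosniff, handling header-name case and Content-Type parameters such as charset. The header sets and the function names reviewJsonResponse, headerValue and mediaType are constructed for this example.

```javascript
// Case-insensitive header lookup (HTTP header names are case-insensitive).
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? undefined : headers[key];
}

// Media type without parameters, lower-cased:
// "Application/JSON; charset=utf-8" -> "application/json".
function mediaType(contentType) {
  if (!contentType) return undefined;
  return contentType.split(';')[0].trim().toLowerCase();
}

// Returns the findings a reviewer would raise for a JSON endpoint's response
// headers; an empty list means both conditions from the answer are met.
function reviewJsonResponse(headers) {
  const findings = [];

  const type = mediaType(headerValue(headers, 'Content-Type'));
  if (type === undefined) {
    findings.push('no Content-Type: a content-inspecting browser may guess the type from the body');
  } else if (type !== 'application/json') {
    findings.push('Content-Type is ' + type + ', expected application/json');
  }

  const xcto = headerValue(headers, 'X-Content-Type-Options');
  if (!xcto || xcto.trim().toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options: nosniff not set: older IE versions may still sniff the body');
  }

  return findings;
}

// Constructed sample header sets: one hardened, one that relies on sniffing behaviour.
const HARDENED = {
  'Content-Type': 'application/json; charset=utf-8',
  'X-Content-Type-Options': 'nosniff',
};
const SNIFFABLE = { 'content-type': 'text/plain' };

console.log('hardened :', reviewJsonResponse(HARDENED));
console.log('sniffable:', reviewJsonResponse(SNIFFABLE));
```

Both findings are about what the browser is allowed to guess; as the other answer notes, neither header helps once the page's own script inserts the JSON fields into the document without encoding.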