I am quite confused while understanding these two vulnerabilities. How are JSONP-related vulnerabilities different from JSON Hijacking?
1 Answer
Is JSON Hijacking different than JSONP injection?
Yes, they are different attacks. While JSON hijacking is a threat from the past that's now eliminated in all major browsers, JSONP injection remains a security threat to web applications. Both attacks have in common that their goal is to read a JSON response from an untrusted origin.
JSONP Injection
With JSONP (JSON with padding), an application deliberately provides a JSON response inside a function callback (or sometimes as an assignment), most often to overcome cross-origin boundaries.
E.g., the site https://example.com/mySecrets?callback=saveSecrets might return some "secrets" of the currently logged-in user, with the response looking like this:

saveSecrets({"userSecrets": [123, 456, 789]})
In this case, an attacker can define their own callback function (saveSecrets) and include the document as an external script to exfiltrate the secrets of the current user, along the lines of:
<script>
    function saveSecrets(secrets) {
        alert(secrets);
    }
</script>
<script src="https://example.com/mySecrets?callback=saveSecrets"></script>
(There are many other JSONP attack scenarios. You can find more of them with detailed explanations here.)
JSON Hijacking
JSON hijacking follows the same idea of exfiltrating a JSON response. But in this case, the application does not provide a convenient callback function. Instead, the attack relies on modifying native JS objects. Fortunately, this is not possible anymore in current browsers.
The text-book example is JSON inside an Array, e.g.:
[{"userSecrets": [123, 456, 789]}]
Years ago, when browsers allowed scripts to re-define native JS Objects, the way to extract the secrets was by defining your own Array constructor or hijacking the Object prototype with e.g. Object.__defineSetter__ and then referencing the URL as an external script, similar to the JSONP example above.
(You can read more about JSON hijacking in this blog post or my response here.)
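The following is an added example, not part of the answer above, showing the defensive side of both sections: how a JSONP endpoint should treat the attacker-controlled callback parameter and why per-user data must not be exposed over JSONP at all, and how a plain JSON endpoint is hardened against script inclusion (object wrapping, an unparseable prefix, correct headers). The response builders, the `{status, headers, body}` shape and all function names are hypothetical; adapt them to your framework.

```javascript
// Added example (not from the original answer). Hypothetical server-side
// response builders returning plain {status, headers, body} objects.

// The callback name is attacker-controlled input. Restrict it to a plain
// (optionally dotted) identifier and a sane length.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
const MAX_CALLBACK_LENGTH = 64;

// Prefix that turns a JSON body into a syntax error if a browser ever loads it
// as a script. The legitimate client strips it before JSON.parse().
const ANTI_HIJACK_PREFIX = ")]}',\n";

function buildJsonpResponse(callbackName, payload, { containsUserSecrets = false } = {}) {
  // Any origin can embed a JSONP URL as <script src=...>, and the browser sends
  // the user's cookies along. Per-user data therefore must never be served via
  // JSONP; use plain JSON with a CORS allow-list instead.
  if (containsUserSecrets) {
    return { status: 403, headers: { 'Content-Type': 'text/plain' }, body: 'JSONP not permitted for per-user data' };
  }
  if (typeof callbackName !== 'string' || callbackName.length > MAX_CALLBACK_LENGTH || !CALLBACK_RE.test(callbackName)) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'invalid callback name' };
  }
  // Leading comment keeps the response from being interpreted as another format;
  // nosniff makes the browser honour the declared type.
  const body = `/**/${callbackName}(${JSON.stringify(payload)});`;
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript; charset=utf-8', 'X-Content-Type-Options': 'nosniff' },
    body,
  };
}

function buildJsonResponse(payload) {
  // Never return a bare top-level array; wrap in an object and add the prefix.
  const body = ANTI_HIJACK_PREFIX + JSON.stringify({ data: payload });
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/json; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
      'Cache-Control': 'no-store',
    },
    body,
  };
}

// Client-side counterpart: strip the prefix, then parse as data.
function parseGuardedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) throw new Error('missing anti-hijack prefix');
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Diagnostic: would this body parse if a browser loaded it as a script?
// The Function constructor is used as a syntax check only; nothing runs.
function isParseableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample data (not real secrets).
const sampleSecrets = { userSecrets: [123, 456, 789] };
const jsonp = buildJsonpResponse('saveSecrets', sampleSecrets, { containsUserSecrets: true });
const json = buildJsonResponse(sampleSecrets);
console.log('JSONP for per-user data:', jsonp.status, jsonp.body);
console.log('Bare array parses as script:', isParseableAsScript('[{"userSecrets": [123, 456, 789]}]'));
console.log('Guarded JSON parses as script:', isParseableAsScript(json.body));
console.log('Client sees:', JSON.stringify(parseGuardedJson(json.body)));
```

The textbook array response from the answer parses cleanly as a script, whereas the guarded body does not, which is why the prefix is still useful as defence in depth even though native-object redefinition no longer works in current browsers. The callback check addresses a separate problem with JSONP endpoints: an unvalidated callback parameter lets arbitrary JavaScript be reflected into a response served as `application/javascript`.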