4

I am quite confused while understanding these two vulnerabilities. How are JSONP-related vulnerabilities different from JSON Hijacking?

Arminius (43,922 rep)
PenGeek (189 rep)
  • JSON hijacking is long dead, an issue in FF1.5 with Array constructors on non-jsonp non-cors responses. JSONP injection is where you're too generous with the allowed callback names, not sanitizing them enough. – dandavis Sep 19 '17 at 19:30

1 Answer

7

Is JSON Hijacking different than JSONP injection?

Yes, they are different attacks. While JSON hijacking is a threat from the past that's now eliminated in all major browsers, JSONP injection remains a security threat to web applications. Both attacks have in common that their goal is to read a JSON response from an untrusted origin.

JSONP Injection

With JSONP (JSON with padding), an application deliberately provides a JSON response inside a function callback (or sometimes as an assignment), most often to overcome cross-origin boundaries.

E.g., the site https://example.com/mySecrets?callback=saveSecrets might return some "secrets" of the currently logged-in user, with the response looking like this:

saveSecrets({"userSecrets": [123, 456, 789]})

In this case, an attacker can define their own callback function (saveSecrets) and include the document as an external script to exfiltrate the secrets of the current user, along the lines of:

<script>
function saveSecrets(secrets) {
    alert(secrets);
}
</script>
<script src="https://example.com/mySecrets?callback=saveSecrets"></script>

(There are many other JSONP attack scenarios. You can find more of them with detailed explanations here.)

JSON Hijacking

JSON hijacking follows the same idea of exfiltrating a JSON response. But in this case, the application does not provide a convenient callback function. Instead, the attack relies on modifying native JS objects. Fortunately, this is not possible anymore in current browsers.

The textbook example is JSON inside an Array, e.g.:

[{"userSecrets": [123, 456, 789]}]

Years ago, when browsers allowed scripts to re-define native JS Objects, the way to extract the secrets was by defining your own Array constructor or hijacking the Object prototype with e.g. Object.__defineSetter__ and then referencing the URL as an external script, similar to the JSONP example above.

(You can read more about JSON hijacking in this blog post or my response here.)

Arminius (43,922 rep)