
I have patched my site to prevent JSON hijacking. During this process, I was interested to see if I could actually exploit this vulnerability.

So I created a foo.html and added a script tag whose source attribute referenced my site, which I was logged into. I was unable to exploit the vulnerability. I took a look at the network traffic, and I could not see my authentication cookie being passed in the request.

Does this mean that most browsers have fixed the vulnerability? Is there some table that will let me know which browsers have fixed it? Or have I completely misunderstood the vulnerability?

https://capec.mitre.org/data/definitions/111.html


1 Answer


Does this mean that most browsers have fixed the vulnerability?

Yes, this vulnerability was fixed in all browsers about ten years ago. According to John Resig, the JavaScript specification was modified and the behaviour at least in Firefox was changed so that constructors can't be overridden to steal data.

Is there some table that will let me know which browsers have fixed it?

Generally, no. For some features CanIUse shows which browsers have implemented things. The Chrome Status site is useful to see the state of features in Chrome.

I could not see my authentication cookie being passed in the request.

I would expect the cookie to be present. Perhaps you are testing this with the latest Chrome, which is more careful with sending cookies to other sites.

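The question says the site was "patched" against JSON hijacking without showing how. The following is an added example (not code from the question or the answer) of the usual server-side mitigation: prepend a token that makes the body a JavaScript syntax error, so a cross-site `<script src=...>` cannot execute it, while a same-origin XHR/fetch client strips the token before `JSON.parse`. It also shows why the classic attack only worked against top-level arrays. The prefix value and the function names are assumptions for this example.

```javascript
// Prefix that turns the body into a JavaScript syntax error when loaded as a script.
// The exact value is an assumption; any string that cannot begin a statement works.
const ANTI_HIJACK_PREFIX = ")]}',\n";

// Server side: serialise the value and prepend the prefix before sending it.
function protectJsonBody(value) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(value);
}

// Client side (same origin, reads the body via XHR/fetch): strip the prefix and parse.
function parseProtectedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("response is missing the anti-hijacking prefix");
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Check whether a body would even compile if a <script src> tag loaded it.
// new Function() parses without executing, so this is safe to run on any input.
function isParseableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Defence in depth: a JSON API should never be fetched by a <script> element.
// Modern browsers send Fetch Metadata headers; reject requests whose
// Sec-Fetch-Dest is "script". Older browsers omit the header, so only
// the value "script" is treated as a hijacking attempt.
function isScriptTagRequest(headers) {
  const dest = (headers["sec-fetch-dest"] || "").toLowerCase();
  return dest === "script";
}

// Constructed sample data standing in for a user's private records.
const sampleRecords = [{ id: 1, secret: "s3cr3t" }];
// A bare array is a valid script; a bare object is not, and neither is the protected body.
console.log(isParseableAsScript(JSON.stringify(sampleRecords)));   // true
console.log(isParseableAsScript('{"secret":"s3cr3t"}'));            // false
console.log(isParseableAsScript(protectJsonBody(sampleRecords)));  // false
```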