JSON Hijacking, as the name suggests, is an attack similar to Cross-Site Request Forgery, in which an attacker can access sensitive cross-domain JSON data from applications that return sensitive data as array literals in response to GET requests. An example of a JSON call returning an array literal is shown below:
This attack can be achieved in 3 major steps:
- Step 1: Get an authenticated user to visit a malicious page.
- Step 2: The malicious page will try to access sensitive data from the application that the user is logged into. This can be done by embedding a script tag in an HTML page, since the same-origin policy does not apply to script tags.
- The browser will make a GET request to json_server.php, and any authentication cookies of the user will be sent along with the request.
- Step 3: At this point, while the malicious site has executed the script, it does not have access to any sensitive data. Getting access to the data can be achieved by using an object prototype setter. In the code below, an object prototype's property is being bound to the defined function when an attempt is made to set the "ccnum" property.
```javascript
secrets = secrets.concat(" ", obj);
```
- At this point the malicious site has successfully hijacked the sensitive financial data (ccnum) returned by json_server.php.
There are several ways in which JSON Hijacking can be prevented:
- Since SCRIPT tags can only generate HTTP GET requests, only return JSON objects to POST requests.
- Implement Cross-Site Request Forgery protection by requiring that a predefined random value be included with all JSON requests.