JSON Hijacking Demystified

JavaScript Object Notation (JSON) is a language- and platform-independent format for data interchange. JSON is in widespread use, with a number of JSON parsers and libraries available for different languages. While some information is available on JSON hijacking, this attack is not very well understood.

JSON Hijacking, as the name suggests, is an attack similar to Cross-Site Request Forgery where an attacker can access cross-domain sensitive JSON data from applications that return sensitive data as array literals in response to GET requests. An example of a JSON call returning an array literal is shown below:

[{"id":"1001","ccnum":"4111111111111111","balance":"2345.15"},{"id":"1002","ccnum":"5555555555554444","balance":"10345.00"},{"id":"1003","ccnum":"5105105105105100","balance":"6250.50"}]

This attack can be achieved in 3 major steps:

  • Step 1: Get an authenticated user to visit a malicious page.
  • Step 2: The malicious page will try to access sensitive data from the application that the user is logged into. This can be done by embedding a script tag in an HTML page, since the same-origin policy does not apply to script tags.
    <script src="http://<jsonsite>/json_server.php"></script>
    The browser will make a GET request to json_server.php, and any authentication cookies of the user will be sent along with the request.
  • Step 3: At this point, while the malicious site has executed the script, it does not have access to any sensitive data. Getting access to the data can be achieved by using an object prototype setter. In the code below, a property on the object prototype is bound to the defined function, which runs whenever an attempt is made to set the "ccnum" property.

    // Accumulator the setter appends to (undeclared in the original listing).
    var secrets = "";
    // Runs each time any object literal in the returned array sets "ccnum".
    Object.prototype.__defineSetter__('ccnum', function(obj){
        secrets = secrets.concat(" ", obj);
    });

    At this point the malicious site has successfully hijacked the sensitive financial data (ccnum) returned by json_server.php.


It should be noted that not all browsers support this method; the proof of concept was done on Firefox 3.x. This method has since been deprecated and replaced by Object.defineProperty. There is also a variation of this attack that should work on all browsers, where fully named JavaScript (e.g. pi=3.14159) is returned instead of a JSON array.

There are several ways in which JSON Hijacking can be prevented:

  • Since SCRIPT tags can only generate HTTP GET requests, only return JSON objects in response to POST requests.
  • Prevent the web browser from interpreting the JSON object as valid JavaScript code.
  • Implement Cross-Site Request Forgery protection by requiring a predefined random value on all JSON requests.
