Jsonp Explicated for Web Security Researcher

Introduction

JsonP is an abbreviation for Json with padding. JsonP It was created to enable cross-origin access to JavaScript and it operates as an exception to the same-origin policy, allowing cross-origin data access. It’s basically a way to get around SOP and access data. Originated from a cross.

Security Issue with JSONP

Data from another website can be accessed via JSONP. This allows you to retrieve personal information from a logged-in user. Other sites should not have access to data that is specific to a user or can only be accessed by an authenticated user. However, JSONP allows for a CSRF-style attack to access the data
The JSONP URL is included as a script on the attacker’s site. If the user is authenticated, the browser executes the request and sends cookies along with it. The data for the authenticated user will be returned via the JSONP, which the attacker’s site can view. The attacker’s site performs an authenticated request using the user’s current session.

Working Mechanism of JsonP Attack

Let’s see how it works here. As you can see, we directly placed an APi endpoint and script tag with a callback, Function set. The callback function instructs the end point to fetch data in JsonP Wrapped format, and it will send the response data to the callback function. In this case, callme function will get executed, and that function can access to data. So if the api endpoint is misconfigure, then we can use JsonP to steal data cross site.

<html>

<body>
<h2>JSONP AttackPOC</h2>
<p id="demo"></p>

<script>
function Callme(test) {
    console.log(test);
  document.getElementById("demo").innerHTML = test;
}
</script>

<script src="https://api.target.com/me?callback=Callme"></script>

</body>
</html>

Requirements to Perform JSONP Attack

1: Determine whether the given API endpoint is a cookie-based endpoint.

2: Second check is made to ensure that the request does not contain any CSRF tokens or Authorization tokens.

3: Third, assign callback equal to a some function and check if it returns json wrap data. Then we can develop Js programmes and steal data across multiple sites with ease.’

Performing attack

We already seen how to find the JSONP endpoint. Now we’ll look at how it can be used to steal data across multiple sites.

Check if the endpoint is vulnerable to JSON.P. So what I’ll do is I’ll just open API URL in tab

Image
After Opening the the URL, I’ll append the callback function after the end of URL, so the parameter value is reflected

Determine whether the supplied API endpoint is a cookie-based endpoint. And, as we’ve already established, this is a cookie-based endpoint. As a result, it authenticates with a login token. As a result, when we visit it directly, it returns data. Make sure there aren’t any CSRF tokens.

We don’t send any tokens in this request, hence there is no CSRF method or tokens to guard against CSRF. So let’s create some third-party callback functions. So I’ll just set the callback function to be the same as call me.

Image
Here it is clearly indicating the endpoint is vulnerable for JSONP attack

Now you can see that there is a JSON in the response. In the function Browser, JsonP wraps data. There’s a JSON object there, as you can see. As a result, we’ve established that JSON is correct.

We can steal data across the site because JsonP is enabled on the API. So, let’s see what we can do to get it. We can use the above code to extract the data of this page. As a result, attacker.com is browser. I’ve simply pasted the URL in some JavaScript code.

Image
So this is the API endpoint and I’m calling a callback function callme and here you can see access function and we have just logging the object received and I’m just printing the object. So after printing the data all of this data can be seen in dev console.

Takeaway

For Developers: One important takeaway is to avoid using JSONP. Given that browsers as far back as IE10 have CORS support, and even huge companies and my in-laws have long given up on IE9 (a browser released 10 years ago), it’s highly likely that you don’t need it anymore. (This isn’t to argue that all sites that utilise JSONP should rewrite; most have low-risk use cases that involve giving a user-agnostic answer that doesn’t expose sensitive information.

For Researcher: BigQuery might be a good place to start experimenting with HTTP Archive data. There are a number more search options that I didn’t cover in this piece, such as looking for sites that offer JSONP endpoints and marking some cookies as SameSite=None (meaning that any exploit found would more likely be exploitable cross-browser).

About Payatu

Payatu is a Research Focused, CERT-In impaneled Cybersecurity Consulting company specializing in security assessments of IoT product ecosystem, Web application & Network with a proven track record of securing applications and infrastructure for customers across 20+ countries

Subscribe to our Newsletter
Subscription Form
DOWNLOAD THE EBOOK

Fill in your details and get your copy of the ebook in few seconds

Ebook Download
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download ICS Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Cloud Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download IoT Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Code Review Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Red Team Assessment Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download AI/ML Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download DevSecOps Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Product Security Assessment Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download AI/ML Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download IoT Sample Report

Let’s make cyberspace secure together!

Requirements

Connect Now Form

What our clients are saying!

Trusted by