Introduction
JsonP is an abbreviation for Json with padding. JsonP It was created to enable cross-origin access to JavaScript and it operates as an exception to the same-origin policy, allowing cross-origin data access. It’s basically a way to get around SOP and access data. Originated from a cross.
Security Issue with JSONP
Data from another website can be accessed via JSONP. This allows you to retrieve personal information from a logged-in user. Other sites should not have access to data that is specific to a user or can only be accessed by an authenticated user. However, JSONP allows for a CSRF-style attack to access the data
The JSONP URL is included as a script on the attacker’s site. If the user is authenticated, the browser executes the request and sends cookies along with it. The data for the authenticated user will be returned via the JSONP, which the attacker’s site can view. The attacker’s site performs an authenticated request using the user’s current session.
Working Mechanism of JsonP Attack
Let’s see how it works here. As you can see, we directly placed an APi endpoint and script tag with a callback, Function set. The callback function instructs the end point to fetch data in JsonP Wrapped format, and it will send the response data to the callback function. In this case, callme function will get executed, and that function can access to data. So if the api endpoint is misconfigure, then we can use JsonP to steal data cross site.
<html>
<body>
<h2>JSONP AttackPOC</h2>
<p id="demo"></p>
<script>
function Callme(test) {
console.log(test);
document.getElementById("demo").innerHTML = test;
}
</script>
<script src="https://api.target.com/me?callback=Callme"></script>
</body>
</html>Requirements to Perform JSONP Attack
1: Determine whether the given API endpoint is a cookie-based endpoint.
2: Second check is made to ensure that the request does not contain any CSRF tokens or Authorization tokens.
3: Third, assign callback equal to a some function and check if it returns json wrap data. Then we can develop Js programmes and steal data across multiple sites with ease.’
Performing attack
We already seen how to find the JSONP endpoint. Now we’ll look at how it can be used to steal data across multiple sites.
Check if the endpoint is vulnerable to JSON.P. So what I’ll do is I’ll just open API URL in tab
Determine whether the supplied API endpoint is a cookie-based endpoint. And, as we’ve already established, this is a cookie-based endpoint. As a result, it authenticates with a login token. As a result, when we visit it directly, it returns data. Make sure there aren’t any CSRF tokens.
We don’t send any tokens in this request, hence there is no CSRF method or tokens to guard against CSRF. So let’s create some third-party callback functions. So I’ll just set the callback function to be the same as call me.
Now you can see that there is a JSON in the response. In the function Browser, JsonP wraps data. There’s a JSON object there, as you can see. As a result, we’ve established that JSON is correct.
We can steal data across the site because JsonP is enabled on the API. So, let’s see what we can do to get it. We can use the above code to extract the data of this page. As a result, attacker.com is browser. I’ve simply pasted the URL in some JavaScript code.
Takeaway
For Developers: One important takeaway is to avoid using JSONP. Given that browsers as far back as IE10 have CORS support, and even huge companies and my in-laws have long given up on IE9 (a browser released 10 years ago), it’s highly likely that you don’t need it anymore. (This isn’t to argue that all sites that utilise JSONP should rewrite; most have low-risk use cases that involve giving a user-agnostic answer that doesn’t expose sensitive information.
For Researcher: BigQuery might be a good place to start experimenting with HTTP Archive data. There are a number more search options that I didn’t cover in this piece, such as looking for sites that offer JSONP endpoints and marking some cookies as SameSite=None (meaning that any exploit found would more likely be exploitable cross-browser).
About Payatu
Payatu is a Research Focused, CERT-In impaneled Cybersecurity Consulting company specializing in security assessments of IoT product ecosystem, Web application & Network with a proven track record of securing applications and infrastructure for customers across 20+ countries
