Web security/penetration test--31--Json hijacking/Json injection

1, vulnerability description:

JSON (JavaScript Object Notation) is a lightweight data exchange format. It is easy for people to read and write, and at the same time easy for machines to parse and generate. Because it is plain text, this way of exchanging data can be used directly in the browser, so with the growth of Ajax and web services it has been adopted by many large websites, including Yahoo, Google, Tencent and Baidu, and even banks currently use it for data interaction. However, if this kind of interaction is used to transmit sensitive data and little security control is applied during transmission, it leads to a security vulnerability. Depending on how sensitive the information is, the application will be exposed to attacks of different severity.

2, detection conditions:

Know that the web application exchanges or transmits data using JSON.

3, detection method

By analyzing the data interactions in an application we can often find leaks of sensitive information. The usual method is to crawl the application's interactions and inspect the sensitive data inside them; if no security control is applied during transmission, this kind of vulnerability can be found. The main hazard is that, for applications handling sensitive data, it enables more serious attacks; for applications whose data is not sensitive, or that are deliberately open to third parties, such issues are basically not a security problem. Using JavaScript hijacking from a third-party domain, sensitive data can be stolen. The general form of the exploit code is as follows:

<script> function wooyun_callback(a){alert(a);} </script>  
<script src="http://www.xxx.com/userdata.php?callback=wooyun_callback"></script>
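The detection step above (crawl the application's interactions and look at what the JSON endpoints return) can be partly automated. The following is an added example, not code from the original article: it classifies captured request/response pairs and flags endpoints that return sensitive-looking data as JSONP, or as plain JSON over a cookie-authenticated GET without an anti-hijack prefix. The record shape, the list of sensitive key names and the sample exchanges are all constructed for this example.

```javascript
// Added example (not from the original article). Flags captured JSON
// exchanges that look exposed to JSON hijacking. All sample data below is
// constructed for illustration.

// Key names that usually indicate sensitive data (assumption for the example).
const SENSITIVE_KEYS = ["email", "phone", "token", "balance", "idcard"];

// Classify a response body as guarded (has an anti-hijack prefix), plain
// JSON, JSONP (callback(...);), or something else.
function classifyBody(body) {
  const trimmed = body.trim();
  const guard = /^(while\s*\(\s*1\s*\)\s*;|for\s*\(\s*;\s*;\s*\)\s*;|\)\]\}'?)/.exec(trimmed);
  if (guard) return { kind: "guarded", prefix: guard[1] };
  try {
    return { kind: "json", payload: JSON.parse(trimmed) };
  } catch (_) {}
  const jsonp = /^([A-Za-z_$][\w$]*)\s*\((.*)\)\s*;?$/s.exec(trimmed);
  if (jsonp) {
    try {
      return { kind: "jsonp", callback: jsonp[1], payload: JSON.parse(jsonp[2]) };
    } catch (_) {}
  }
  return { kind: "other" };
}

// Recursively look for sensitive key names in the decoded payload.
function containsSensitiveKey(value) {
  if (Array.isArray(value)) return value.some(containsSensitiveKey);
  if (value && typeof value === "object") {
    return Object.keys(value).some(
      (k) => SENSITIVE_KEYS.includes(k.toLowerCase()) || containsSensitiveKey(value[k])
    );
  }
  return false;
}

// One captured exchange: { url, method, withCookie, body }.
// withCookie records whether the browser attached a session cookie.
function assessExchange(ex) {
  const findings = [];
  if (ex.method !== "GET") return findings;   // <script src> can only issue GET
  if (!ex.withCookie) return findings;        // no ambient credential, nothing to hijack
  const cls = classifyBody(ex.body);
  if (cls.kind === "guarded" || cls.kind === "other") return findings;
  if (!containsSensitiveKey(cls.payload)) return findings;
  if (cls.kind === "jsonp") {
    findings.push("sensitive data served as JSONP with a caller-chosen callback");
  } else {
    // Bare JSON is only hijackable in legacy browsers, so rank it lower.
    findings.push("sensitive JSON served over a cookie-authenticated GET without an anti-hijack prefix (legacy-browser risk)");
  }
  return findings;
}

// Constructed sample traffic: one JSONP leak, one guarded response, one public list.
const SAMPLE_EXCHANGES = [
  { url: "/userdata.php?callback=cb", method: "GET", withCookie: true,
    body: 'cb({"name":"alice","email":"alice@example.com"});' },
  { url: "/userdata.php", method: "GET", withCookie: true,
    body: 'while(1);{"name":"alice","email":"alice@example.com"}' },
  { url: "/public/news", method: "GET", withCookie: false,
    body: '[{"title":"hello"}]' },
];

function scanExchanges(exchanges = SAMPLE_EXCHANGES) {
  return exchanges.map((ex) => ({ url: ex.url, findings: assessExchange(ex) }));
}

console.log(JSON.stringify(scanExchanges(), null, 2));
```

Feed it the exchanges recorded by an intercepting proxy during a crawl; only the first sample is reported, because the guarded response and the unauthenticated public list carry no hijacking risk.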

4, repair scheme

Try to avoid cross-domain data transmission: for same-domain data, use XMLHttpRequest as the data acquisition method, relying on the browser's JavaScript domain security (the same-origin policy) to protect the data. If data must be transmitted across domains, the caller must be authenticated before sensitive data is returned. The specific methods may include:

1, Restrict the source through the Referer: because the front end cannot forge the Referer, it identifies the application from which the data request originates. In terms of reliability this approach is crude and depends entirely on the Referer, and in some cases (such as the presence of XSS) it may be bypassed.

2, Add a token. Strictly speaking, using JavaScript hijacking to obtain data is a kind of CSRF, but where traditional CSRF can only submit requests and cannot read the data back, this way can use JavaScript to obtain sensitive information. If we can keep the attacker from knowing the interface, we achieve a defense against JSON hijacking; the token is used to authenticate the identity of the caller. This method requires less effort on the caller's identity, but in the event of XSS the front-end token may be leaked, causing the protection to fail.

3, For same-domain JSON usage, you can add while(1); at the start of the data output to prevent the data from being executed as a script.
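The three measures of section 4 combined in one server-side handler, as an added example that is not code from the original article: the request must come from an allowed origin (Referer/Origin check), must carry a session-bound token in a custom header that a <script src> tag cannot add, JSONP callbacks are refused for the sensitive endpoint, and the body is emitted with the while(1); prefix. The request shape (lowercase header names, a parsed query object), the session object, the allowed origin and the token value are assumptions made for this example.

```javascript
// Added example (not from the original article). A hardened JSON endpoint
// applying the Referer/Origin check, a token check and the while(1); prefix.
// Request/session shapes and all values are constructed for this example.

const ALLOWED_ORIGINS = ["https://www.example.com"]; // assumed site origin
const JSON_PREFIX = "while(1);";

// Constant-time string comparison so the token check does not leak timing.
function safeEqual(a, b) {
  const x = String(a), y = String(b);
  let diff = x.length ^ y.length;
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    diff |= (x.charCodeAt(i) || 0) ^ (y.charCodeAt(i) || 0);
  }
  return diff === 0;
}

function originOf(url) {
  try { return new URL(url).origin; } catch (_) { return null; }
}

// Measure 1: the Origin header is preferred, Referer is the fallback.
// A missing header is rejected rather than trusted.
function isTrustedSource(headers) {
  const src = headers.origin || headers.referer;
  return Boolean(src) && ALLOWED_ORIGINS.includes(originOf(src));
}

// Measure 2: a session-bound anti-CSRF token sent in a custom header.
// A hijacking page on another domain cannot set headers on a <script src>
// request, so it cannot pass this check even if it knows the URL.
function hasValidToken(headers, session) {
  const presented = headers["x-csrf-token"];
  return Boolean(presented) && safeEqual(presented, session.csrfToken);
}

// Measure 3: prefix the JSON so that loading it as a script never yields data.
function protectedJsonBody(data) {
  return JSON_PREFIX + JSON.stringify(data);
}

// req = { method, query, headers }; session = { csrfToken }; data = payload.
function handleUserData(req, session, data) {
  if (req.method !== "GET") return { status: 405, body: "" };
  // JSONP turns the response into a script under the caller's control.
  if (req.query && "callback" in req.query) return { status: 400, body: "JSONP not supported" };
  if (!isTrustedSource(req.headers)) return { status: 403, body: "" };
  if (!hasValidToken(req.headers, session)) return { status: 403, body: "" };
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    body: protectedJsonBody(data),
  };
}

// Same-origin client side: XMLHttpRequest/fetch can read the text and strip
// the prefix; a cross-domain <script> tag would just loop forever.
function parseProtectedJson(text) {
  if (!text.startsWith(JSON_PREFIX)) throw new Error("unexpected response framing");
  return JSON.parse(text.slice(JSON_PREFIX.length));
}

// Constructed session and payload for the demonstration.
const SESSION = { csrfToken: "constructed-token-value-1234" };
const USER = { name: "alice", email: "alice@example.com" };

function demo() {
  const legit = handleUserData(
    { method: "GET", query: {},
      headers: { origin: "https://www.example.com", "x-csrf-token": SESSION.csrfToken } },
    SESSION, USER);
  const scriptTag = handleUserData(
    { method: "GET", query: { callback: "wooyun_callback" },
      headers: { referer: "http://other.invalid/" } },
    SESSION, USER);
  const noToken = handleUserData(
    { method: "GET", query: {}, headers: { origin: "https://www.example.com" } },
    SESSION, USER);
  return { legit, scriptTag, noToken };
}

console.log(JSON.stringify(demo(), null, 2));
```

The checks are layered on purpose: the Referer/Origin check alone is bypassable under XSS, as the article notes, and the token alone is leaked by XSS too, but the prefix still stops a plain cross-domain <script> load from yielding the data even when both others fail.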