Saturday, January 16, 2016

JSON Hijacking or JavaScript Hijacking


In JSON Hijacking or JavaScript Hijacking, an attacker exploits vulnerabilities in a browser and attacks a system that uses JSON or JavaScript Object Notation as a transport mechanism between the server and the client and steals sensitive data.

In this attack, the attacker accesses JSON data from applications that return sensitive data using JSON arrrays in a GET request.



How is JSON Hijacking attack done ?


When a user authenticates himself in a web server, the session is maintained with a HTTP cookie. And the cookie is placed in the user's computer. And later, when the browser sends any request to the webserver, the information in the cookies is used. In JSON Hijacking attack, the attacker tricks the user to send malicious request to the webserver and reveal sensitive data.


The following steps lead to a JSON Hijacking attack :

  • The user authenticates to a web application and HTTP cookies are placed in his computer.
  • The user clicks on a link that the attacker has already sent him. The link contains a script in the attacker's website. The attacker may use social engineering to convince the user to click on the link. For example, the attacker may send the user an email asking the user to click on the link to see some interesting pictures or videos.
  • The user clicks on the link and the script starts executing.
  • The attacker's website responds with an HTML containing JavaScript and a script tag.
  • The browser sees the script tag and makes another GET request to the vulnerable web application, and the browser uses the cookies placed in the user's computer.
  • Now, the attacker has tricked the victim's browser to issue a request for the JSON containing sensitive data using the authentication cookies.
  • This loads the JSON array as JavaScript and the attacker gets access to sensitive data.



What are the countermeasures for JSON Hijacking attack ?


There are some prevention mechanisms that can be taken to mitigate the attacks.

  • In JavaScript, use .innerText instead of .innerHTML. This will automatically encode the text. Use .innerHTML only when you are displaying HTML.
  • Do not use eval function. It is very much vulnerable.
  • Do not rely on client logic to ensure security.
  • Avoid writing serialization code.
  • Avoid building XML dynamically. Use an encoding library to make attributes and element data safe.
  • Use SSL/TLS and encrypt on the server, not on the client side code.
  • Always return JSON with an object on outside.
    For example : {"result": [{"object": "inside an array"}]}
  • Use framework to build XML, do not build XML by hand.


For more information on prevention mechanisms : https://www.owasp.org/index.php/OWASP_AJAX_Security_Guidelines




No comments:

Post a Comment