1, Vulnerability description:

JSON (JavaScript Object Notation) is a lightweight data interchange format. It is easy for people to read and write, and easy for machines to parse and generate. Because it is plain text, it can be consumed directly by the browser, so it spread quickly together with Ajax and web development; it is used by many large sites, including Yahoo, Google, Tencent and Baidu, and banks currently use it for data exchange as well. However, if this interaction is used to carry sensitive data and the transmission is not protected by adequate security controls, a security vulnerability results; depending on how sensitive the information is, the application is exposed to attacks of differing severity.

2, Detection conditions:

The web application under test is known to exchange or transmit data as JSON.

3, Test method

By capturing packets and analysing the application's data exchanges, we can often detect the leakage of sensitive information. The usual method is to capture the application's traffic and inspect the sensitive data it carries; if there is no security control on the transmission, this kind of vulnerability is found. The main harm falls on applications that handle sensitive data, which can suffer serious attacks; for applications whose data is not sensitive, or is even open to third parties, the problem is basically not a security problem. Through JavaScript hijacking from a third-party domain, the sensitive data can be stolen. The exploit code generally takes the following form:
<script> function wooyun_callback(a){alert(a);} </script>
<script src="http://www.xxx.com/userdata.php?callback=wooyun_callback"> </script>
4, Remediation plan

Try to avoid cross-domain data transmission. For data transmitted within the same domain, use XMLHttpRequest to retrieve the data and rely on the browser's same-origin protection of JavaScript to guard it. If the data must be transferred cross-domain, access to sensitive data has to be authenticated and authorised. Specific approaches include:

1, Referer restriction: use the Referer sent by the front end to ensure that the request for data comes from a trusted place. This method is relatively weak, since it depends entirely on the Referer, and in some cases (for example, if an XSS vulnerability exists) it can be bypassed.

2, Adding a token: strictly speaking, obtaining data through JavaScript hijacking is a kind of CSRF, but whereas traditional CSRF can only submit requests and cannot read the data, here JavaScript can obtain sensitive information. If the attacker can be kept from knowing the interface, JSON hijacking can be defended against. Using a token to authenticate the caller's identity takes little effort to implement, but once an XSS vulnerability appears the front-end token can leak as well, and the protection fails.

3, Where JSON is used within the same domain, while(1); can be prepended to the output data so that the data cannot be loaded and executed as a script.
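As an added example (not code from the original article), the following Node-style JavaScript shows how the three measures above combine on the server side: a Referer check plus a per-session token on the cross-domain JSONP path, and a while(1); prefix on the same-domain path, together with the matching client-side parser. The trusted origin, token, user record and the function names buildResponse and parseGuardedJson are assumptions constructed for this example.

```javascript
// Added example, not code from the original article: a hardened JSON endpoint
// written as pure functions so it runs without a web server. The names
// TRUSTED_ORIGIN, SESSION_TOKEN, userData, buildResponse and parseGuardedJson
// are assumed here; the trusted origin, token and user record are constructed.
const TRUSTED_ORIGIN = "https://www.example.com";
const SESSION_TOKEN = "tok-9f2c-constructed"; // per-session token issued at login
const userData = { name: "alice", balance: 1200 }; // constructed sample record

// Decide how to answer a request for the user's data.
// req = { headers: { referer }, query: { callback, token } }
function buildResponse(req) {
  const referer = req.headers.referer || "";
  const { callback, token } = req.query;
  const json = JSON.stringify(userData);

  // Same-domain XMLHttpRequest: no callback parameter. Prefix while(1); so a
  // cross-site <script src=...> include loops forever instead of evaluating
  // the data; the legitimate client strips the prefix before JSON.parse.
  if (callback === undefined) {
    return { status: 200, body: "while(1);" + json };
  }

  // Cross-domain JSONP: the Referer must be the trusted origin (weak on its
  // own, as the article notes) AND the caller must present the session token.
  const fromTrusted =
    referer === TRUSTED_ORIGIN || referer.startsWith(TRUSTED_ORIGIN + "/");
  if (!fromTrusted || token !== SESSION_TOKEN) {
    return { status: 403, body: "" };
  }
  // Accept only a plain identifier as the callback name so the response
  // cannot be turned into arbitrary script through the callback parameter.
  if (!/^[A-Za-z_$][\w$]*$/.test(callback)) {
    return { status: 400, body: "" };
  }
  return { status: 200, body: callback + "(" + json + ");" };
}

// Same-domain client side: remove the guard, then parse the real payload.
function parseGuardedJson(body) {
  const guard = "while(1);";
  if (!body.startsWith(guard)) throw new Error("missing while(1); guard");
  return JSON.parse(body.slice(guard.length));
}
```

Note that the Referer check alone is bypassable, as the article says; the token is what actually ties the request to the logged-in session, and both fail if the page has an XSS hole.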