1, Vulnerability description:

JSON (JavaScript Object Notation) is a lightweight data exchange format. It is easy for people to read and write, easy for machines to parse and generate, and because it is plain text this kind of data interaction can be used natively in browsers. With the growth of Ajax and web services it has been adopted widely; all kinds of large websites, including Yahoo, Google, Tencent and Baidu, use it, and at present banks also use it for data interaction. But if this kind of interaction is used to transfer sensitive data, and there is not enough security control during transmission, it leads to a security vulnerability. Depending on the sensitive information involved, the application will be exposed to different levels of attack.

2, Testing conditions:

The web application under test is known to use JSON for data exchange or transmission.

3, Test method

Analyze the application's data interaction by capturing packets; this often reveals leakage of sensitive information. The usual approach is to capture the application's traffic and inspect the sensitive data inside it; if there is no security control on the transmission, we have found such a vulnerability. The main harm depends on the data: for applications handling sensitive data it leads to serious attacks, while for data that is not sensitive, or is even open to third parties, this kind of issue is not a security problem. Using JavaScript hijacking from a third-party domain, the sensitive data can be stolen. The exploit code generally takes the following form:

<!-- the callback receives the JSON object returned by the JSONP endpoint -->
<script>
function wooyun_callback(a) { alert(a); }
</script>
<script src="http://www.xxx.com/userdata.php?callback=wooyun_callback"></script>
4, Restoration plan

Try to avoid cross-domain data transfer. For data transmission within the same domain, use XMLHttpRequest to fetch the data and rely on the browser's same-origin protection of JavaScript to protect it. If the data transmission is cross-domain, authorization must be enforced for sensitive data acquisition. Specific methods include:

1, Referer source restriction: use the Referer sent by the front end to ensure that the request for data comes from a trusted place. This protection is relatively weak; depending entirely on the Referer may, in some cases (for example if XSS exists), be bypassed.

2, Add a token. Strictly speaking, obtaining data through JavaScript hijacking is a kind of CSRF; but whereas traditional CSRF can only submit requests and cannot read data, this use of JavaScript can obtain some sensitive information. If the interface can be made unknown to the attacker, JSON hijacking can be defended against. Using a token to authenticate the caller's identity requires a more detailed check of who the caller is. But once XSS appears, it can also lead to leakage of the front-end token, which causes the protection to fail.

3, For same-domain JSON use, the string "while(1);" can be added at the head of the output data, so that the data cannot be read by including it as a script.