An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website.
Description
Attack Execution Flow
3
1
Step 1
Explore[Understand How to Request JSON Responses from the Target System] An attacker first explores the target system to understand what URLs need to be provided to it in order to retrieve JSON objects that contain information of interest to the attacker.
An attacker creates an account with the target system and observes requests and the corresponding JSON responses from the server. Understanding how to properly elicit responses from the server is crucial to the attackers' ability to craft the exploit.
AI Translation
[Comprendere come richiedere risposte JSON dal sistema target] Un attaccante esplora inizialmente il sistema target per capire quali URL devono essere forniti per recuperare oggetti JSON contenenti informazioni di interesse per l'attaccante.
Un attaccante crea un account sul sistema target e osserva le richieste e le risposte JSON corrispondenti dal server. Comprendere come ottenere correttamente risposte dal server è fondamentale per la capacità dell'attaccante di creare l'exploit.
Attack Techniques
-
An attacker creates an account with the target system and observes requests and the corresponding JSON responses from the server. Understanding how to properly elicit responses from the server is crucial to the attackers' ability to craft the exploit.
2
Step 2
Experiment[Craft a malicious website]The attacker crafts a malicious website to which they plan to lure the victim who is using the vulnerable target system. The malicious website does two things:
1. Contains a hook that intercepts incoming JSON objects, reads their contents and forwards the contents to the server controlled by the attacker (via a new XMLHttpRequest).
2. Uses the script tag with a URL in the source that requests a JSON object from the vulnerable target system. Once the JSON object is transmitted to the victim's browser, the malicious code (as described in step 1) intercepts that JSON object, steals its contents, and forwards to the attacker.
This attack step leverages the fact that the same origin policy in the browser does not protect JavaScript originating from one domain from setting up an environment to intercept and access JSON objects arriving from a completely different domain.
AI Translation
[Creare un sito web dannoso] L'attaccante crea un sito web dannoso a cui intende attirare la vittima che utilizza il sistema target vulnerabile. Il sito web dannoso svolge due funzioni:
1. Contiene un hook che intercetta gli oggetti JSON in arrivo, ne legge il contenuto e lo inoltra al server controllato dall'attaccante (tramite una nuova XMLHttpRequest).
2. Utilizza il tag script con un URL nel source che richiede un oggetto JSON dal sistema target vulnerabile. Una volta che l'oggetto JSON viene trasmesso al browser della vittima, il codice dannoso (come descritto nel passaggio 1) intercetta quell'oggetto JSON, ne ruba il contenuto e lo inoltra all'attaccante.
Questo passaggio dell'attacco sfrutta il fatto che la policy same origin nel browser non protegge il JavaScript proveniente da un dominio dall'allestire un ambiente per intercettare e accedere agli oggetti JSON in arrivo da un dominio completamente diverso.
3
Step 3
Exploit[Launch JSON hijack] An attacker lures the victim to the malicious website or leverages other means to get their malicious code executing in the victim's browser. Once that happens, the malicious code makes a request to the victim target system to retrieve a JSON object with sensitive information. The request includes the victim's session cookie if the victim is logged in.
An attacker employs a myriad of standard techniques to get the victim to visit their malicious site or by some other means get the attackers' malicious code executing in the victim's browser.
AI Translation
[Launch JSON hijack] Un attaccante induce la vittima a visitare il sito web malevolo o sfrutta altri mezzi per far eseguire il proprio codice dannoso nel browser della vittima. Una volta che ciò avviene, il codice malevolo effettua una richiesta al sistema target della vittima per recuperare un oggetto JSON contenente informazioni sensibili. La richiesta include il cookie di sessione della vittima se questa è autenticata.
Un attaccante impiega una moltitudine di tecniche standard per indurre la vittima a visitare il proprio sito malevolo o, tramite altri mezzi, far eseguire il proprio codice dannoso nel browser della vittima.
Attack Techniques
-
An attacker employs a myriad of standard techniques to get the victim to visit their malicious site or by some other means get the attackers' malicious code executing in the victim's browser.
Mitigations
4
Ensure That Server Side Code Can Differentiate Between Legitimate Requests And Forged Requests. The Solution Is Similar To Protection Against Cross Site Request Forger (Csrf), Which Is To Use A Hard To Guess Random Nonce (That Is Unique To The Victim'S Session With The Server) That The Attacker Has No Way Of Knowing (At Least In The Absence Of Other Weaknesses). Each Request From The Client To The Server Should Contain This Nonce And The Server Should Reject All Requests That Do Not Contain The Nonce.
Ensure That To The Extent Possible, No Sensitive Data Is Passed From The Server To The Client Via Json Objects. Javascript Was Never Intended To Play That Role, Hence The Same Origin Policy Does Not Adequate Address This Scenario.
Make The Urls In The System Used To Retrieve Json Objects Unpredictable And Unique For Each User Session.
On The Client Side, The System'S Design Could Make It Difficult To Get Access To The Json Object Content Via The Script Tag. Since The Json Object Is Never Assigned Locally To A Variable, It Cannot Be Readily Modified By The Attacker Before Being Used By A Script Tag. For Instance, If While(1) Was Added To The Beginning Of The Javascript Returned By The Server, Trying To Access It With A Script Tag Would Result In An Infinite Loop. On The Other Hand, Legitimate Client Side Code Can Remove The While(1) Statement After Which The Javascript Can Be Evaluated. A Similar Result Can Be Achieved By Surrounding The Returned Javascript With Comment Tags, Or Using Other Similar Techniques (E.G. Wrapping The Javascript With Html Tags).
Consequences
Security Scopes Affected
Confidentiality
Potential Impacts
Read Data
Relationships
Parent CAPECs
Resources Required
1
None: No specialized resources are required to execute this type of attack.