Thursday, June 6, 2013

JSON Hijacking

I was trying to understand the SpiderLabs blog post and decided on the following.

<script>

// create an object
var obj1 = { 'aaa' : 'value1' };
alert('obj1.aaa = '+obj1.aaa);

// define a setter for the property 'aaa' on every object (via Object.prototype)
// __defineSetter__ itself still works in current browsers; what changed (ES5, 2009,
// most likely because of this attack) is that object-literal initialisers no longer
// invoke inherited setters, so the lines below only "attack" in pre-ES5 engines
var attack = "";
Object.prototype.__defineSetter__('aaa', function(val){ attack += val; });

// create an object; in an old browser this invokes the malicious setter
// (obj2.aaa then reads as undefined there, since the setter stored nothing on obj2)
var obj2 = { 'aaa' : 'value2' };
alert('obj2.aaa = '+obj2.aaa);
alert('attack = '+attack);

// this is legal syntax: an array literal holding an unnamed object, used as an expression statement
[ { 'aaa' : 'value3' } ];
alert('attack = '+attack);

/*
// this is not legal syntax, your browser will barf:
// a leading { is parsed as a block, and 'aaa' : is not a valid statement inside a block
{ 'aaa' : 'value4' }
alert('attack = '+attack);
*/

</script>

So what we have so far is that [ { 'aaa' : 'value3' } ], processed as JavaScript, can cause 'value3' to be the input to an arbitrary function (in older browsers; current engines create literal properties without consulting inherited setters, which is why the experiment above only shows the effect in an old browser). In this context the attack described by SpiderLabs makes sense.

  1. You happen to browse to attack.com while logged into good.com.
  2. The attack.com page contains <script src="http://good.com/urlReturnsJson"></script>.
  3. Your browser performs a GET to good.com for that script and dutifully attaches your good.com authentication cookies, because cookies are sent with every request to good.com regardless of which page initiated it.
  4. Since good.com is not wise to JSON hijacking it returns [ { 'aaa' : 'value3' } ].
  5. The browser expects the response to be JavaScript and executes it; a top-level array literal is a valid expression statement, so it runs without error.
  6. Since the attack.com page earlier executed __defineSetter__, constructing the objects inside that JSON snippet calls the attacker's setter with the data from good.com; the attacker's script now holds that data in its own variable and can send it back to attack.com.

Conclusion: all JSON should be of the form {...}, i.e. a top-level object rather than a top-level array. A script that begins with { is parsed as a block, and "aaa" : ... is not a valid statement inside a block, so the response fails to parse and nothing executes, whereas a top-level array is a perfectly good expression statement. This closes the vector above but is not a substitute for keeping sensitive JSON off cookie-only GET endpoints; a CSRF token, a required custom request header, or an unparsable prefix such as )]}',\n are the usual additional measures.
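The attack steps and the conclusion above, worked through as an added example that is not part of the original post. It runs under Node.js with no network and assumes nothing about good.com: the "response bodies" are constructed strings standing in for whatever urlReturnsJson might return, and the function names (setterExperiment, parsesAsScript, topLevelIsObject) are made up for this example. The first part redoes the setter experiment on a current engine and shows that plain assignment still reaches an inherited setter even though literals no longer do; the second shows, at parse level, why a top-level array is executable and a top-level object is not; the third is the conclusion as a check a server could apply to a response body before sending it.

```javascript
// Added example: not part of the original post. Node.js, no network.
// The response bodies below are constructed strings; nothing contacts a server.

// Part 1: the setter experiment on a current (ES5+) engine.
// Object-literal initialisers create own properties via [[DefineOwnProperty]],
// so the inherited setter is NOT invoked for { aaa: ... }. Ordinary assignment
// still goes through [[Set]] and does reach the setter.
function setterExperiment() {
  let attack = '';
  Object.prototype.__defineSetter__('aaa', function (val) { attack += val; });
  try {
    const obj2 = { aaa: 'value2' };      // literal: own data property, setter bypassed
    const afterLiteral = attack;         // '' on a modern engine
    const ownValue = obj2.aaa;           // 'value2', read from the own property
    const obj3 = {};
    obj3.aaa = 'value3';                 // assignment: inherited setter fires
    const afterAssign = attack;          // 'value3'
    const readBack = obj3.aaa;           // undefined: accessor has no getter
    return { afterLiteral, ownValue, afterAssign, readBack };
  } finally {
    delete Object.prototype.aaa;         // __defineSetter__ makes it configurable
  }
}

// Part 2: which bodies are a valid JavaScript program?
// <script src="..."> can only run the response if it parses as a script.
// new Function(body) parses body as a function body without running it; for
// these inputs that is the same grammar decision as a top-level script.
function parsesAsScript(body) {
  try {
    new Function(body);                  // parse only; never invoked
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Part 3: the post's conclusion as a response check: the body must be JSON
// whose top-level value is an object (not an array, not a bare scalar).
function topLevelIsObject(body) {
  let value;
  try {
    value = JSON.parse(body);
  } catch (e) {
    return false;                        // not JSON at all
  }
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Constructed sample bodies.
const SAMPLES = {
  array:    '[ { "aaa": "value3" } ]',            // executable: expression statement
  object:   '{ "aaa": "value4" }',                // SyntaxError: block, then "aaa" : ...
  empty:    '{}',                                 // valid JSON and a valid empty block (nothing to steal)
  prefixed: ")]}',\n[ { \"aaa\": \"value3\" } ]", // unparsable-prefix defence: SyntaxError at ')'
  whileOne: 'while(1);[ { "aaa": "value3" } ]',   // parses fine; the defence is the loop at run time
};

function report() {
  const out = {};
  for (const [name, body] of Object.entries(SAMPLES)) {
    out[name] = { parsesAsScript: parsesAsScript(body), topLevelIsObject: topLevelIsObject(body) };
  }
  return out;
}

console.log(setterExperiment());
console.log(report());
```

The prefixed and while(1) samples are there to show the limits of the parse-level argument: the `)]}',` prefix works because the body never parses, while `while(1);` parses perfectly well and only defends by hanging the attacker's page at run time, so a client that strips either prefix before calling JSON.parse is part of the design.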
