Angular 2 json editor

…which could result in the disclosure of sensitive information. That particular exploit involved overriding the JavaScript Array constructor to disclose the payload of a JSON array, something which… However, there’s another related exploit that seems to affect many more browsers. It was brought to my attention recently by someone at… demonstrated it at the Norwegian Developers Conference last week, though… It has been demonstrated against Twitter in the…

Before I go further, let me give you the punch line first in terms of… This vulnerability requires that you are exposing a JSON service which…

…the browser making the request has JavaScript enabled (very likely).
…the browser making the request supports __defineSetter__.

Thus if you never send sensitive data in JSON format, or you only send… vulnerable to this particular vulnerability (though there could be…).

I’m terrible with Visio, but I thought I’d give it my best shot and try… …the unwitting victim logging into the vulnerable site, and the vulnerable site issues an authentication cookie, which the browser holds… At some point, either in the past, or the near future, the bad guy spams the victim with an email promising a hilariously funny video of a…, but the link actually points to the bad guy’s website. When the victim clicks on the link, the next two steps happen in quick succession. First, the victim’s browser makes a request for the bad guy’s website. The website responds with some HTML containing some JavaScript along… When the browser sees the script tag, it makes another GET request back to the vulnerable site to load the script, … The bad guy has tricked the victim’s browser to issue a request for the JSON containing sensitive information using the browser’s credentials (aka the auth cookie). This loads the JSON array as executable JavaScript and now the bad guy has access to this data.

To gain a deeper understanding, it may help to see actual code (which you can download and run) which demonstrates this attack. Note that the following demonstration is not specific to ASP.NET or ASP.NET MVC in any way, I just happen to be using ASP.NET… Suppose the Vulnerable Website returns JSON with sensitive data via an…

One issue with this approach is that many JavaScript libraries such as jQuery request JSON using a GET request by default, not POST. For example, $.getJSON issues a GET request by default. …into this JSON service, you need to make sure you issue a POST request. ASP.NET and WCF JSON service endpoints actually wrap their JSON in an object with the “d” property as I wrote about a while… While it might seem odd to have to go through this property to get access to your data, this awkwardness is eased by the fact that the generated client proxies for these services strip the “d” property so the end-user doesn’t need to know it was ever there.

With ASP.NET MVC (and other similar frameworks), a significant number of developers are not using client generated proxies (we don’t have them) but instead using jQuery and other such libraries to call into these methods, making the “d” fix kind of awkward.

Some of you might be wondering, “why not have the JSON service check for a special header such as the X-Requested-With: XMLHttpRequest or Content-Type: application/json before serving it up in response to a GET request?” I too thought this might be a great mitigation because most client libraries send one or the other of these headers, but a browser’s GET request in response to a script tag would not.

The problem with this (as a couple of co-workers pointed out to me) is that at some point in the past, the user may have made a legitimate GET request for that JSON in which case it may well be cached in the user’s browser or in some proxy server in between the victim’s browser and the… In that case, when the browser makes the GET request for the script, the request might get fulfilled from the browser cache… You could try setting No-Cache headers, but at that point you’re trusting that the browser and all proxy servers correctly implement caching and that the user can’t override that accidentally. Of course, this particular caching issue isn’t a problem if you’re…