
JSON Hijacking

Sam Sanoop edited this page Sep 13, 2020 · 3 revisions

Introduction

JSON Hijacking, as the name suggests, is an attack similar to Cross-Site Request Forgery in which an attacker can read sensitive JSON data across domains from applications that return that data as array literals in response to GET requests.

Details

Within the http://dvws.local/passphrasegen.html area, a request is made to get the passphrases generated by a particular user. This request can be seen below.

[Image: JSONHijack]

It is possible to steal this information for the following reasons:

  • The data is returned with the header Content-Type: application/json (no charset specified)
  • The data is returned inside a [] array literal
  • No authentication is needed to make the above request (Access Control Issue)

Note: JSON Hijacking has been remediated in most modern browsers
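
The three conditions listed above can be checked mechanically against a captured request/response pair. The following is an added example, not code from DVWS: the function names, the lowercase header keys and the sample exchange are constructed for illustration, and the hardened form applies the commonly recommended mitigations (object wrapper, explicit charset, credentials required), which this page does not itself prescribe.

```javascript
// Audit one HTTP exchange for the three conditions listed on this page.
// Assumes header names are lowercase (as Node.js presents them).
function auditJsonResponse(exchange) {
  const findings = [];
  const ctype = (exchange.responseHeaders['content-type'] || '').toLowerCase();
  const [mediaType, ...params] = ctype.split(';').map((s) => s.trim());

  // 1. application/json served without an explicit charset parameter
  if (mediaType === 'application/json' &&
      !params.some((p) => p.startsWith('charset='))) {
    findings.push('no-charset');
  }

  // 2. the top-level JSON value is an array literal
  let parsed;
  try { parsed = JSON.parse(exchange.body); } catch (e) { parsed = undefined; }
  if (Array.isArray(parsed)) findings.push('top-level-array');

  // 3. a request carrying no credentials still received the data
  const req = exchange.requestHeaders;
  const hasCredentials = Boolean(req['authorization'] || req['cookie']);
  if (exchange.status === 200 && !hasCredentials) {
    findings.push('served-without-credentials');
  }
  return findings;
}

// Hardened response shape: explicit charset, array wrapped in an object.
function hardenResponse(rows) {
  return {
    headers: { 'content-type': 'application/json; charset=utf-8' },
    body: JSON.stringify({ data: rows }),
  };
}

// Constructed sample exchange (not captured DVWS traffic).
const vulnerableExchange = {
  requestHeaders: {},
  status: 200,
  responseHeaders: { 'content-type': 'application/json' },
  body: '[{"passphrase":"constructed-sample-value"}]',
};

console.log(auditJsonResponse(vulnerableExchange));
```

An empty findings list only means none of these three conditions were observed in that exchange; the access control check still has to be enforced server-side for every request.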
