Wednesday, January 22, 2025

JSON Hijacking

JSON (JavaScript Object Notation) is a standard text-based data format. It is widely used to carry data between a server and a web application. JSON Hijacking is a web security attack in which an attacker targets a system that exposes sensitive JSON data across domains. It resembles Cross-Site Request Forgery, with one difference: in Cross-Site Request Forgery the attacker forces the user to perform unwanted actions, whereas in JSON Hijacking the user is lured to a crafted link or page that reads the user's data and passes it to the attacker.

Note: Older browsers were much more exposed to JSON Hijacking. Modern browsers have fixed the underlying behaviour, so users of modern browsers are almost safe.

Detection Methods:

  • The attacker gets an authenticated user to visit a malicious page in order to read that user's data.
  • While the user is still logged in to the target site, the malicious page tries to access the sensitive data by embedding a script tag in its HTML document, e.g.

<script src="http://<jsonsite>/abc.php"></script>

The browser executes this tag by issuing a GET request to abc.php; the user's session cookies travel with that request, so the sensitive data is returned in the response.

  • One should also check whether the targeted application is kept compatible with older clients.
  • Check whether Access-Control-Allow-Origin is set to the specific domain. If it is not, set Access-Control-Allow-Origin to that specific domain; with this in place JSON Hijacking is not possible.
  • Vulnerable JSON responses (see the examples below) should be avoided.

JSON Hijacking Prevention:

  • By returning JSON with an object on the outside: JSON Hijacking can be prevented by making the outermost value of every JSON response an object rather than an array. Some examples:

Vulnerable:

[{ "object" : "" }]  // Not inside an object, inside an array

Not Vulnerable:

{ "object" : "" }   // Inside an object

{ "object" : [{ "object" : "" }] }  // Array, but inside an object

  • By adding Access-Control-Allow-Origin: To prevent JSON Hijacking, we can add the Access-Control-Allow-Origin header. With this addition, the attacker loses control over our trusted domains.
  • By preventing the use of older browsers: Another method for preventing JSON Hijacking is to build a mechanism into the application that refuses to serve it to older browsers, so the application cannot be used from an older browser.
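The following is an added example, not code from the original article. It shows why the "vulnerable" and "not vulnerable" responses above differ: a body fetched through a script tag is handed to the JavaScript parser, and a top-level array literal is a valid program while an object literal with string keys is a syntax error and never runs. The second function builds a response that applies the defences listed on this page: an object on the outside and a specific Access-Control-Allow-Origin value, plus `X-Content-Type-Options: nosniff` (which makes browsers refuse to execute a script tag whose response is not a JavaScript MIME type) and a check for the `X-Requested-With` header, which a script tag cannot send. The function names, the `data` wrapper key and the origin `https://app.example` are assumptions of this example.

```javascript
// Added example (not from the original article). Function names, the "data"
// wrapper key and ALLOWED_ORIGIN are assumptions made for illustration.
const ALLOWED_ORIGIN = 'https://app.example'; // the one trusted origin (assumed)

// True if the response body parses as a JavaScript program. new Function()
// only parses the text, it never executes it, so this is safe to run on
// untrusted bodies. A top-level array literal parses; an object literal with
// string keys does not ("{" starts a block, and "key": is not a label).
function isExecutableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Puts an object on the outside so the body is no longer a valid script.
function wrapArray(payload) {
  return Array.isArray(payload) ? { data: payload } : payload;
}

// Builds a JSON response for an authenticated endpoint.
// reqHeaders: plain object keyed by lower-cased request header name.
function buildJsonResponse(payload, reqHeaders = {}) {
  // A <script src> request cannot carry custom headers, so a request without
  // this marker did not come from our own XHR/fetch code and gets no data.
  if (reqHeaders['x-requested-with'] !== 'XMLHttpRequest') {
    return { status: 403, headers: {}, body: '' };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/json; charset=utf-8',
      // Browsers refuse to run a script tag whose response is not JavaScript
      // when nosniff is present, so the body can never be executed as a script.
      'X-Content-Type-Options': 'nosniff',
      // A specific origin, never "*", for an endpoint that returns user data.
      'Access-Control-Allow-Origin': ALLOWED_ORIGIN,
    },
    body: JSON.stringify(wrapArray(payload)),
  };
}

// Constructed sample data for a quick demonstration.
const sampleRecords = [{ object: 'account-balance' }, { object: 'email' }];
console.log('array body executable?',
  isExecutableAsScript(JSON.stringify(sampleRecords)));          // true
console.log('wrapped body executable?',
  isExecutableAsScript(JSON.stringify(wrapArray(sampleRecords)))); // false
console.log(buildJsonResponse(sampleRecords, { 'x-requested-with': 'XMLHttpRequest' }));
```

`isExecutableAsScript` is a useful check to run over an API's responses in a test suite: any authenticated endpoint whose body comes back `true` is returning a top-level array (or other bare literal) and should be wrapped before it ships.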

Dominic Wardslaus (http://wardslaus.com)