Shulou(Shulou.com)05/31 Report--

JSONP hijacking discovery process is how, I believe that many people do not have experience in this helpless, this article summarizes the causes of the problem and solutions, through this article I hope you can solve this problem.

0x01 Preface

Record the discovery process of a JSONP hijacking and some thoughts, and share with you, progress together

0x02 Found

Get suspicious urls by crawling pages

xxx.xxx.xxx.com/recom? appkey=xxx&adspot=xxx&max_behot_time=0&max_count=5&tag=0&columns=0&callback=uarJsonCa

llback See callback function here

According to the url name, we can basically infer that this service should push some data to the target station, where the master station obtains the data and then backfills it to the page. We can carefully observe the url of this get request.

There are appkey,adspot,max_behot_time,max_count,tag,columns and callback, the most striking of which is the method of concatenation behind the callback parameter, which is very obvious.

The following is returned by modifying the observation data:

1. Modify appkey value, the returned data has changed, but this API should be mainly used to push hot spot data, I can get the return without passing this value, this value may be meaningless

2. Change the adspot value, I got an error return

At the same time, I guess that different adspot values correspond to data pushed to different target sites according to this value. This value is mandatory and equivalent to the key value.

3. Modifying max_behot_time results in the same result as modifying appkey, which may also represent a rule restriction but does not affect the service return.

4. Modify the max_count value The number of data returned by the service will change. When it is modified to a certain number, the data will not change. It is speculated that the hot data every day should be taken from the data pool. The size of the pool is fixed, so what is reflected here is that the data will not change.

5. Modify the columns value data corresponding to the change, presumably its meaning may be the number of pages pagination

6.callback parameter, here it is obvious to use the jsonp function to call the corresponding service to do data filling by writing callback function on the page

0x03 Verification

Write a function named callback after the pass parameter

Get the corresponding data (here is only the number of rows of data obtained for demonstration)

Jsonp itself is not a vulnerability, it is just a very compatible cross-domain communication method, so when is it considered a vulnerability? When the data returned by jsonp is user-sensitive data, and the jsonp test is not strict enough to be exploited externally, it can be called jsonp sensitive information disclosure vulnerability.

After reading the above content, do you know how to discover the JSONP hijacking process? If you still want to learn more skills or want to know more related content, welcome to pay attention to the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.