JSON Hijacking:

The website responds with some HTML containing some JavaScript along with a script tag. When the browser sees the script tag, it makes another GET request back to the vulnerable site to load the script, sending the auth cookie along.

This makes more sense.  I'd always wondered why people were concerned about JavaScript exploits.  If you have Firebug open, what can't you do with JavaScript?  It's essentially a completely open source, open data situation.  The best security you can use is obfuscation, and that's not really security at all.

Turns out people are getting all upset about stuff that should really never happen in apps I [help] write.

1.) You have to be dealing with sensitive information.
2.) The user has to succumb to some social engineering.
3.) You allow cross-site access to JSON that requires sensitive information to access.

It's that "to access" part that's really the kicker.  If you're reading a cookie to produce the JSON, the hole is there, not necessarily in the JSON itself.

So if someone has a cookie to their bank stored on their browser, gets tricked into going to a spoof website (or just hits a website that's spoofing), and you allow cross-site scripting, then and only then are you potentially in trouble.
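The standard defence against that third condition is to make sure the JSON endpoint can never be loaded as a script in the first place, so even a cookie-bearing cross-site `<script>` request yields nothing. Added example, not code from the original post: a server-side wrapper that prefixes the body with a non-executable token, the matching same-origin client parser that strips it, and a parse-only check showing that a bare JSON array is valid JavaScript while the prefixed body (and a top-level JSON object) is not. The sample account record is constructed.

```javascript
// Added example: protecting a JSON endpoint from being consumed as a <script>.
// The prefix is a well-known mitigation; it makes the body a syntax error
// when a browser tries to execute it, while a same-origin XHR/fetch client
// simply strips it before JSON.parse.
const ANTI_HIJACK_PREFIX = ")]}',\n";

// Constructed sample of the kind of sensitive data the post talks about.
const sampleAccount = { account: "EXAMPLE-0001", balance: 1234.56 };

// Server side: serialize so the response is never a runnable script.
function protectJson(data) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(data);
}

// Client side (same-origin XHR/fetch): refuse bodies without the prefix,
// otherwise strip it and parse the remainder as JSON.
function parseProtectedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("missing anti-hijack prefix; refusing to parse");
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Check only: would a JS engine accept this text as code?  new Function()
// parses the body without running it, so this reports syntax validity
// (close enough to a <script> parse for JSON-shaped bodies).
function isParseableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Comparison of the three response shapes discussed above.
function summarize() {
  return {
    bareArray: isParseableAsScript(JSON.stringify([sampleAccount])),   // true
    bareObject: isParseableAsScript(JSON.stringify(sampleAccount)),    // false
    prefixed: isParseableAsScript(protectJson([sampleAccount])),       // false
  };
}
```

The prefix complements, rather than replaces, cookie and header controls; it only removes the script-tag path the post describes.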

In a sense, duh.  In another sense, "Oh."  You'd have to go out of your way to create a problem, but apparently, at least briefly, even Twitter did.
