Put the knife down and take a green herb, dude. (c) Ruffin Bailey 2001-2017

JSON Hijacking:

The website responds with some HTML containing some JavaScript along with a script tag. When the browser sees the script tag, it makes another GET request back to the vulnerable site to load the script, sending the auth cookie along.

This makes more sense. I'd always wondered why people were concerned about Javascript exploits. If you have FireBug open, what can't you do with Javascript? It's essentially a completely open source, open data situation. The best security you can use is obfuscation, and that's not really security at all.

Turns out people are getting all upset about stuff that should really never happen in apps I [help] write.

1.) You have to be dealing with sensitive information
2.) The user has to succumb to some social engineering.
3.) You allow cross-site access to json that requires sensitive information to access.

It's that "to access" part that's really the kicker. If you're reading a cookie to produce the JSON, the hole is there, not necessarily in the JSON itself.

So if someone has a cookie to their bank stored on their browser, gets tricked into going to a spoof website (or just hits a website that's spoofing), and you allow cross-site scripting, then and only then are you potentially in trouble.

In a sense, duh. In another sense, "Oh." You'd have to go out of your way to create a problem, but apparently, at least briefly, even Twitter did.

Labels: javascript, json, security

title: Put the knife down and take a green herb, dude.	descrip: One feller's views on the state of everyday computer science & its application (and now, OTHER STUFF) who isn't rich enough to shell out for www.myfreakinfirst-andlast-name.com Using 89% of the same design the blog had in 2001.
FOR ENTERTAINMENT PURPOSES ONLY!!! Back-up your data and, when you bike, always wear white.
x MarkUpDown is the best Markdown editor for professionals on Windows 10. It includes two-pane live preview, in-app uploads to imgur for image hosting, and MultiMarkdown table support. Features you won't find anywhere else include... MarkUpDown Multiline Table & Bootstrap Grid support. Beautiful Easy Actions that keep the Markdown flowing. HTML paste to paste HTML source into your documents. You've wasted more than $15 of your time looking for a great Markdown editor. Stop looking. MarkUpDown is the app you're looking for. Learn more or head over to the 'Store now!

Friday, May 10, 2013
JSON Hijacking from vintage Phil Haack JSON Hijacking: The website responds with some HTML containing some JavaScript along with a script tag. When the browser sees the script tag, it makes another GET request back to the vulnerable site to load the script, sending the auth cookie along. This makes more sense. I'd always wondered why people were concerned about Javascript exploits. If you have FireBug open, what can't you do with Javascript? It's essentially a completely open source, open data situation. The best security you can use is obfuscation, and that's not really security at all. Turns out people are getting all upset about stuff that should really never happen in apps I [help] write. 1.) You have to be dealing with sensitive information 2.) The user has to succumb to some social engineering. 3.) You allow cross-site access to json that requires sensitive information to access. It's that "to access" part that's really the kicker. If you're reading a cookie to produce the JSON, the hole is there, not necessarily in the JSON itself. So if someone has a cookie to their bank stored on their browser, gets tricked into going to a spoof website (or just hits a website that's spoofing), and you allow cross-site scripting, then and only then are you potentially in trouble. In a sense, duh. In another sense, "Oh." You'd have to go out of your way to create a problem, but apparently, at least briefly, even Twitter did. Labels: javascript, json, security posted by ruffin at 5/10/2013 11:47:00 AM
0 comments