Rich Client Web Applications: the future so near, Chapter III, III.1 Attack Types

III.1.3 JSON Hijacking

Roberto Bifulco — Mon, 02/11/2008 - 15:06

JSON hijacking (sometimes called JavaScript hijacking [15]) is an attack built on CSRF techniques. It exploits the fact that JSON is a subset of JavaScript: if a service returns a JSON string as its response, a third-party page (the source page of the CSRF) can assign that string to an object and use that object to steal information.

If a service returns a JSON object, that object is written exactly like a JavaScript object, so once it is loaded it becomes part of the page environment. If the attacker overrides the JavaScript object constructor function, he can steal the information contained in the object.

This attack was used in the past to demonstrate a Gmail vulnerability; more details are given in [17].

SOLUTION: because the attack relies on CSRF, preventing CSRF also prevents JSON hijacking.

Another option is to embed the JSON response inside JavaScript code that makes the returned string unusable unless it is processed first. For example, the JSON response can be enclosed between “/*” and “*/”, the JavaScript comment delimiters. The attacker's page, using CSRF, cannot modify the string, so JavaScript treats it as a comment and ignores it, and the data inside cannot be read by the attacker's code.
