Xsser · 2012/12/28 then
0x00 Related Background
JSON(JavaScript Object Notation) is a lightweight data interchange format. Easy to read and write. It is also easy for machine parsing and generation. It is based on JavaScript Programming Language, a subset of Standard ECMA-262 3rd Edition – December 1999. JSON uses a completely language-independent text format, but also uses conventions similar to the C language family (C, C++, C#, Java, JavaScript, Perl, Python, etc.). These features make JSON an ideal data exchange language.
This pure text data interaction mode can be used naturally in the browser, so with the development of Ajax and Web business, a wide range of large websites began to use it, including Yahoo, Google, Tencent, Baidu and so on.
However, if this interaction is used to transmit sensitive data without much security control, it will lead to security vulnerabilities, and the application will be subject to different levels of attack according to the sensitive information.
0 x01 causes
JSON is a practical application of javascript. As an effective way of data transmission, the influence of javascript on cross-domain security policies in the browser must be taken into account when using it. Generally speaking, the following data is to be transmitted
$data=array("username"=>"wooyun",
"password"=>"wooyun"
);
Copy the code
There are two ways to transfer data when USING JSON:
XMLHTTP retrieves data:
{"username":"wooyun","password":"wooyun"}
Copy the code
When data is retrieved at the front end, the data acquirer and data provider belong to the same domain, such as www.wooyun.org, in the same trusted security zone. So you can use the XMLHTTP obtaining data, and then with XMLHTTP access to data into their own js logic such as eval () can also use other ways, this way can ensure that only data under the domain of reliable transmission, not (under the circumstances of the current browser) cause the data to a third party not credible.
Script Data acquisition method:
userinfo={"username":"wooyun","password":"wooyun"}
Copy the code
If the data transmitted is in two different domains, for example, for A large Internet company, the domain name A representing application A wants to obtain the data of the domain name B representing application B. Since the data cannot be obtained across domains in javascript, script labels are generally adopted to obtain data, and some callback is passed in to obtain the final data. For example, to obtain the above data can be used
<script src="http://www.wooyun.org/userdata.php?callback=userinfo"></script>
Copy the code
Because data is transferred between two completely different domains, a lack of effective control can result in data being leaked to third party programs.
0x02 Attack Modes and Hazards
By analyzing data interactions in applications, we can often find sensitive information leaks. Common ways to do this include grabbing app interactions and looking at sensitive data, which can be found if there are no security controls at the time of transmission.
The main danger is that some data-sensitive applications will cause serious attacks. For applications that are not sensitive to data or even open to third parties, such problems are not security issues. By using javascript hijacking, we can temporarily steal sensitive data by using third-party domains. The general exploit code form is as follows:
<script>
function wooyun_callback(a){
alert(a);
}
</script>
<script src="http://www.wooyun.org/userdata.php?callback=wooyun_callback"></script>
Copy the code
0x03 Actual Case
WooYun: QQMail email leak vulnerability
By constructing the URL for users to access, you can get the mailing list of QQ Mail. This vulnerability requires the sharing of email information in QQ Mail in web QQ, so QQ Mail opens a JSON interface to provide the domain name of a third party to obtain the information of QQ Mail. However, due to the lack of sufficient authentication, As a result, any third party domain can use script to retrieve the mailing list.
<script> var Qmail={}; </script> <script src="http://mail.qq.com/cgi-bin/login?fun=passport&target=MLIST&t=login.js&pagesize=10&resp_charset=gb2312&1=3"></script > <script> alert(Qmail.newMailsList.nextUrl); alert(document.scripts[1].src=Qmail.newMailsList.nextUrl); alert(Qmail.newMailsList.summary); </script>Copy the code
0x04 Recovery Plan
Avoid cross-domain data transfer, use XMLHTTP as the data retrieval method for same-domain data transfer, and rely on javascript security in the browser domain to protect data. For cross-domain data transmission, permission authentication must be performed on sensitive data acquisition. Specific methods include:
1. Source restriction of referer. The unforgability of front-end referer is used to ensure that the application of requested data comes from a trusted place. Strictly speaking, javascript hijacking means hijacking some sensitive information, unlike CSRF, which cannot take data but submits it. If we can make the interface unknown to attackers, we can implement JSON hijacking's defense. Using tokens to authenticate the identity of callers, this method has a relatively small requirement on the identity of callers, but once XSS appears, front-end tokens may also be disclosed, resulting in protection failure. 3. In the case of same-domain JSON, while(1) can be added in the output header of the data; This prevents data from being referenced by script tags, which can lead to data leaks in more sophisticated browsers.Copy the code
0x05 Other Security Problems
1 JSON Indicates the correct HTTP header output
0x06 Related Resources
http://www.json.org/json-zh.html