Definition
JSON hijacking is a security weakness in which a website returns sensitive data as JSON (or JSONP) from an endpoint that the browser will request with the user's session cookies attached. Because a JSON array, and any JSONP callback wrapper, is also valid JavaScript, the attacker exploits the same cross-domain loading that JSONP relies on to pull that data into a page they control.
The attack process involves building a malicious website that lures the victim's browser into requesting the target website. The attacker's page includes the target's JSON endpoint with a script tag, so the browser fetches the JSON response as a JavaScript file, sending the victim's cookies with the request, and executes it inside the attacker's page. The attacker's code, running in that page, then captures the JSON data and extracts the sensitive information.
Real-life Examples of JSON Hijacking
An example of JSON hijacking involved social networking sites that leaked user data via JSONP endpoints that lacked sufficient security measures. Attackers exploited this weakness to harvest users' data and perform targeted phishing attacks.
How JSON Hijacking Works
JSON hijacking takes place using the following steps:
- The user logs in to the target website, which places HTTP session cookies in their browser.
- The attacker uses social engineering to lure the user into clicking a link to the attacker's website.
- The attacker's web server sends the user's browser an HTML page containing the attacker's JavaScript and a script tag whose source points at the target website's JSON endpoint.
- The browser makes a GET request to the target website to load that script and, unless the cookies are restricted with SameSite, sends the cookies stored on the victim's device with it.
- The target web server sees a request from a logged-in user and responds with JSON full of private data.
- The browser executes the response as JavaScript inside the attacker's page. The attacker hijacks the JSON with malicious code: a JSONP response calls back into a function the attacker defined, and a bare JSON array could, in older browsers, be captured by overriding JavaScript functions such as the Array constructor or property setters before the script ran.
- The attacker can now read the victim's sensitive information and send it to their own server.
JSON Hijacking Prevention Tips
- Make the JSON response impossible to run as a script. A strict Content Security Policy protects the target site's own pages, but it does not stop the attacker's page from loading the target's endpoint, so the response itself must be hardened: return a top-level object rather than a bare array, prefix the body with text that is a JavaScript syntax error (such as `)]}',\n`) that your own client strips before parsing, serve it with `Content-Type: application/json` and `X-Content-Type-Options: nosniff`, and avoid JSONP for anything private.
- Avoid revealing personal information in JSON responses: return only the fields the calling page needs, require authentication for every endpoint that returns private data, and serve it only over TLS.
- Use input validation and output encoding to avoid injection attacks; if a JSONP callback parameter must be supported, restrict it to a safe character set so it cannot carry arbitrary script.
- Use anti-cross-site request forgery (CSRF) defenses and strong session management to avoid unauthorized requests: require a CSRF token or a custom request header (which a script tag cannot send) on data endpoints, and set session cookies with the `SameSite` attribute so the browser does not attach them to cross-site script loads.
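The attack steps above and the response-hardening tips can be seen together in one Node.js simulation. This is an added example, not code from the original article or from any real site: `new Function(body)` stands in for the browser's handling of a script tag, because the browser compiles and runs the response body as JavaScript rather than parsing it as data. The endpoint shapes, the callback name `steal`, and the contact records are constructed for the example.

```javascript
// Added example (not from the original article). Simulates a browser loading a
// cross-site JSON endpoint through <script src=...>: the response body is compiled
// and executed as JavaScript, which is exactly what JSON hijacking relies on.

// Constructed sample data that the target site returns to a logged-in user.
const CONTACTS = [
  { name: "Alice", email: "alice@example.com" },
  { name: "Bob", email: "bob@example.com" },
];

// Vulnerable form 1: JSONP. The server wraps the data in whatever callback name the
// request asks for, so the attacker requests ?callback=steal and defines steal().
function jsonpResponse(data, callbackName) {
  return `${callbackName}(${JSON.stringify(data)});`;
}

// Vulnerable form 2: a bare JSON array, which is also a valid JavaScript program.
function bareJsonResponse(data) {
  return JSON.stringify(data);
}

// Hardened form: a prefix that is a JavaScript syntax error, so a <script> tag can
// never execute the body. Same-origin clients strip it before JSON.parse.
const ANTI_HIJACK_PREFIX = ")]}',\n";
function hardenedJsonResponse(data) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(data);
}

// Same-origin client side of the hardened form; refuses bodies without the prefix
// so a misconfigured endpoint is noticed instead of silently accepted.
function parseHardenedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("response is missing the anti-hijack prefix");
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// The attacker's page: define a global steal() that records what it is handed, then
// load the response body as a script. It also installs the legacy trick from the era
// of the attack, a setter on Object.prototype that fires whenever an object is
// assigned an "email" property. Modern engines define literal properties directly
// and never call inherited setters, so setterFired stays false for the bare array.
function attackerLoadsAsScript(body) {
  let captured = null;
  let setterFired = false;
  const steal = (data) => { captured = data; };
  Object.defineProperty(Object.prototype, "email", {
    set() { setterFired = true; },
    configurable: true,
  });
  let executed = true;
  try {
    new Function("steal", body)(steal); // plays the role of <script src=...>
  } catch (e) {
    if (!(e instanceof SyntaxError)) throw e;
    executed = false; // the browser would log a SyntaxError and run nothing
  } finally {
    delete Object.prototype.email; // undo the prototype pollution
  }
  return { executed, captured, setterFired };
}

// Run directly with: node json_hijack_demo.js
console.log("JSONP:   ", attackerLoadsAsScript(jsonpResponse(CONTACTS, "steal")));
console.log("bare:    ", attackerLoadsAsScript(bareJsonResponse(CONTACTS)));
console.log("hardened:", attackerLoadsAsScript(hardenedJsonResponse(CONTACTS)));
console.log("client:  ", parseHardenedJson(hardenedJsonResponse(CONTACTS)));
```

The JSONP body hands the full contact list to the attacker's `steal()` in any browser, which is why JSONP is the form that still matters today. The bare array executes without error but, in a current engine, leaks nothing because the setter is never invoked; the hardened body fails to compile, so a script tag cannot execute it at all, while the site's own client strips the prefix and parses it normally.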