Data Security with JSON

Oğuz~#>

Senior Member
5 Jul 2009
4,772
17
Bursa
JSON (JavaScript Object Notation) is one way of passing data between the components of an application: the data is serialized into a text format of arrays and key-value pairs, and that text is also valid JavaScript syntax. Many applications use it to send data from the server to the browser.
How Can JSON Data Be Stolen or Compromised?

The problem arises when that data is sensitive. An attacker can build another site and create a page that includes the URL of the JSON feed in a script tag, so the victim's browser fetches the JSON and executes it as JavaScript, such as:
Code:
<script src="http://www.mysite.com/secret-data.json" type="text/javascript"></script>

The attacking page can now add some JavaScript of its own to capture the parsed JSON and send the data to the attacker. Code such as the following replaces the Array constructor so that the array the browser builds while executing the JSON is handed to the attacker's script, which then reads it for further action.
Code:
<script type="text/javascript">
  var json_data;
  // Replace the global Array constructor: in browsers that honour the override,
  // the array literal built while the JSON executes passes itself to this
  // function, so json_data ends up holding the secret data.
  Array = function() { json_data = this; };
</script>
<script src="http://www.mysite.com/secret-data.json" type="text/javascript"></script>
<script type="text/javascript">
  // Walk the captured array and report each element (a real attack would
  // send it to the attacker's server instead of alerting)
  var i = 0;
  while (json_data && json_data[i]) {
    alert("Found secret data! " + json_data[i]);
    i++;
  }
</script>

The final step of this attack is to get the targeted user to visit the attacking site while logged in to mysite. If the user is logged in, the browser attaches her session cookie to the request for the JSON, the server responds as if she had asked for it herself, and the attacker obtains the secret information. Users can be tricked into this in a variety of ways, from simply viewing a forum post or blog comment the attacker has written, to clicking directly on a malicious link.
Finally, a summary of the attack:

  1. A website returns some sensitive data as JSON
  2. An attacker creates a page that includes that JSON as a script, captures the data it produces, and sends it to the attacker
  3. The user logs in to the target site as an authenticated user
  4. The attacker convinces the user to visit the attacking page while still logged in to the target site, for example by sending a link by email or posting it on a favourite message board
  5. The data is compromised
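The attack summarized above only works when the JSON body is something the browser can execute as a script. The following JavaScript is an added example, not part of the original post: it borrows the engine's own parser to test which response shapes are executable by a script include, and shows the client side of the anti-hijacking prefix that several frameworks put in front of JSON. The sample bodies, the `SECRET_RECORD` data and the function names are constructed for the example.

```javascript
// Added example, not from the original post. Works in Node.js or a browser console.

// Decide whether a response body could be executed by <script src>. The hijack
// needs the body to be a syntactically valid JavaScript program; we borrow the
// engine's parser through the Function constructor and never call the result.
function isExecutableAsScript(body) {
  try {
    new Function(body); // parse only
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Prefix that several frameworks put in front of JSON responses: it is a syntax
// error as JavaScript, so a script include fails before any data is built, while
// a same-origin client simply strips it before JSON.parse.
const ANTI_HIJACK_PREFIX = ")]}',\n";

function parseProtectedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("response is missing the anti-hijack prefix");
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Sample bodies, constructed for the example, all carrying the same secret record.
const SECRET_RECORD = { user: "alice", email: "alice@example.com" };
const SAMPLES = {
  // A bare array is an array literal: a valid program, and the shape the
  // Array-override trick in the post relies on.
  topLevelArray: JSON.stringify([SECRET_RECORD]),
  // A top-level object parses as a block statement; the quoted key followed by
  // a colon is a syntax error, so a script include throws and captures nothing.
  topLevelObject: JSON.stringify({ users: [SECRET_RECORD] }),
  // Prefixed array: unparseable as a script, recoverable by the real client.
  prefixed: ANTI_HIJACK_PREFIX + JSON.stringify([SECRET_RECORD]),
};

// Report which samples an attacker's script tag could execute.
function hijackReport() {
  const report = {};
  for (const [name, body] of Object.entries(SAMPLES)) {
    report[name] = isExecutableAsScript(body);
  }
  return report;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(hijackReport()); // topLevelArray: true, the other two: false
  console.log(parseProtectedJson(SAMPLES.prefixed)[0].user); // alice
}
```

One edge case worth knowing: an empty object `{}` is a valid (empty) block statement and so counts as executable, but it carries nothing to steal; any object with at least one quoted key is rejected by the parser.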

How Secure is Data Passed with JSON?

The vast majority of JSON use is not affected, because most data passed as JSON is not critical user data. The attack also only works when the response is a syntactically valid JavaScript program, which in practice means a top-level array; a response whose top level is an object is a syntax error as a script and produces nothing. In addition, newer browsers, including Firefox 3 and above and IE8 and above, have blocked the common techniques for capturing the parsed data (engines following ES5 and later build array literals with the built-in constructor, so overriding the global Array no longer intercepts them), which limits the impact.
However, an attacking site may still be able to steal sensitive data from a user if that data is passed via JSON, so you should consider preventing this in the first place, even when non-critical data is being passed.

How to Prevent Data Theft When Using JSON Data Feeds

The simplest solution is to serve the JSON only in response to POST requests instead of GET requests. A script src="" tag can only issue GET requests, so another site can no longer pull the data that way. Modern browsers add a second line of defence: a session cookie set with SameSite=Lax or SameSite=Strict is not sent at all on a cross-site script include.
Alternatively, use a unique value to verify that the request for the data really came from your own site. For instance, generate a value that differs for every session, store it server-side in the user's session (which is tied to the session cookie), and require your pages to send it back with each data request; an attacker's page cannot read that value, so its requests fail the check.
As an example, the following PHP form submits a POST request together with a unique value, called a nonce, which is stored in the session and compared on the receiving page. The same check applies unchanged to a JSON endpoint: reject the request whenever the nonce is missing or does not match.
The first page (the form or submit page, where the user takes the action):
Code:
<?php
  // Start the user session (sets the session cookie)
  session_start();
  // Generate a nonce for this session from the CSPRNG. The original used
  // md5 of rand() and the time, which is predictable; random_bytes() is PHP 7+.
  $nonce = bin2hex(random_bytes(16));
  echo "<br />Nonce: " . htmlspecialchars($nonce) . "<br />";
  // Store it server-side so the receiving page can compare against it
  $_SESSION['nonce'] = $nonce;
?>
Code:
<!-- Now create the form, and include the same nonce we generated above -->
<form name="do_some_action" action="completeAction.php" method="POST">
  <input type="hidden" name="nonce" value="<?php echo htmlspecialchars($nonce); ?>"/>
  <input type="submit" value="do Action"/>
</form>

The page where the action is performed, after the user clicks the button:
Code:
<?php
  // Start the session
  session_start();
  // Get the POSTed nonce and the one stored in the session; treat either as
  // empty when it is absent or not a plain string
  $post_nonce = (isset($_POST['nonce']) && is_string($_POST['nonce'])) ? $_POST['nonce'] : '';
  $session_nonce = isset($_SESSION['nonce']) ? $_SESSION['nonce'] : '';
  // Make sure to validate all POST input to prevent other types of attacks!
  // Not shown here for brevity.
  // hash_equals() compares in constant time (PHP 5.6+); the session value goes first
  if ($session_nonce !== '' && hash_equals($session_nonce, $post_nonce))
      echo "Request is safe!";
  else
      echo "Data might be stolen!";
?>