Monday, July 9, 2012

JSON XSRF Attacks


In our last post on JSON XSRF attacks we saw some basics about XSRF attacks. So now in this section we will have our look on how to find and exploit JSON vulnerability for attack. As told in previous post JSON vulnerability exists when JSON data transfer format is used instead of standard XML data transfer format and that happens only in AJAX based web applications so following are your steps to find out whether a site is vulnerable or not.


  • If the web application is running on AJAX then check for response type of application for JSON format or Java Script.
  • Now determine whether a cross domain request can be made from it or not. If yes, check for transferred parameters, if they are same for each request or they are predictable then web application is vulnerable


Now a point of importance, JSON attacks can only be performed using HTTP GET method, that means if the application uses POST instead of GET then you have to check does it also supports GET method or not else you can't perform an attack.

Now its time to understand how to attack. A site vulnerable to XSRF attacks can only be exploited using Java Script. Now suppose after determining vulnerability you found that web application has 4 parameters out of which nearly all are either same or predictable. Then basically you can exploit web application using code which may appear as following,

<script>
function display (s)
{
alert(s);
}

function Array ()
{
for (var i=0 ; i<4 ; i++)
this[i] grab = display;
}
</script>
<script src= “http://example.com/someNavigation/data.json”></script>

For above example data is coming in JSON format from example{dot}com. As found earlier there are 4 parameters so we constructed an array object in which we defined variable grab to capture 4 parameters and send it to display function. Display function will just display the grabbed parameters. Note that this is just an example script the original code may vary depending upon the web application. Rather than displaying grabbed parameters you can also opt to write them somewhere for further reference. Now upload this script to your site and vector it your victim.

This post might be little tricky to understand for those who don't have any kinda experience in AJAX and Java Script but I hope most of you might understand it since I tried to keep it as simple as I can. So in next post to JSON XSRF attacks we will see its preventive measures till then thanks for reading, have nice time and keep visiting.

0 comments: