JSON XSRF Attacks

Welcome to another episode of Cross Site Request Forgery Attacks on DEVILS BLOG ON SECURITY. In this post we will discus a little about JSON hacking. Now you might have question why we haven't covered JSON XSRF attacks along with other XSRF attacks. This question is little difficult to answer but here's my explanation. All other XSRF attacks usually depend on session management attacks in one or another way, directly or indirectly XSRF attacks can be called as derivative obtained by adding and integrating Session Management Attacks, Frame Injection Flaws and Cross Site Scripting whereas the case is little different in JSON XSRF attacks. Many professionals even object inclusion of JSON attack as XSRF attack but we have nothing to do with it. So lets see how JSON XSRF attacks are different from other XSRF attacks.

Read More

JSON XSRF Attacks

In our last post on JSON XSRF attacks we saw some basics about XSRF attacks. So now in this section we will have our look on how to find and exploit JSON vulnerability for attack. As told in previous post JSON vulnerability exists when JSON data transfer format is used instead of standard XML data transfer format and that happens only in AJAX based web applications so following are your steps to find out whether a site is vulnerable or not.

• If the web application is running on AJAX then check for response type of application for JSON format or Java Script.
• Now determine whether a cross domain request can be made from it or not. If yes, check for transferred parameters, if they are same for each request or they are predictable then web application is vulnerable
  
  

Read More