Request a Consultation
We use cookies to enhance your experience of our website, save your preferences and provide us with information on how you use our website. For more information please read our Privacy Policy. By using our website without changing your browser settings you consent to our use of cookies.
Feb. 19, 2023 Leveraging JSONP to bypass cross-domain restrictions
5 minute read
Leveraging JSONP to bypass cross-domain restrictions

JSON with Padding, also known as JSONP, allows users to request data from another domain to interact with an application without implementing cross-domain policies. JSONP can bypass the cross-domain restriction by using a script tag instead of the traditional XMLHttpRequest object. The Certus Cybersecurity team created a proof of concept (“PoC”) application that demonstrates how an adversary can leverage custom HTML files to bypass cross-domain policy restrictions commonly known as cross-origin resource sharing (“CORS”) and extract data from other domains.

Data Leakage via JSONP Misconfiguration

To demonstrate PoC, Certus Cybersecurity created a vulnerable JSONP application called whoami. You can download the application code from GitHub Repository.

To bypass CORS, a malicious actor can leverage the script tag to embed Javascript that calls the victim's application or use an iframe i.e., an HTML element that loads another HTML page within the application. For example, an adversary can implement HTML code on their domain using the following script tag that calls a JSONP implemented at whoami’s URI:

<script src=”https://www.certuscyber.com/whoami/?callback=malicious”/>

The above callback parameter, a function that is passed to another function as a parameter, then simply displays the data from whoami on another page controlled by the adversary (JSONP.html). The adversary can then perform more nefarious activities, such as logging this information on a database or modifying the data.

function malicious(data){ document.write(JSON.stringify(data)); }

In the backend code (see below), the whoami URI returns the user's information. The user information is captured by the session cookie shared by an HTML page controlled by the adversary.

// show user info
app.get('/whoami', isAuthenticated, (re1, res) => {
console.log("[i] Served User Info")
return res.jsonp(users[0]);
});

The output the adversary can subsequently see is as follows, and clearly displays user-sensitive information such as username, password, phone number, email and home address:

{
id: 1,
username: 'johndoe',
password: '$2b$10$lq5kBLti.5p/Ziq6GmXVdeVr2mMJvyPvFk.zpiy.2F1ozVqTw18cu',
phone : '+91-0000000000',
role: 'admin',
email: "test@example.com",
balance: "$99,999,999",
address: "221B Baker Street, London",
}

How to Identify JSONP Misconfiguration

In order to identify JSONP misconfiguration in an application, check the conditions in the request and response headers. If any of the following conditions are present, then the application is vulnerable to JSONP:

  • The request method is GET.
  • The authentication mechanism is through the cookie header.
  • The callback function or `jsonp` GET parameter is present in the request header.
  • Apart from the default headers, the request should not have additional headers.
  • The response Content-Type header is `application/x-javascript` or `text/javascript`.
  • The response content has a function and data like Anything-Here-as-a-Function({JSON data}).

Tip: If the `callback` or `json` GET parameters are not present in the request, and the request and response match the above conditions, the JSONP-leveraged attack is still possible.

If the response Content-Type is set to `application/x-javascript` or `text/javascript`, the browser treats the content as JavaScript code and lets the application include it in the HTML If you are aware of a Content Delivery Network (CDN), developers use CDN Javascript files to make the application work. The same concept is used in JSONP to transfer the data without the Same Origin Policy (SOP) restrictions.

You might wonder why the response content should have FUNCTION({JSON data}). The application (in this case, whoami), could call that response’s function from its code and fetch the JSON data. As observed above, the browser lets the vulnerable application (whoami) use another application’s data in the requested application as JavaScript code, if the response’s Content-Type is set to `application/x-javascript` and `text/javascript`.

Mitigation against JSONP-leveraged attack

To avoid this JSONP-leveraged attack, Certus Cybersecurity recommends:

  • Checking the referer or origin headers on the server side with safelisted domains.
  • Using the HTML5 CORS mechanism to share the data instead of the JSONP mechanism.

About the Authors 

Farid Luhar is Security Engineer at Certus Cybersecurity. A product security thought leader and subject matter expert, Farid is responsible for technical delivery of mobile and web application penetration testing.

Contact Us
Ready to get started? Book a free consultation today, and we’ll write you back within 24 hours. For further inquiries, please submit the form at right. By submitting completed “Book a Free Consultation” form, your personal data will be processed by Certus Cybersecurity. Please read our Privacy Notice for more information.