CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)

Description
An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website.
Extended Description

An attacker gets the victim to visit their malicious page that contains a script tag whose source points to the vulnerable system with a URL that requests a response from the server containing a JSON object with possibly confidential information. The malicious page also contains malicious code to capture the JSON object returned by the server before any other processing on it can take place, typically by overriding the JavaScript function used to create new objects. This hook allows the malicious code to get access to the creation of each object and transmit the possibly sensitive contents of the captured JSON object to the attackers' server.

There is nothing in the browser's security model to prevent the attackers' malicious JavaScript code (originating from attacker's domain) to set up an environment (as described above) to intercept a JSON object response (coming from the vulnerable target system's domain), read its contents and transmit to the attackers' controlled site. The same origin policy protects the domain object model (DOM), but not the JSON.

Severity :

High

Possibility :

High

Type :

Standard
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-212: Functionality Misuse Functionality Misuse
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • JSON is used as a transport mechanism between the client and the server
  • The target server cannot differentiate real requests from forged requests
  • The JSON object returned from the server can be accessed by the attackers' malicious code via a script tag
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Medium Once this attack pattern is developed and understood, creating an exploit is not very complex.The attacker needs to have knowledge of the URLs that need to be accessed on the target system to request the JSON objects.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

None: No specialized resources are required to execute this type of attack.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-345: Insufficient Verification of Data Authenticity

CWE-346: Origin Validation Error

CWE-352: Cross-Site Request Forgery (CSRF)

Visit http://capec.mitre.org/ for more details.