Steal some JSON response by JSONP injection!!
Some websites depend on JSON to send requests and receive responses and this response can include an information about the logged in user and shouldn't be public to anyone now in this topic we will see how we can steal this data.
What is JSON?
JSON is a language but isn’t programing language but it’s a lightweight data-interchange format and we can use it to communication between different apps such as ( Android, IOS, Web,….).
Exploitation
Now some of JSON response is like that
In this case, if the response like that you are lucky we can dump this data by writing a small code using JS we will include this file in my page as a JS file in a script tag and we will create a function to dump data and the function name should be userInfo this is the exploitation you can see the code in the next image
and the response in my page here
Attacker page
This a useful way and the Basic there are more ways but I don’t want to make this topic Boring and long, I will talk about one last way to dump the data, there another way by adding this parameter callback to the JSON file if the files don’t have a function name to exploit by using it you can try to add the parameter like that
Now it looks like the above case and you should follow the old steps and done you will steal the data.
Thank you for reading I hope this topic help you with something.
Comments
Post a Comment