Steal some JSON response by JSONP injection!!


Some websites depend on JSON to send requests and receive responses and this response can include an information about the logged in user and shouldn't be public to anyone now in this topic we will see how we can steal this data.

What is JSON?


JSON is a language but isn’t programing language but it’s a lightweight data-interchange format and we can use it to communication between different apps such as ( Android, IOS, Web,….).

Exploitation

Now some of JSON response is like that



In this case, if the response like that you are lucky we can dump this data by writing a small code using JS we will include this file in my page as a JS file in a script tag and we will create a function to dump data and the function name should be userInfo this is the exploitation you can see the code in the next image









and the response in my page here


Attacker page

This a useful way and the Basic there are more ways but I don’t want to make this topic Boring and long, I will talk about one last way to dump the data, there another way by adding this parameter callback to the JSON file if the files don’t have a function name to exploit by using it you can try to add the parameter like that






Now it looks like the above case and you should follow the old steps and done you will steal the data.
Thank you for reading I hope this topic help you with something.

Comments

Popular posts from this blog

HITB2018DXB Pre-Conf CTF | Write up

How to start on web applications security

Write-Up || Quals: Saudi and Oman CTF 2019 Web Challenges