[Understand How to Request JSON Responses from the Target System] An attacker first explores the target system to understand what URLs need to be provided to it in order to retrieve JSON objects that contain information of interest to the attacker.
[Launch JSON hijack] An attacker lures the victim to the malicious website or leverages other means to get his malicious code executing in the victim's browser. Once that happens, the malicious code makes a request to the victim target system to retrieve a JSON object with sensitive information. The request includes the victim's session cookie if the victim is logged in.
JSON is used as a transport mechanism between the client and the server
The target server cannot differentiate real requests from forged requests
The JSON object returned from the server can be accessed by the attackers' malicious code via a script tag
Once this attack pattern is developed and understood, creating an exploit is not very complex.The attacker needs to have knowledge of the URLs that need to be accessed on the target system to request the JSON objects.
None: No specialized resources are required to execute this type of attack.
|C o n f i d e n t i a l i t y||Read Data|
Ensure that server side code can differentiate between legitimate requests and forged requests. The solution is similar to protection against Cross Site Request Forger (CSRF), which is to use a hard to guess random nonce (that is unique to the victim's session with the server) that the attacker has no way of knowing (at least in the absence of other weaknesses). Each request from the client to the server should contain this nonce and the server should reject all requests that do not contain the nonce.
Make the URLs in the system used to retrieve JSON objects unpredictable and unique for each user session.
Gmail service was found to be vulnerable to a JSON Hijacking attack that enabled an attacker to get the contents of the victim's address book. An attacker could send an e-mail to the victim's Gmail account (which ensures that the victim is logged in to Gmail when he or she receives it) with a link to the attackers' malicious site. If the victim clicked on the link, a request (containing the victim's authenticated session cookie) would be sent to the Gmail servers to fetch the victim's address book. This functionality is typically used by the Gmail service to get this data on the fly so that the user can be provided a list of contacts from which to choose the recipient of the e-mail.
2014-06-23 | CAPEC Content Team | The MITRE Corporation
2015-12-07 | CAPEC Content Team | The MITRE Corporation
2017-08-04 | CAPEC Content Team | The MITRE Corporation
Updated Attacker_Skills_or_Knowledge_Required, Resources_Required
2019-09-30 | CAPEC Content Team | The MITRE Corporation