An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website.

How does a JSON Hijacking (aka JavaScript Hijacking) attack work?

It typically unfolds over 3 phases. It begins with: [Understand How to Request JSON Responses from the Target System] An attacker first explores the target system to understand what URLs need to be provided to it in order to retrieve JSON objects that contain information of interest to the attacker.

How do you prevent CAPEC-111?

Ensure that server side code can differentiate between legitimate requests and forged requests. The solution is similar to protection against Cross Site Request Forger (CSRF), which is to use a hard to guess random nonce (that is unique to the victim's session with the server) that the attacker has no way of knowing (at least in the absence of other weaknesses). Each request from the client to the server should contain this nonce and the server should reject all requests that do not contain the nonce.

What weaknesses does CAPEC-111 target?

CAPEC-111 exploits 3 CWE weaknesses, including CWE-345 (Insufficient Verification of Data Authenticity), CWE-346 (Origin Validation Error), CWE-352 (Cross-Site Request Forgery (CSRF)).

How severe is CAPEC-111?

MITRE rates CAPEC-111 as High severity with high likelihood of attack.

CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)

An attacker gets the victim to visit their malicious page that contains a script tag whose source points to the vulnerable system with a URL that requests a response from the server containing a JSON object with possibly confidential information. The malicious page also contains malicious code to capture the JSON object returned by the server before any other processing on it can take place, typically by overriding the JavaScript function used to create new objects. This hook allows the malicious code to get access to the creation of each object and transmit the possibly sensitive contents of the captured JSON object to the attackers' server. There is nothing in the browser's security model to prevent the attackers' malicious JavaScript code (originating from attacker's domain) to set up an environment (as described above) to intercept a JSON object response (coming from the vulnerable target system's domain), read its contents and transmit to the attackers' controlled site. The same origin policy protects the domain object model (DOM), but not the JSON.

CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

Examples

Frequently asked questions

What is CAPEC-111?

How does a JSON Hijacking (aka JavaScript Hijacking) attack work?

How do you prevent CAPEC-111?

What weaknesses does CAPEC-111 target?

How severe is CAPEC-111?

References

Defend against CAPEC-111

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

Examples

Related weaknesses

Related attack patterns

Parent

Frequently asked questions

What is CAPEC-111?

How does a JSON Hijacking (aka JavaScript Hijacking) attack work?

How do you prevent CAPEC-111?

What weaknesses does CAPEC-111 target?

How severe is CAPEC-111?

References

Defend against CAPEC-111