JSONP Hijacking

ID

go.jsonp_hijacking

Severity

high

Resource

Information Leak

Language

Go

Tags

CWE:359, NIST.SP.800-53, OWASP:2021:A1, PCI-DSS:6.5.1

Description

JSONP is a commonly used technique that allows cross-domain requests. However, it is inherently unsafe for transmitting sensitive information, because the responding server cannot verify the origin of the page that requested the script and the endpoint is exposed to cross-site scripting attacks.

Rationale

JSONP is designed to bypass the same-origin policy by using script tags to fetch resources from different origins. This is often used for legitimate cross-domain communication, but it inherently lacks origin validation.

Consider this simple example:

package main

import (
	"net/http"

	"github.com/labstack/echo"
	"github.com/labstack/echo/middleware"
)

func main() {
	e := echo.New()
	e.Use(middleware.Logger())
	e.Use(middleware.Recover())

	// JSONP endpoint: the callback name comes straight from the query string
	e.GET("/jsonp", func(c echo.Context) error {
		callback := c.QueryParam("callback")
		if callback == "" {
			return c.JSON(http.StatusBadRequest, map[string]string{"error": "callback parameter is required"})
		}

		var data struct {
			User string `json:"user"`
			SSN  string `json:"ssn"`
		}
		data.User = "Elon"
		data.SSN = "42137139612" // Sensitive information

		return c.JSONP(http.StatusOK, callback, &data) // FLAW: transmitting sensitive data via JSONP
	})

	// Start server
	e.Logger.Fatal(e.Start(":1323"))
}

The endpoint transmits a user’s name and SSN, which is sensitive information, over JSONP. Because the response is executable script, any page on any origin can include the endpoint in a script tag and receive those values through its own callback.

Remediation

  1. Avoid Using JSONP: Whenever possible, avoid using JSONP. Prefer safer alternatives such as CORS (Cross-Origin Resource Sharing) which provides better control over cross-domain requests.

  2. Validate Callback Parameters: If JSONP is necessary, strictly validate the callback parameter to ensure it conforms to expected patterns. Avoid using arbitrary strings.

  3. Use POST Requests: Consider requiring POST requests with proper tokens (e.g., CSRF tokens) to better authenticate the source of the request.

  4. Content-Type Enforcement: Set restrictive content types and ensure the data being sent is appropriate for the context to minimize misuse.

  5. Regular Security Audits: Regularly audit your endpoints for potential vulnerabilities and keep up with security best practices.

By implementing these practices, you can mitigate the risks associated with JSONP vulnerabilities and protect your applications from unauthorized access and data leaks.
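The remediation steps above applied to the endpoint from the Rationale, as an added example that is not part of this page or of the echo project: it uses only net/http, keeps the SSN out of the JSONP response entirely, validates the callback against a strict pattern, and serves the sensitive fields as plain JSON behind a CORS allow-list. The allowedOrigin value is a constructed placeholder.

```go
package main

import (
	"encoding/json"
	"net/http"
	"regexp"
)

// Strict allow-list for callback names: a JavaScript identifier, optionally
// dotted (e.g. "app.onUser"); parentheses, quotes and comment markers never match.
var callbackRe = regexp.MustCompile(`^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$`)

// allowedOrigin is a constructed placeholder for the one front end allowed to read sensitive JSON.
const allowedOrigin = "https://app.example.com"

// ValidCallback reports whether name is an acceptable JSONP callback.
func ValidCallback(name string) bool {
	return len(name) <= 64 && callbackRe.MatchString(name)
}

// PublicProfile carries only non-sensitive fields: the SSN is never sent over
// JSONP, because any third-party page can include this endpoint as a script.
type PublicProfile struct {
	User string `json:"user"`
}

// JSONPHandler validates the callback, serves public data only, and sets a
// script content type plus nosniff so the response is not misinterpreted.
func JSONPHandler(w http.ResponseWriter, r *http.Request) {
	cb := r.URL.Query().Get("callback")
	if !ValidCallback(cb) {
		http.Error(w, "invalid callback parameter", http.StatusBadRequest)
		return
	}
	body, _ := json.Marshal(PublicProfile{User: "Elon"})
	w.Header().Set("Content-Type", "application/javascript; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Write([]byte("/**/" + cb + "(" + string(body) + ");"))
}

// SensitiveJSONHandler is the CORS alternative for sensitive fields: plain JSON,
// which a <script> include cannot read, with CORS opened only for allowedOrigin.
func SensitiveJSONHandler(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("Origin") == allowedOrigin {
		w.Header().Set("Access-Control-Allow-Origin", allowedOrigin)
		w.Header().Set("Vary", "Origin")
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]string{"user": "Elon", "ssn": "42137139612"})
}
```

Wire the two handlers with http.HandleFunc on /jsonp and /profile; the sensitive endpoint should additionally sit behind the application's normal authentication.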

Configuration

The detector has the following configurable parameters:

  • sensitiveKinds, the sensitive data kinds that are reported by this detector.

  • sources, the source kinds to check.

  • neutralizations, the neutralization kinds to check.

Unless you need to change the default behavior, you typically do not need to configure this detector.

References

  • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor.