Because this mechanism is specifically designed to work around the browser’s same-origin restrictions, it can of course be abused by an attacker to capture data returned from other domains. In the example shown, an attacker simply needs to implement the showContacts function and include the target script. For example:
Finding JSON Hijacking Vulnerabilities
Because JSON hijacking is a species of cross-site request forgery, some instances of it can be identified using the same methodology as was described for XSRF. However, because JSON hijacking allows you to retrieve arbitrary data from another domain, and not only perform cross-domain actions, you are interested in a different range of functionality than you are when probing for standard XSRF flaws.
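The following is an added example, not code from the book: a Python check a defender can run over their own endpoints' responses to flag the two patterns discussed above (a JSONP callback wrapper, and a bare array literal) next to a hardened server-side wrapper and its client-side parser. The `)]}',` anti-hijack prefix and the `requires_custom_header` flag are assumptions about how the endpoint is built, and the sample responses in the test are constructed.

```python
import json
import re

# Prefix used by several real-world APIs to make a JSON body a JavaScript
# syntax error when loaded via <script>; the legitimate client strips it.
# Its use here is an assumption about the endpoint, not taken from the page.
ANTI_HIJACK_PREFIX = ")]}',\n"

# Matches a JSONP-style wrapper such as showContacts([...]);
CALLBACK_RE = re.compile(r"^\s*([A-Za-z_$][\w$]*)\s*\((.*)\)\s*;?\s*$", re.S)


def assess_json_response(method, body, requires_custom_header=False):
    """Classify a JSON endpoint's response for cross-domain script-inclusion risk.

    Returns a list of human-readable findings; an empty list means none of the
    risk patterns checked here apply. requires_custom_header is an assumption
    about the endpoint: a <script> tag cannot add request headers, so such an
    endpoint cannot be reached by a cross-domain include at all.
    """
    if method.upper() != "GET" or requires_custom_header:
        return []  # a <script> include is always a plain GET without custom headers
    findings = []
    m = CALLBACK_RE.match(body)
    if m:
        findings.append(
            "JSONP wrapper '%s(...)': the response is executable script, so any "
            "origin that includes it receives the data via the callback" % m.group(1))
        return findings
    if body.startswith(ANTI_HIJACK_PREFIX):
        return findings  # the prefix is a JS syntax error; not consumable as script
    try:
        data = json.loads(body)
    except ValueError:
        return findings  # not JSON at all; out of scope for this check
    if isinstance(data, list):
        findings.append(
            "bare array literal: valid JavaScript, historically readable via "
            "Array constructor or setter overrides in older browsers")
    return findings


def harden_json_body(data):
    """Server side: wrap data in an object and add the anti-hijack prefix."""
    return ANTI_HIJACK_PREFIX + json.dumps({"data": data})


def parse_hardened_body(body):
    """Client side: strip the prefix, then parse as ordinary JSON."""
    if not body.startswith(ANTI_HIJACK_PREFIX):
        raise ValueError("missing anti-hijack prefix")
    return json.loads(body[len(ANTI_HIJACK_PREFIX):])
```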
HACK STEPS
■