[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
- To: M Kirschbaum <pr0ix@xxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
- From: Michal Zalewski <lcamtuf@xxxxxxxxxxx>
- Date: Sat, 15 Mar 2014 09:46:27 -0700
> As a professional penetration tester, [...]
> The JSON service responds to GET requests , and there is a good chance that
> the service is also vulnerable to JSON Hijacking attacks.
That's... not how XSSI works.
To have a script inclusion vulnerability, you need to have a vanilla
GET response that contains some user-specific secrets that are
returned to the caller based on HTTP cookies (or, less likely, other
"ambient" credentials). For example, a script response that discloses
the contents of your mailbox or the list of private contacts would be
of concern.
Further, the response must be in a format that can be not only loaded,
but also inspected by another site opened in your browser; most types
of JSONP fall into this category, but JSON generally does not,
essentially because of how the meaning of "{" is overloaded in JS
depending on where it appears in a block of code.
Last but not least, the final piece of the puzzle is that the response
must be served at a URL that can be guessed by third parties who don't
have access to your account.
/mz
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/