Kingdom: Input Validation and Representation
Input validation and representation problems ares caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input. The issues include: "Buffer Overflows," "Cross-Site Scripting" attacks, "SQL Injection," and many others.
Same-Origin Method Execution
Abstract
The application reflects a user-controllable parameter as the JavaScript callback function to be executed by the browser that might enable an attacker to execute arbitrary JavaScript functions on any pages on the same endpoint's domain.
Explanation
The application uses a parameter under the attacker's control as the name of a JavaScript function that the browser will execute. An attacker may create a malicious site which first frames a target page on the same application's domain and then references the vulnerable page in order to execute an arbitrary JavaScript function on the target page. The impact of this attack is similar to the impact of Cross-Site Scripting, though there are some important exploitation restrictions. If alphanumeric and dot characters are allowed to be used as the callback name, the attacker will be able to reference and interact with the elements of the page.
Example 1: The following code constructs a JSONP response where the callback function name can be controlled by the user.
For a request such as
The attacker can use a JavaScript
Example 1: The following code constructs a JSONP response where the callback function name can be controlled by the user.
@ControllerAdvice
public class JsonpAdvice extends AbstractJsonpResponseBodyAdvice {
public JsonpAdvice() {
super("callback");
}
}
For a request such as
GET /api/latest.json?callback=myCallbackFunction, the controller method will generate a response such as:
HTTP/1.1 200 Ok
Content-Type: application/json; charset=utf-8
Date: Tue, 12 Dec 2017 16:16:04 GMT
Server: nginx/1.12.1
Content-Length: 225
Connection: Close
myCallbackFunction({<json>})
The attacker can use a JavaScript
Script tag to load the response from the JSONP endpoint, which will turn into the execution of the myCallbackFunction function. An attacker could use a different callback name to navigate and interact with the DOM. For example opener.document.body.someElemnt.firstChild.nextElementSibling.submit could be used to locate a form in the target page and submit it.References
[1] Ben Hayak Same Origin Method Execution (SOME)
desc.semantic.java.same_origin_method_execution
Abstract
The application reflects a user-controllable parameter as the JavaScript callback function to be executed by the browser that might enable an attacker to execute arbitrary JavaScript functions on any pages on the same endpoint's domain.
Explanation
The application uses a parameter under the attacker's control as the name of a JavaScript function that the browser will execute. An attacker may create a malicious site which first frames a target page on the same application's domain and then references the vulnerable page in order to execute an arbitrary JavaScript function on the target page. The impact of this attack is similar to the impact of Cross-Site Scripting, though there are some important exploitation restrictions. If alphanumeric and dot characters are allowed to be used as the callback name, the attacker will be able to reference and interact with the elements of the page.
Example 1: The following code constructs a JSONP response where the callback function name can be controlled by the user.
For a request such as
The attacker can use a JavaScript
Example 1: The following code constructs a JSONP response where the callback function name can be controlled by the user.
def myJSONPService(callback: String) = Action {
val json = getJSONToBeReturned()
Ok(Jsonp(callback, json))
}
For a request such as
GET /api/latest.json?callback=myCallbackFunction, the controller method described in Example 1 will generate a response such as:
HTTP/1.1 200 Ok
Content-Type: application/json; charset=utf-8
Date: Tue, 12 Dec 2017 16:16:04 GMT
Server: nginx/1.12.1
Content-Length: 225
Connection: Close
myCallbackFunction({<json>})
The attacker can use a JavaScript
Script tag to load the response from the JSONP endpoint, which will turn into the execution of the myCallbackFunction function. An attacker could use a different callback name to navigate and interact with the DOM. For example opener.document.body.someElemnt.firstChild.nextElementSibling.submit could be used to locate a form in the target page and submit it.References
[1] Ben Hayak Same Origin Method Execution (SOME)
desc.dataflow.scala.same_origin_method_execution