PHP : JavaScript hijacking

Classification

OWASP Top 10 2013: A6-Sensitive Data Exposure; A8-Cross-Site Request Forgery (CSRF)
OWASP Top 10 2017: A3-Sensitive Data Exposure
OWASP Top 10 2021: A2-Cryptographic Failures
PCI DSS 4.0: 6.2.4
HIPAA: §164.312(e)(1)
CWE: CWE-1032; CWE-1034

Overview

Transferring valuable data in JavaScript notation can expose an application to JavaScript hijacking attacks, which let an attacker read the data that the vulnerable application returns to its users.

A JavaScript hijacking attack bypasses the Same Origin Policy by executing JavaScript code served by one site in the context of another. Even though a malicious site cannot directly read the data that the vulnerable site sends to the client, an attacker can take advantage of insufficiently protected JavaScript code by executing it and observing the effects of that execution that he or she is interested in. This is most typical of Web 2.0 applications, which often use JavaScript to transfer data.

The most popular data transfer format in JavaScript is JSON (JavaScript Object Notation). The JSON specification (JSON RFC) defines the syntax of JSON as a subset of JavaScript. JSON is based on two kinds of data structure: arrays and objects. Any data transfer protocol whose messages can be interpreted as a valid JavaScript expression is subject to JavaScript hijacking. JSON makes the attacker's task even easier, because a JavaScript array on its own is a valid expression. Objects, unlike arrays, are vulnerable to this attack only when they are wrapped in another structure that is a valid expression.
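As an added example that is not part of the original page, the PHP handlers below serve the same data twice: first as a bare JSON array, which is itself a valid JavaScript expression and therefore has the shape this attack needs, then with the defences that make the response useless to a cross-site script include (a same-origin request marker, a per-session token, an object wrapper and a non-executable prefix). The endpoint, the loadAccounts() sample data and the header and token names are assumptions made for the example.

```php
<?php
// Added example (not the original page's code): a PHP endpoint that serves
// account data as JSON, in a vulnerable shape and in a hardened shape.
declare(strict_types=1);

// Constructed sample data standing in for a database query.
function loadAccounts(): array
{
    return [
        ['id' => 1, 'email' => 'alice@example.test', 'balance' => 120.50],
        ['id' => 2, 'email' => 'bob@example.test',   'balance' => 98.00],
    ];
}

// Vulnerable shape: a top-level JSON array is a valid JavaScript expression,
// so a page on another origin can pull it in with <script src="..."> and,
// in browsers that let a script observe how the array is built, read it.
function vulnerableResponse(): void
{
    header('Content-Type: application/json');
    echo json_encode(loadAccounts());
}

// Hardened shape: the same data, but only for requests our own JavaScript
// can make, wrapped so that the body is not a valid script on its own.
function hardenedResponse(): void
{
    // 1. Do not send the session cookie on cross-site requests at all
    //    (session_set_cookie_params() with an options array, PHP 7.3+).
    session_set_cookie_params([
        'samesite' => 'Strict',
        'httponly' => true,
        'secure'   => true,
    ]);
    session_start();

    // 2. Only answer requests made with XMLHttpRequest/fetch. A cross-site
    //    <script src> include cannot add custom request headers.
    $viaXhr = ($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest';

    // 3. Require a per-session token that a foreign page cannot know.
    //    (X-CSRF-Token is an assumed header name; the token is issued to the
    //    page's own JavaScript when the session is created.)
    $token   = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
    $tokenOk = isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $token);

    if (!$viaXhr || !$tokenOk) {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'forbidden']);
        return;
    }

    // 4. Wrap the array in an object. A bare object literal at statement
    //    position is parsed as a block and is a syntax error, so even an old
    //    browser executing the body as a script gets nothing.
    $body = json_encode(['accounts' => loadAccounts()]);

    // 5. Prefix the body with a fixed string that is itself a JavaScript
    //    syntax error; the legitimate client strips it before JSON.parse().
    header('Content-Type: application/json');
    header('X-Content-Type-Options: nosniff');
    echo ")]}',\n" . $body;
}

// Constructed routing for the example: /accounts.php?mode=safe uses the
// hardened handler, anything else shows the vulnerable one.
if (PHP_SAPI !== 'cli') {
    (($_GET['mode'] ?? '') === 'safe') ? hardenedResponse() : vulnerableResponse();
}
```

The legitimate client requests the endpoint with XMLHttpRequest or fetch, sets the X-Requested-With and X-CSRF-Token headers, and removes the fixed )]}', prefix before calling JSON.parse(). A cross-site script include can do none of these, so it either receives a 403 or a body that fails to execute; the object wrapper and prefix are worth keeping even where the token check already rejects the request, because they also cover a token-validation mistake elsewhere in the application.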

References

  1. OWASP Top 10 2017-A3-Sensitive Data Exposure
  2. Is JSON Hijacking still an issue in modern browsers? - stackoverflow.com
  3. CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration
  4. CWE-1034