Asktav: Sanitising JSONP Callback Identifiers For Security

  • Philip Hofstetter · 3 months ago
    The problem here is the fact that whatever you pass to friendfeed is again executed in the context of your page.

    This means that the alert() you so "cleverly" injected runs in the context of the CALLER's page, so the document.cookies that are alerted are the cookies on the source page (the page where the friendfeed page is sourced), not of the target page (friendfeed).

    This also means that friendfeed doesn't have to do sanitization because whatever you are "injecting" there you could as well just put on your page to begin with.

    The real problem behind JSONP is that the consumer has to trust the provider and there is no way to do ANY sanitization of that (the moment you add that "script src=" you are toast and you need to do that because requesting the script via XHR for example isn't possible due to the same origin policy).

    So while this might look like a nice idea, it's completely unneeded and doesn't solve the real problem, which is, unfortunately, insolvable.
  • tav · 3 months ago
    Hey Philip,

    You are right, the code is executed in the context of the CALLER's page. But that is the problem...

    Imagine the scenario, where a client-side web application allows arbitrary data sources to be added... it's not too implausible a future where instead of adding RSS feeds to an RSS Reader, one adds JSON feeds to such an application...

    In this context, if the user is tricked into adding a maliciously crafted URL, then everything from their identity to their data is accessible... not to mention being able to abuse the account to spread a worm even...

    I believe the possibilities of using JSONP haven't been explored much yet, and for it to go further in the context of interesting mashups/applications, it's important that it not be a security hole...

    Hope that makes sense!
  • Philip Hofstetter · 3 months ago
    What you are describing is just the standard case of any XSS.

    But there is no difference whatsoever between

    <script>alert(document.cookies)</script>

    and

    <script src="http://othersite.com/jsonp?callback=alert(document.cookies);foo"></script>

    While I agree that XSS must be avoided at all costs, this is not the job of the remote site. It's the job of the local site.

    PS: let's hope my sample code goes through :-)
  • tav · 3 months ago
    Thanks for the comment btw -- I've updated the article in response too. Cheers!
  • Simple Xsrf · 3 months ago
    This is all that's required:

    def is_valid_jsonp_callback_value(value): return value.find('<') < 0

    I cannot tell if your code does this or not.
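A stricter allow-list validator, added here as an example and not code from the thread or from any of the commenters. It assumes only the Python standard library, and it shows why the '<' test alone lets a callback like the one in Philip's script example (alert(document.cookies);foo) through, while an identifier allow-list rejects it.

```python
import json
import re

# Allow-list: a JSONP callback must be a plain JavaScript identifier,
# optionally dotted (e.g. "cb", "jQuery17_123", "window.app.onFeed").
# Assumption (not from the thread): callbacks are also capped in length.
_IDENT = r"[A-Za-z_$][A-Za-z0-9_$]*"
_CALLBACK_RE = re.compile(r"^" + _IDENT + r"(?:\." + _IDENT + r")*$")
MAX_CALLBACK_LEN = 128


def is_valid_jsonp_callback(value) -> bool:
    """True only if value is a (dotted) JS identifier of bounded length."""
    if not isinstance(value, str) or not value:
        return False
    if len(value) > MAX_CALLBACK_LEN:
        return False
    return _CALLBACK_RE.fullmatch(value) is not None


def no_angle_bracket_check(value: str) -> bool:
    """The weaker check proposed in the thread: reject only a literal '<'."""
    return value.find('<') < 0


def render_jsonp(callback: str, payload: dict) -> str:
    """Wrap payload in a callback call, refusing unsafe callback names.

    json.dumps with the default ensure_ascii=True escapes non-ASCII, so
    U+2028/U+2029 line terminators cannot break out of the string literal.
    """
    if not is_valid_jsonp_callback(callback):
        raise ValueError("invalid JSONP callback")
    return f"{callback}({json.dumps(payload)});"


if __name__ == "__main__":
    # Constructed sample callbacks: the first two are legitimate,
    # the last two are the kind of value a crafted URL would carry.
    samples = ["cb", "window.app.onFeed", "alert(document.cookies);foo", "<script>"]
    for s in samples:
        print(f"{s!r}: angle-only={no_angle_bracket_check(s)} "
              f"allow-list={is_valid_jsonp_callback(s)}")
    print(render_jsonp("cb", {"id": 1, "text": "hello"}))
```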