Common Attack Pattern Enumeration and Classification
A Community of Knowledge Resource for Building Secure Software
Attack Execution Flow
Gmail service was found to be vulnerable to a JSON Hijacking attack that enabled an attacker to get the contents of the victim's address book. An attacker could send an e-mail to the victim's Gmail account (which ensures that the victim is logged in to Gmail when he or she receives it) with a link to the attackers' malicious site. If the victim clicked on the link, a request (containing the victim's authenticated session cookie) would be sent to the Gmail servers to fetch the victim's address book. This functionality is typically used by the Gmail service to get this data on the fly so that the user can be provided a list of contacts from which to choose the recipient of the e-mail.
Skill or Knowledge Level: Medium
Once this attack pattern is developed and understood, creating an exploit is not very complex.
No specialized hardware resources are required. The attacker needs to have knowledge of the URLs that need to be accessed on the target system to request the JSON objects.
Examine the typical asynchronous requests and responses between an AJAX client and the server to see how JSON objects are requested and what is returned.
Ensure that server-side code can differentiate between legitimate requests and forged requests. The solution is similar to protection against Cross-Site Request Forgery (CSRF), which is to use a hard-to-guess random nonce (unique to the victim's session with the server) that the attacker has no way of knowing (at least in the absence of other weaknesses). Each request from the client to the server should contain this nonce, and the server should reject all requests that do not contain it.
Make the URLs in the system used to retrieve JSON objects unpredictable and unique for each user session.
Ensure that a mechanism is in place for the server-side code to differentiate between legitimate requests and forged requests.
Ensure that URLs used to request server responses that pass the JSON objects back to the client are hard to guess and are unique per user session.
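The two mitigations above (a per-session nonce that every request must carry, and a JSON URL that is unguessable and unique per session) can be shown in one small server-side handler. The example below is added here as an illustration and is not code from CAPEC or from any real service; the in-memory ContactsService class, the X-Request-Nonce header name and the /contacts/<nonce>.json URL shape are all assumptions chosen for the demonstration. The forged request models the scenario in the Attack Execution Flow: the browser attaches the session cookie automatically, but the attacker's page does not know the nonce and can only guess the predictable URL.

```python
import hmac
import secrets


class ContactsService:
    """Constructed, in-memory stand-in for a server that returns a user's
    contacts as JSON. It enforces two defenses against JSON hijacking:
    every request must carry the session's nonce, and the JSON URL itself
    embeds that nonce so it is unguessable and different for each session."""

    def __init__(self):
        self._sessions = {}   # session cookie value -> (user, nonce)
        self._contacts = {}   # user -> list of contacts

    def add_contact(self, user, contact):
        self._contacts.setdefault(user, []).append(contact)

    def login(self, user):
        """Issue a session cookie and a fresh, unguessable nonce bound to it."""
        cookie = secrets.token_urlsafe(32)
        nonce = secrets.token_urlsafe(32)
        self._sessions[cookie] = (user, nonce)
        return cookie, nonce

    def contacts_url(self, cookie):
        """URL the legitimate page uses; it differs for every session (assumed shape)."""
        _, nonce = self._sessions[cookie]
        return f"/contacts/{nonce}.json"

    def handle(self, cookie, path, headers):
        """Process one request and return (HTTP status, body)."""
        session = self._sessions.get(cookie)
        if session is None:
            return 401, None            # no valid session at all
        user, nonce = session
        expected_path = f"/contacts/{nonce}.json"
        presented = headers.get("X-Request-Nonce", "")   # hypothetical header
        # Constant-time comparisons so response timing does not leak the nonce.
        if not (hmac.compare_digest(path, expected_path)
                and hmac.compare_digest(presented, nonce)):
            return 403, None            # forged or replayed request: rejected
        return 200, list(self._contacts.get(user, []))


def demo():
    """Legitimate request versus a forged cross-site one (constructed scenario)."""
    svc = ContactsService()
    svc.add_contact("alice", "bob@example.com")
    cookie, nonce = svc.login("alice")
    # The real client learned the nonce from the logged-in page and sends it back.
    legitimate = svc.handle(cookie, svc.contacts_url(cookie),
                            {"X-Request-Nonce": nonce})
    # The forged request rides on the cookie the browser attaches, but the
    # attacker's page knows neither the per-session URL nor the nonce.
    forged = svc.handle(cookie, "/contacts.json", {})
    return legitimate, forged


if __name__ == "__main__":
    print(demo())
```

The URL check alone would already defeat a cross-site script-include of the predictable endpoint; the header check is kept as well because it also covers endpoints whose URL must stay stable, and it costs nothing once the nonce is already in the session.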