JSONP Injection

High | Web Application Scanning Plugin ID 112805

JSONP (JSON with Padding) is a JavaScript technique for retrieving data from a server on another domain without running into cross-domain restrictions: instead of using the XMLHttpRequest object, which is subject to the browser's same-origin policy, the page loads the endpoint through a <script> tag, and the server wraps the JSON in a call to a client-supplied callback function. Because JSONP performs no origin control, and because the browser attaches the user's cookies to the script request (unless the cookies are SameSite-restricted), any third-party page visited by an authenticated user can include the endpoint and receive whatever it returns. Depending on the server's response, an attacker can therefore steal sensitive user data and, if the callback parameter is reflected into the response without validation, also execute arbitrary JavaScript in the context of the vulnerable site (Cross-Site Scripting).


JSONP should not be used for sensitive endpoints, because it is designed to bypass the same-origin policy. Use the CORS mechanism instead, with a strict allow-list of permitted origins (never a reflected Origin header, and never a wildcard combined with credentials). If a JSONP endpoint must be kept for public data, restrict the callback parameter to a strict function-name pattern, serve the response with a JavaScript content type and X-Content-Type-Options: nosniff, and do not return session-specific data from it.
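As an added illustration that is not part of the plugin text, the following Node.js snippet models the behaviour described in the description and the solution above: a vulnerable JSONP endpoint that reflects its callback and returns session data to any origin, a hardened JSONP variant restricted to public data with a validated callback, and a CORS endpoint with a strict origin allow-list. The session store, the public data, the allow-list, the attacker payload and the request/response objects are constructed for the example and do not come from the original page.

```javascript
// Added example (not from the Tenable plugin page): a dependency-free model of a
// JSONP endpoint, the two abuses described above (data theft through a
// cross-origin <script> tag and reflected-callback XSS), and the hardened
// alternatives. SESSIONS, PUBLIC_INFO, ALLOWED_ORIGINS and the request/response
// shapes are constructed for this example.

// Constructed session store: the cookie value maps to user-specific data.
const SESSIONS = {
  'sid=abc123': { user: 'alice', email: 'alice@example.com', balance: 1250 },
};
const PUBLIC_INFO = { service: 'example-api', version: '2.1' };
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// What an attacker puts in ?callback= to get script execution instead of a
// plain callback: the JSON argument is commented out and the payload runs.
const XSS_PAYLOAD = 'alert(document.domain);//';

function lookupUser(cookie) {
  return SESSIONS[cookie] || null;
}

// VULNERABLE: reflects the callback verbatim and returns session data to any
// origin. Because <script src> requests carry the user's cookies (when they are
// not SameSite-restricted), an attacker page can embed
//   <script src="https://victim/api/profile?callback=exfil"></script>
// and receive the profile in its own exfil() function.
function jsonpVulnerable(query, cookie) {
  const user = lookupUser(cookie);
  const headers = { 'Content-Type': 'application/javascript' };
  if (!user) return { status: 401, headers, body: '' };
  const callback = query.callback || 'callback';
  return { status: 200, headers, body: `${callback}(${JSON.stringify(user)});` };
}

// Hardened JSONP, for public data only: the callback must be a plain (dotted)
// JavaScript identifier, the response is prefixed with a comment so it cannot
// start with attacker-chosen bytes, and nosniff prevents content-type confusion.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function jsonpHardened(query) {
  const headers = {
    'Content-Type': 'application/javascript; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
  };
  const callback = query.callback || 'callback';
  if (callback.length > 64 || !CALLBACK_RE.test(callback)) {
    return { status: 400, headers, body: '' };
  }
  return { status: 200, headers, body: `/**/${callback}(${JSON.stringify(PUBLIC_INFO)});` };
}

// CORS replacement for the sensitive endpoint: plain JSON, with
// Access-Control-Allow-Origin set only for an exact allow-list match.
// Never echo an arbitrary Origin, and never combine "*" with credentials.
function corsJson(requestOrigin, cookie) {
  const user = lookupUser(cookie);
  const headers = {
    'Content-Type': 'application/json; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
    Vary: 'Origin',
  };
  if (!user) return { status: 401, headers, body: '' };
  if (ALLOWED_ORIGINS.has(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return { status: 200, headers, body: JSON.stringify(user) };
}

// Why CORS + plain JSON resists <script> inclusion: a bare JSON object is not a
// valid script body (the browser raises a SyntaxError and nothing runs), whereas
// a JSONP response is. new Function only parses the body; it never executes it.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  const sid = 'sid=abc123';
  console.log(jsonpVulnerable({ callback: XSS_PAYLOAD }, sid).body);
  console.log(jsonpHardened({ callback: XSS_PAYLOAD }).status);
  console.log(corsJson('https://attacker.example', sid).headers);
}
```

The scanner's finding corresponds to jsonpVulnerable: the payload is reflected unchanged into an executable response. The CORS variant still answers the request, but without the Access-Control-Allow-Origin header the browser refuses to hand the body to the calling page, and the body itself is not loadable through a <script> tag.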


Plugin Details

Severity: High

ID: 112805

Type: remote

Published: 6/14/2021

Updated: 11/26/2021

Scan Template: scan, pci, api

Risk Information

CVSS v2.0

Risk Factor: Medium

Base Score: 6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: Tenable

CVSS v3.0

Risk Factor: High

Base Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

CVSS Score Source: Tenable
