JSONP Injection

medium Web App Scanning Plugin ID 112805

Language:

Synopsis

JSONP Injection

Description

JSONP (JSON with Padding) is a JavaScript technique that allows you to query data from a server without worrying about cross-domain issues by using the tag scripts rather than the XMLHttpRequest object and thus not worrying about the browser's same-origin-policy restrictions. Due to the nature of JSONP not to apply origin control, depending on the server's response to the request, this feature can be abused by an attacker to steal sensitive information from the user and in some cases, also lead to arbitrary JavaScript code execution (Cross-Site Scripting).

Solution

It is not recommended to use JSONP for sensitive endpoints because JSONP is designated by default to bypass the same-origin-policy. It is better to use the CORS mechanism with a strict control on the origin of the request.

See Also

https://securitycafe.ro/2017/01/18/practical-jsonp-injection/

Plugin Details

Severity: Medium

ID: 112805

Type: remote

Family: Injection

Published: 6/14/2021

Updated: 9/6/2023

Scan Template: api, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Medium

Base Score: 5.1

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

CVSS Score Source: Tenable

Reference Information

CWE: 829

OWASP: 2010-A6, 2013-A5, 2017-A6, 2021-A8

WASC: Application Misconfiguration

CAPEC: 175, 201, 228, 251, 252, 253, 263, 549, 660

DISA STIG: APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-SI-10(5)

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-12.3.6

PCI-DSS: 3.2-6.5.8