Framework: JSON Hijacking

Created on 9 Jul 2017 · 7 comments · Source: laravel/framework

  • Laravel Version: 5.4
  • PHP Version: 7.1.4

Description:

JSON responses using the json(array) method are susceptible to hijacking via cross-site script inclusion due to the charset definition. The root cause: Laravel responds with the header 'Content-Type: application/json' without a charset value. Suppose an application that returns JSON responses with sensitive information in them. This behaviour must be considered a security vulnerability; also, it is good practice to include a charset definition by default in the Content-Type header.

Note

Recent versions of some browsers fixed this behaviour, but it still works when a part of the JSON response is user controlled.

Further reading about JSON hijacking using charset definitions:

Steps To Reproduce:

// Include this code snippet in a controller method and register it in the web routes:
public function index()
{
    $res = \App\MyModel::all();
    return response()->json(['data' => $res]); // sent as 'Content-Type: application/json' with no charset
}

All 7 comments

Sorry, I forgot the 'further reading', so here you can find more info about JSON hijacking in modern browsers: http://blog.portswigger.net/2016/11/json-hijacking-for-modern-web.html

I am not sure if it is a good idea to disclose this in public (normal protocol for security bugs).

@JoaquinRMtz what do you suggest here? Have a fix?

@themsaid: it looks like he suggests adding a charset definition in the Content-Type header.

Example without charset (vulnerable): header('Content-Type: application/json')
Example with charset (fixes vulnerability): header('Content-Type: application/json; charset=utf-8')

Yeah... adding a charset definition (header('Content-Type: application/json; charset=utf-8')) fixes the issue.
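The fix the thread converges on (the two header() lines above and the reproduction snippet in the issue body), written out for Laravel 5.4 as an added example. This is not the framework's or the reporter's code; it assumes a hypothetical model App\MyModel, a hypothetical controller ItemController serving a hypothetical route GET /api/items, and a hypothetical middleware class name JsonCharset. It is shown as three files in one listing.

```php
<?php
// ---- app/Http/Controllers/ItemController.php ------------------------------
// Option 1: per-response fix. JsonResponse only sets Content-Type when the
// caller did not, so a Content-Type passed in the headers argument survives,
// charset included.
namespace App\Http\Controllers;

class ItemController extends Controller
{
    public function index()
    {
        $res = \App\MyModel::all(); // hypothetical model (assumption)

        return response()->json(['data' => $res], 200, [
            'Content-Type' => 'application/json; charset=utf-8',
        ]);
    }
}

// ---- app/Http/Middleware/JsonCharset.php ----------------------------------
// Option 2: app-wide fix. Register the class in app/Http/Kernel.php (in
// $middleware for every route, or in the 'web'/'api' group). It only touches
// JSON responses that do not already declare a charset, so responses that
// set one explicitly are left alone.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class JsonCharset
{
    public function handle(Request $request, Closure $next)
    {
        $response = $next($request);

        $type = (string) $response->headers->get('Content-Type', '');

        if (stripos($type, 'application/json') === 0 && stripos($type, 'charset=') === false) {
            $response->headers->set('Content-Type', $type . '; charset=utf-8');
        }

        return $response;
    }
}

// ---- tests/Feature/JsonCharsetTest.php ------------------------------------
// Regression check: fails if a JSON endpoint ever ships without a charset again.
namespace Tests\Feature;

use Tests\TestCase;

class JsonCharsetTest extends TestCase
{
    public function testJsonResponsesDeclareCharset()
    {
        $this->get('/api/items') // hypothetical route (assumption)
            ->assertStatus(200)
            ->assertHeader('Content-Type', 'application/json; charset=utf-8');
    }
}
```

The header-level fix works because a charset declared in the response's Content-Type takes precedence over the charset attribute of the `<script>` element that includes it, so an attacker's page cannot force the body to be re-decoded under an encoding of their choosing. The middleware form is the safer default in an existing code base, since it also covers JSON returned by packages and error handlers rather than only the controllers you remember to change.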

Feel free to open a PR then. I think this issue is fixed already in all modern browsers and there's no need for any changes, but I could be wrong.

According to the linked article, from November 2016, Edge is still vulnerable.

This looks like an easy fix... imho, it would be better to close the issue only when it is really fixed.
