Last Updated : 29 Sep, 2022
JSON (JavaScript Object Notation) is a standard text-based data format. It is widely used as the transport format between a server and a web application. JSON Hijacking is a kind of network security attack in which the attacker targets a system that has access to cross-domain sensitive JSON data. The attack is similar to Cross-Site Request Forgery, with some differences: in Cross-Site Request Forgery the attacker forces the user to execute unwanted actions, whereas in JSON Hijacking the user is manipulated into opening a crafted link that reads the user's data and passes it to the attacker.
Note: Older browsers were more vulnerable to JSON Hijacking. This vulnerability has since been fixed in modern browsers, so users of modern browsers are almost safe.
Detection Methods:
- The attacker gets an authenticated user to visit a malicious page in order to read their data.
- While the user is still logged in to the target site, the malicious page tries to access the sensitive data by embedding a script tag in its HTML document, i.e.
<script src="http://<jsonsite>/abc.php"></script>
The browser runs this tag by issuing a GET request to abc.php, and the user's sensitive data is sent along with that request.
- One should also be aware of whether the targeted application is kept compatible with older applications or not.
- Check whether Access-Control-Allow-Origin is set to a specific domain or not. If not, set Access-Control-Allow-Origin to the specific trusted domain; with this in place, JSON Hijacking is not possible.
- Vulnerable JSON responses should be avoided.
JSON Hijacking Prevention:
- By returning JSON with an object on the outside: We can prevent JSON Hijacking by making the outermost value of the JSON string an object rather than an array. Some examples are:
Vulnerable:
[{ "object" : " " }] // Not inside an object, inside an array
Not Vulnerable:
{ "object" : " " } // Inside an object
{ "object" : [{ "object" : " " }] } // Inside an object
- By adding Access-Control-Allow-Origin: To prevent JSON Hijacking, we can add the Access-Control-Allow-Origin header restricted to our trusted domains. With this addition, an attacker's page outside our trusted domains can no longer read the response.
- By preventing the use of older browsers: Another method for preventing JSON Hijacking is to build a mechanism into the application that blocks older browsers, so that our application cannot be used from an older browser.
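The following Node.js example is added here to illustrate both the detection point (a bare-array response is a valid script when pulled in through a cross-site script tag) and the two prevention points above (wrapping the array in an object and restricting Access-Control-Allow-Origin to an allow-list). It is not code from the original article; the function names, the allow-list and the sample records are constructed for the demonstration.

```javascript
// Added example, not from the original article. Runs under Node.js.
// All function names, origins and sample records below are constructed here.

// A cross-site <script src="..."> include hands the response body to the
// JavaScript parser. If the body parses as a program, an old browser that let
// a page hook the Array constructor or define setters could observe its values.
// Parsing with the Function constructor (never invoking it) tells us which case
// a given response body falls into.
function isExecutableAsScript(body) {
  try {
    new Function(body); // parse only; the resulting function is never called
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample records standing in for a logged-in user's sensitive data.
const SAMPLE_RECORDS = [{ object: "alice@example.com" }, { object: "4111-xxxx" }];

// Prevention 1: make the outermost value an object, never a bare array.
// A top-level object literal with quoted keys is a syntax error when read as a
// script, so a <script> include cannot extract anything from it.
function safeJsonBody(payload) {
  const wrapped = Array.isArray(payload) ? { data: payload } : payload;
  return JSON.stringify(wrapped);
}

// Prevention 2: emit Access-Control-Allow-Origin only for an origin on the
// explicit allow-list (never "*" on an authenticated endpoint), and add
// Vary: Origin so caches do not serve one origin's header to another.
function corsHeaders(requestOrigin, allowedOrigins) {
  const headers = { "Content-Type": "application/json; charset=utf-8" };
  if (allowedOrigins.includes(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Vary"] = "Origin";
  }
  return headers;
}

// Assemble the hardened response for a request arriving from requestOrigin.
function buildResponse(payload, requestOrigin, allowedOrigins) {
  return {
    headers: corsHeaders(requestOrigin, allowedOrigins),
    body: safeJsonBody(payload),
  };
}

// Demonstration: the vulnerable shape parses as a script, the wrapped one does not.
const vulnerableBody = JSON.stringify(SAMPLE_RECORDS); // [{"object":...},...]
const hardened = buildResponse(SAMPLE_RECORDS, "https://other.example", ["https://app.example"]);
console.log("bare array executable as script:", isExecutableAsScript(vulnerableBody)); // true
console.log("wrapped object executable as script:", isExecutableAsScript(hardened.body)); // false
console.log("ACAO for unlisted origin:", hardened.headers["Access-Control-Allow-Origin"]); // undefined
```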