JSON hijacking is a web security weakness in which an endpoint returns sensitive JSON to any request that carries the victim's session cookie, without checking that the request came from the application's own pages. An attacker who can make a logged-in victim's browser load that endpoint as a script can, under the right conditions, read the returned data with JavaScript running on a page the attacker controls.
In a JSON hijack, the attacker sets up a malicious page and lures the logged-in victim to it. The page includes the target endpoint with a script tag, for example <script src="https://target.example/api/profile">; the browser sends that cross-site request with the victim's cookies and then evaluates the response body as JavaScript inside the attacker's page instead of treating it as data. Whether the data actually leaks depends on what the body looks like: a JSONP response is literally a call to a caller-chosen function, so the attacker simply defines that function; a bare JSON array is a valid JavaScript expression, and older browsers let the attacker's page override the Array constructor or define setters that fired as the literal was evaluated; a bare JSON object is a syntax error as a script and never runs.
The result is that the attacker's script, not the victim's application, ends up holding the sensitive JSON data.
Examples of JSON hijacking
A well-known class of JSON hijacks involved several social platforms that exposed user profile data through JSONP endpoints with no origin or token check. Because a JSONP response is the JSON wrapped in whatever callback name the request asked for, any page that included the endpoint as a script received the logged-in visitor's data in a callback the attacker wrote. Attackers used this to harvest private profile details and run targeted phishing campaigns.
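The following is an added example, not code from the original article or from any of the platforms it refers to. It simulates what the victim's browser does when the attacker's page includes the target endpoint with a script tag: the body is handed to the script engine and parsed as JavaScript. Here new Function() stands in for the engine, no network request is made, and the three response bodies (a bare object, a bare array, and a JSONP wrapper using an assumed callback name of leak) are constructed for the demo.

```javascript
// Added example, not code from the original article: simulate what the victim's
// browser does when an attacker's page includes the target endpoint with
// <script src="https://target.example/api/profile">. The browser fetches the URL
// with the victim's cookies and hands the body to the script engine. Here
// new Function() stands in for the engine and nothing touches the network; the
// URL above and the response bodies below are constructed for the demo.

// Constructed sample responses for a logged-in user, as the endpoint might return them.
const PLAIN_OBJECT = '{"user":"alice","email":"alice@example.test"}';
const PLAIN_ARRAY = '[' + PLAIN_OBJECT + ']';
// A JSONP endpoint wraps the same data in whatever callback name the request asked
// for (?callback=leak), so the body is a function call, not data.
const CALLBACK_NAME = 'leak';
const JSONP_BODY = `${CALLBACK_NAME}(${PLAIN_OBJECT});`;

// Evaluate a response body as a top-level script whose only visible global is the
// attacker's callback. Returns whether it parsed, the error class if it did not,
// and whatever the callback captured.
function runAsScript(body) {
  const captured = [];
  const attackerCallback = (data) => { captured.push(data); };
  try {
    // Same parse-then-execute step a <script> tag performs; a parse failure
    // means the body never runs at all.
    new Function(CALLBACK_NAME, body)(attackerCallback);
    return { parsed: true, error: null, captured };
  } catch (e) {
    return { parsed: false, error: e.constructor.name, captured };
  }
}

// Demo of the three cases:
//   object -> SyntaxError, nothing runs
//   array  -> parses and runs, but a modern engine gives the attacker no hook
//   jsonp  -> the attacker's callback receives the victim's data
for (const [label, body] of [['object', PLAIN_OBJECT], ['array', PLAIN_ARRAY], ['jsonp', JSONP_BODY]]) {
  console.log(label, runAsScript(body));
}
```

The array case is the one whose outcome has changed over time: it still parses and executes as a script today, but the constructor-override trick that once turned that into a leak no longer works in current browsers. The JSONP case needs no browser bug at all, which is why JSONP endpoints that return per-user data were the common failure.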
Preventing JSON hijacking
- Return only the sensitive data each page actually needs, and require authentication on every JSON endpoint. Encryption in transit (TLS) stops interception on the wire but does nothing against hijacking, because the victim's own browser makes the request; it is necessary, not sufficient.
- Serve JSON with Content-Type: application/json and X-Content-Type-Options: nosniff so that modern browsers refuse to execute the response as a script, and keep input validation and output encoding in place so an attacker cannot inject script into the JSON body itself.
- Never serve per-user data through JSONP or let the caller choose a callback name; if an endpoint must be reachable cross-origin, use CORS with an explicit origin allow-list instead. A Content-Security-Policy on your own pages limits what scripts they run, but it does not stop a page the attacker controls from loading your endpoint as a script.
- Use robust session management and anti-CSRF measures: require a custom request header or CSRF token that a script tag cannot supply, reject requests whose Sec-Fetch-Dest is script, set session cookies with SameSite=Lax or Strict, and make the top-level JSON value an object rather than an array, since a bare object is not valid JavaScript while a bare array is. Prefixing the body with an unparseable token such as )]}', that the legitimate client strips before parsing is a common belt-and-braces measure.
- Keep libraries and frameworks up to date, since many now apply these protections by default, and stay current on best practices.
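The following is an added example, not code from the original article or from any particular framework. It puts the server-side checks from the list above into one framework-neutral handler and pairs it with the client-side parser that strips the prefix. The handler takes a plain request object with a headers map and returns a status, headers and body; the names guardedJsonResponse, parseGuardedJson and ANTI_HIJACK_PREFIX are assumptions of this demo, and the profile record is constructed.

```javascript
// Added example, not code from the original article: a framework-neutral hardened
// JSON endpoint and the matching client-side parser. The handler takes a plain
// {headers} request object and returns {status, headers, body}. The names
// guardedJsonResponse, parseGuardedJson and ANTI_HIJACK_PREFIX are assumptions of
// this demo, and the profile data below is constructed.

// Bytes that no JavaScript parser accepts, so a <script src> include fails at the
// first token; the legitimate client strips them before JSON.parse.
const ANTI_HIJACK_PREFIX = ")]}',\n";

function lowerCaseHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), v]),
  );
}

function guardedJsonResponse(req, data) {
  const h = lowerCaseHeaders(req.headers);
  // Browsers label <script src> loads with Sec-Fetch-Dest: script; a data
  // endpoint has no business answering one.
  if (h['sec-fetch-dest'] === 'script') {
    return { status: 403, headers: {}, body: '' };
  }
  // Require a custom header. <script>, <img> and plain forms cannot add one, and a
  // cross-origin fetch()/XHR that tries is stopped by the CORS preflight unless
  // this server explicitly allows the header (it does not).
  if (h['x-requested-with'] !== 'XMLHttpRequest') {
    return { status: 403, headers: {}, body: '' };
  }
  return {
    status: 200,
    headers: {
      // Correct MIME type plus nosniff: modern browsers refuse to execute a
      // non-JavaScript, nosniff response as a script even if the checks above
      // were somehow bypassed.
      'content-type': 'application/json; charset=utf-8',
      'x-content-type-options': 'nosniff',
      'cache-control': 'no-store',
    },
    // Top-level object rather than array (a bare object literal is not a valid
    // script), plus the unparseable prefix as belt and braces.
    body: ANTI_HIJACK_PREFIX + JSON.stringify(data),
  };
}

// Client side: refuse anything that lacks the prefix, then parse the rest.
function parseGuardedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error('response is missing the anti-hijack prefix');
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Would a <script> tag even get past parsing this body? Parse only; nothing runs.
function parsesAsScript(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}

// Constructed profile record and demo calls.
const PROFILE = { user: 'alice', email: 'alice@example.test' };
console.log(guardedJsonResponse({ headers: { 'X-Requested-With': 'XMLHttpRequest' } }, PROFILE));
console.log(guardedJsonResponse({ headers: { 'Sec-Fetch-Dest': 'script' } }, PROFILE));
console.log('bare array parses as script:', parsesAsScript(JSON.stringify([PROFILE])));
console.log('guarded body parses as script:', parsesAsScript(
  guardedJsonResponse({ headers: { 'X-Requested-With': 'XMLHttpRequest' } }, PROFILE).body));
```

The layers are deliberately redundant: the custom-header and Sec-Fetch-Dest checks stop the request, nosniff stops execution if a response does go out, and the prefix plus object-shaped top level make the body useless as a script on any engine, old or new. SameSite cookies, which live in the session layer rather than this handler, remove the victim's credentials from the cross-site request in the first place.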