Hi Folks, hope you are all fine. This writeup is about exploiting JSONP to extract private data from API endpoints and bypassing the security check done by the server.

JSONP (JSON With Padding) was created to grant cross-origin read access to JavaScript. It acts as an exception to SOP (Same Origin Policy) and allows cross-origin data access, so it can be used to bypass SOP and read cross-origin data.

Let’s have a look at how it works.

The API endpoint that returns the data is loaded in a script tag, with the name of a callback function passed in the URL, like this:

<script src="https://redact.com/api/user/profile?callback=call_me"></script>

Now we need to create the callback function whose name we passed in the script tag src (https://redact.com/api/user/profile?callback=call_me). You can name it anything; I have named it call_me.

<script>function call_me(data) {console.log(data)}</script>

Finally, the full code will look like this. First we create the callback function, and then we create the script tag, so the function already exists when the response arrives and runs.

<script>function call_me(data) {console.log(data)}</script>
<script src="https://redact.com/api/user/profile?callback=call_me"></script>

This code will log the data returned by the endpoint in the browser console.
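To make the server side of this exchange concrete, here is an added example (not code from the original post, and not from any particular product) that builds a JSONP response the weak way, next to a hardened responder that only ever returns per-user data as plain JSON. The function names, the tiny request object and the sample wallet data are all constructed for this example.

```javascript
// Added example, not from the original post. Shows what a JSONP endpoint does with
// the ?callback= parameter and what a hardened endpoint does differently.
// buildJsonpResponse, hardenedJsonpResponse, demo and the sample data are assumptions
// made for this example; the request object is a constructed stand-in for a real one.

// Constructed sample data: a per-user wallet (private) and a public status object.
const SAMPLE_WALLET = { balance: 120, currency: 'USD' };
const SAMPLE_PUBLIC = { ok: true };

// Only a plain (optionally dotted) JavaScript identifier is accepted as a callback name.
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

// Weak responder: wraps whatever data it holds in whatever callback name arrived in
// the query string. Loaded through a <script> tag, the browser executes this body,
// so the including page's call_me() receives the data. Because the <script> request
// carries the victim's cookies, that is a cross-origin read of private data.
function buildJsonpResponse(callback, data) {
  return {
    status: 200,
    headers: { 'content-type': 'application/javascript' },
    body: `${callback}(${JSON.stringify(data)});`,
  };
}

// Hardened responder. `req` is a constructed stand-in:
// { query: { callback?: string }, authenticated: boolean }.
function hardenedJsonpResponse(req, data) {
  const json = JSON.stringify(data);
  // nosniff makes browsers refuse to execute a non-JavaScript MIME type loaded via
  // <script>, so a plain application/json body is useless to a cross-origin page.
  const jsonHeaders = {
    'content-type': 'application/json',
    'x-content-type-options': 'nosniff',
  };
  const callback = req.query.callback;

  // 1. Per-user data is never padded: the callback parameter is simply ignored.
  if (req.authenticated || callback === undefined) {
    return { status: 200, headers: jsonHeaders, body: json };
  }
  // 2. For public data, the callback name must be a safe identifier.
  if (!SAFE_CALLBACK.test(callback)) {
    return {
      status: 400,
      headers: jsonHeaders,
      body: JSON.stringify({ error: 'invalid callback name' }),
    };
  }
  // 3. Public data may be padded. The leading /**/ is a common idiom so the body
  //    never starts with bytes chosen by the requester.
  return {
    status: 200,
    headers: { ...jsonHeaders, 'content-type': 'application/javascript' },
    body: `/**/${callback}(${json});`,
  };
}

// Runs both responders against the constructed requests and returns the results.
function demo() {
  const privateReq = { query: { callback: 'call_me' }, authenticated: true };
  const publicReq = { query: { callback: 'call_me' }, authenticated: false };
  const badReq = { query: { callback: 'call me' }, authenticated: false };
  return {
    weak: buildJsonpResponse('call_me', SAMPLE_WALLET),
    hardenedPrivate: hardenedJsonpResponse(privateReq, SAMPLE_WALLET),
    hardenedPublic: hardenedJsonpResponse(publicReq, SAMPLE_PUBLIC),
    hardenedBadCallback: hardenedJsonpResponse(badReq, SAMPLE_PUBLIC),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the comparison is step 1: validating the callback name is useful, but the fix for the issue described in this writeup is to stop padding authenticated responses at all. A cookie-authenticated endpoint that still honours ?callback= is readable by any page the victim visits.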

Now, how can we verify that an API endpoint is vulnerable to this JSONP issue?

For instance, we have an endpoint that displays the user’s wallet data: https://user.redact.com/payment/wallet/balance

Now add a callback query parameter to it, like this: https://user.redact.com/payment/wallet/balance?callback=call_me

If the endpoint has JSONP enabled, the response will be wrapped in a call to a function named call_me, with all the data passed as its argument, like this.
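When auditing your own endpoints, the check described above can be automated by classifying each response body. The following is an added example (not code from the original post): a helper that reports whether a body is wrapped in the supplied callback name and, if so, what JSON it carries. The function names and the sample response bodies are constructed for this example.

```javascript
// Added example, not from the original post. Classifies a response body as plain
// JSON or as JSONP wrapped in a given callback name. parseJsonpResponse, auditAll
// and SAMPLE_RESPONSES are assumptions made for this example.

// Constructed sample bodies, as an endpoint might return them for ?callback=call_me.
const SAMPLE_RESPONSES = {
  plainJson: '{"balance":120,"currency":"USD"}',
  jsonp: 'call_me({"balance":120,"currency":"USD"});',
  jsonpWithPrefix: '/**/ call_me({"balance":120,"currency":"USD"})',
  differentCallback: 'other_fn({"balance":120});',
  brokenPayload: 'call_me({balance: 120})', // padded, but the payload is not strict JSON
};

// Returns { wrapped, data }: wrapped is true when the body is a call to callbackName;
// data is the parsed JSON argument, or null when there is none or it does not parse.
function parseJsonpResponse(body, callbackName) {
  // Escape the callback name so it is matched literally inside the regex.
  const escaped = callbackName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  // Optional /**/ prefix, the callback, a parenthesised payload, optional ';'.
  const pattern = new RegExp(
    `^\\s*(?:/\\*\\*/\\s*)?${escaped}\\s*\\(([\\s\\S]*)\\)\\s*;?\\s*$`
  );
  const m = pattern.exec(body);
  if (!m) return { wrapped: false, data: null };
  try {
    return { wrapped: true, data: JSON.parse(m[1]) };
  } catch {
    return { wrapped: true, data: null };
  }
}

// Runs the classifier over a map of name -> body and returns name -> result.
function auditAll(responses, callbackName) {
  const out = {};
  for (const [name, body] of Object.entries(responses)) {
    out[name] = parseJsonpResponse(body, callbackName);
  }
  return out;
}

// A wrapped === true result on an endpoint that returns per-user data is the
// condition this writeup describes; the fix is to serve that data as plain JSON only.
console.log(JSON.stringify(auditAll(SAMPLE_RESPONSES, 'call_me'), null, 2));
```

The regex deliberately tolerates the leading /**/ and surrounding whitespace that many JSONP implementations emit, so a padded response is not misclassified as plain JSON just because of its prefix.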