Every Bug Bounty hunter should know the evil smile of the JSONP over the browser’s Same Origin Policy.

Simgamsetti Manikanta · Apr 6 · 4 min read

In my previous write-up I explained the JSON CSRF vulnerability; now I have come up with a technique to abuse the browser's Same Origin Policy (SOP).

Introduction — JSONP & SOP:

JSONP stands for JSON with Padding. It is a JavaScript technique for requesting data from a server on another domain and accessing it without worrying about cross-domain issues. The features of JSONP are:

- JSONP does not use the XMLHttpRequest object.
- JSONP uses the <script> tag instead.
- JSONP doesn't care about the browser SOP.

Don't be confused; I will explain the above with a practical scenario.

Same Origin Policy (SOP):

SOP is a default, basic and critical web security feature; without it, the data you send over the internet would not be safe.

Actually, the same origin policy is a little more complex than that, and there are a lot of different cases you have to consider.

A simple example to understand SOP

Basically, SOP prevents scripts from one origin from accessing private data on another origin.

In the example below, we cannot access data on the “mail.google.com” domain from another origin (example.com) using an Ajax request, because of the browser's Same Origin Policy.

Actually, there are some technical possibilities for bypassing this policy, and one of those techniques is JSONP.

Let's discuss how I abused the SOP using JSONP in one of the bug bounty programs.

Observation:

Whenever I test a web application, I carefully observe its authentication mechanism. If it is cookie-based authentication, I directly look for CSRF and CORS misconfigurations.

Finally, I found a sensitive GET endpoint that reveals the account details in the response in JSON format.