Penetration Testing mailing list archives

JSON Hijacking


From: Ricardo Iramar dos Santos <riramar () gmail com>
Date: Wed, 24 Feb 2016 18:22:16 -0300

Hi All,

Do you guys know if JSON Hijacking is still possible?
It seems the method __defineSetter__ has been deprecated, but I've been
seeing some posts saying that it's still possible to override the constructor.
I tried using the JavaScript below but got neither an error on the console nor an alert popup.

<script>
// Hook a setter for "id" on Object.prototype, hoping it fires while the
// remote JSON is evaluated as script. "obj" is the value assigned to "id".
Object.defineProperty(Object.prototype, 'id', {
  set: function(obj) {
    for (var i in obj) {
      alert(i + '=' + obj[i]);
    }
  }
});
</script>
<script src="https://blah.returning.json"></script>

Thanks!
Ricardo Iramar
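The two checks below are an added example, not code from Ricardo's post: a Node.js script that (1) shows the Object.prototype setter never fires when an array of objects is evaluated as script under ES5+ semantics, because object literals define their properties directly instead of going through inherited setters, and (2) tests whether a response body could be pulled in with a script tag at all. The sample bodies are constructed, not taken from any real endpoint.

```javascript
// Constructed sample response bodies (not real endpoints).
const BODY_ARRAY = '[{"id": 1, "name": "alice"}, {"id": 2, "name": "bob"}]';
// Wrapping the array in an object makes the body a SyntaxError as a script:
// "{" opens a block and a string literal followed by ":" cannot parse.
const BODY_OBJECT = '{"data": ' + BODY_ARRAY + '}';
// An anti-hijacking prefix the client strips before JSON.parse has the same effect.
const BODY_PREFIXED = ")]}',\n" + BODY_ARRAY;

// Installs a setter on Object.prototype.id, evaluates the body as a script
// (new Function parses and runs it the way <script src> would) and returns
// every value the setter captured. An empty array means the setter never ran.
function leakedViaSetter(body) {
  const captured = [];
  Object.defineProperty(Object.prototype, 'id', {
    configurable: true,
    set(value) { captured.push(value); },
  });
  try {
    new Function(body)();
  } catch (e) {
    // SyntaxError: the body is not a valid script, so nothing executed.
  } finally {
    delete Object.prototype.id; // always remove the hook again
  }
  return captured;
}

// Returns true if the body parses as a JavaScript program, i.e. a <script src>
// load of it would not fail with a SyntaxError. A bare top-level array is a
// valid expression statement; a top-level object literal or prefixed body is not.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false;
  }
}

console.log('setter captured:', leakedViaSetter(BODY_ARRAY));   // []
console.log('array parses as script:', parsesAsScript(BODY_ARRAY));     // true
console.log('object parses as script:', parsesAsScript(BODY_OBJECT));   // false
console.log('prefixed parses as script:', parsesAsScript(BODY_PREFIXED)); // false
```

The first check is why the posted hook stays silent in current engines; the second is the property to verify on an endpoint that returns a top-level array, since serving an object or a prefix makes the body unloadable as script regardless of engine behaviour.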
