XSS via JSONP

JSONP (JSON with Padding)

A technique to load cross-origin data before CORS existed.

Works by creating a <script> tag that points to a URL in a web application, e.g.:

<script src="https://example.com/api?callback=myFunction"></script>

The server responds with:

myFunction({ "name": "Alice" });

The web page executes it as JS directly on your page, calling myFunction callback.

CSP misconfiguration

• https://apis.trusted.com JSONP endpoint is trusted by CSP

  Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.trusted.com;

• A trusted external script is the following one

  <script src="https://apis.trusted.com/getUser?callback=cb"></script>

• The server responds with:

  cb({ "name": "evil" });

XSS

• The attacker injects the following HTML code:

  <script src="https://apis.trusted.com/getUser?callback=cb"></script>

• The server responds with:

  alert({ "name": "evil" });