Every Bug Bounty hunter should know the evil smile of JSONP over the browser's Same Origin Policy.

secureITmania, published in entersoftsecurity
4 min read, Apr 6, 2020

In my previous write-up, I explained the JSON CSRF vulnerability, and now I have come up with a technique to abuse the browser's Same Origin Policy (SOP).

Introduction — JSONP & SOP:

JSONP stands for JSON with Padding. It is a JavaScript technique for requesting data from a server on another origin: the server wraps the JSON in a call to a function the requesting page names (the "padding"), and the page loads the response as a script, so the data arrives without the cross-domain restrictions that apply to XMLHttpRequest. Its main characteristics are:

  • JSONP does not use the XMLHttpRequest object.
  • JSONP uses a <script> tag instead, with the API URL (including the callback name) as its src.
  • JSONP is therefore not blocked by the browser's SOP: a cross-origin <script> is fetched with the user's cookies (subject to the cookie's SameSite attribute) and executed in the embedding page, and the callback it invokes receives the data.

Don't be confused; I will explain the above with a practical scenario.

Same Origin Policy (SOP):

SOP is a fundamental browser security mechanism. It treats the combination of scheme, host and port as an origin, and restricts how a document or script loaded from one origin can interact with resources from another. Without it, any site you visited could read the responses your browser receives from other sites you are logged in to.

In practice the same origin policy is a little more complex than that, and there are a lot of different cases you have to consider, for example which cross-origin resources may be embedded (images, scripts, frames) even though their contents may not be read.

A simple example to understand SOP

Basically, the SOP prevents a script from one origin from reading private data on another origin. Embedding a cross-origin resource is allowed; reading its content from script is not.
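As an added example of the rule just stated (my own code, not from the original post), the following computes the (scheme, host, port) tuple the SOP compares and checks a set of constructed URL pairs. It uses Node's built-in WHATWG `URL` class; the hostnames and paths are made up, and the cases go slightly beyond the post by covering default ports and subdomains, which are the comparisons testers most often get wrong.

```javascript
// Added example (not from the original post): the origin tuple the SOP
// compares, and a same-origin check over a few constructed URL pairs.
// Parsing is done by Node's WHATWG URL class; the URLs are made up.

// An origin is the triple (scheme, host, port). The URL parser drops a port
// that is the default for the scheme, so it is filled back in here to make
// https://a.example and https://a.example:443 compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaultPorts = { 'http:': '80', 'https:': '443' };
  const port = u.port || defaultPorts[u.protocol] || '';
  return { scheme: u.protocol, host: u.hostname, port };
}

// Two URLs are same-origin only when all three components match.
// Path, query and fragment play no part in the decision.
function isSameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed cases: [page origin, resource URL, may the page read it?]
const ORIGIN_CASES = [
  ['https://shop.example/cart', 'https://shop.example/api/orders?id=1', true],
  ['https://shop.example',      'https://shop.example:443/',            true],
  ['http://shop.example',       'http://shop.example:80/login',         true],
  ['https://shop.example',      'http://shop.example',                  false],
  ['https://shop.example',      'https://api.shop.example',             false],
  ['https://shop.example',      'https://shop.example:8443',            false],
];

// Evaluate every case and report where the computed answer differs from the
// expected one; an empty list means the origin rule behaved as described.
function checkOriginCases() {
  return ORIGIN_CASES
    .map(([page, target, expected]) => ({
      page, target, expected, actual: isSameOrigin(page, target),
    }))
    .filter((r) => r.actual !== r.expected);
}
```

A plain XMLHttpRequest or fetch from the page origin to the resource URL may read the response only when `isSameOrigin` is true (or the server opts in with CORS headers, which the post does not cover). A `<script src>` pointing at the same resource is not subject to this check at all, which is the gap the JSONP section exploits.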
