
JSON Hijacking

An attack that intercepts JSON data returned by a web application by exploiting how browsers handle script responses.

JSON hijacking is an attack technique where an adversary steals sensitive JSON data from a web application by exploiting the way browsers execute scripts loaded from external origins. It targets endpoints that return JSON arrays or objects without adequate protection against cross-origin reads.

How It Works

In a classic JSON hijacking scenario, a vulnerable application serves an authenticated JSON endpoint that returns sensitive data, such as user account details or private messages. The attacker hosts a malicious page that includes a <script> tag pointing to that endpoint. When an authenticated user visits the attacker's page, their browser sends the request with cookies attached, and the JSON response is loaded as a script.

Older attack variants relied on overriding JavaScript constructors or array prototype methods to intercept the parsed data. When the browser evaluated a JSON array as a script, the overridden constructor captured each element. More modern variations target JSONP endpoints, callback parameters, or specific browser quirks that allow reading the response body across origins.

Modern browsers have largely mitigated the original vector by preventing script evaluation of pure JSON responses. However, applications that return JSON with executable JavaScript constructs, support JSONP callbacks, or lack proper Content-Type headers can still be vulnerable. Misconfigured CORS policies that allow arbitrary origins to read responses create similar exposure.

Prevention

Effective defenses include setting the Content-Type header to application/json, prepending response bodies with a prefix that is invalid as JavaScript (such as )]}' , which the legitimate same-origin client strips before parsing), using anti-CSRF tokens on sensitive endpoints, and ensuring CORS policies restrict allowed origins. Removing support for JSONP on endpoints that return sensitive data eliminates another common attack path.
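The prefix and CORS defenses above, as an added JavaScript example that is not code from the original glossary; the function names, the Node-style header objects and the sample data are this example's own assumptions:

```javascript
// Anti-hijacking prefix: a syntax error when the body is evaluated as a <script>,
// so a cross-origin <script src=...> load aborts before any element is observed.
const ANTI_HIJACK_PREFIX = ")]}',\n";

// Server side: headers and body for a sensitive JSON endpoint.
function buildProtectedResponse(data) {
  return {
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff", // stop MIME sniffing into a script type
    },
    body: ANTI_HIJACK_PREFIX + JSON.stringify(data),
  };
}

// Client side (same-origin fetch/XHR): strip the prefix, then parse.
// A body without the prefix is rejected so a misconfigured endpoint is noticed.
function parseProtectedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("missing anti-hijacking prefix");
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Check used in tests: would this body parse as a script (i.e. be loadable via <script>)?
function isScriptEvaluable(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}

// CORS for credentialed endpoints: grant only an allow-listed Origin, never "*"
// and never reflect the request's Origin unchecked.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return {}; // no cross-origin read at all
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Constructed sample data (not real account data).
const sample = [{ id: 7, email: "alice@example.test" }];
const response = buildProtectedResponse(sample);
console.log(isScriptEvaluable(JSON.stringify(sample))); // bare array: loadable as script
console.log(isScriptEvaluable(response.body));          // prefixed body: not loadable
console.log(parseProtectedJson(response.body));         // same-origin client round-trips it
```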

Why It Matters

JSON hijacking demonstrates how cross-origin browser behavior can be weaponized to exfiltrate data. Even as browsers improve their defenses, server-side misconfigurations and legacy endpoint designs continue to create opportunities for data theft. Understanding this attack is critical for anyone responsible for securing APIs that serve authenticated data.
