What is the JSON method

JSONP: Scripts for cross-domain data queries

JSONP is controversial among specialists as a way of circumventing the SOP, mainly because of the increased security risk that comes with script requests. The risk arises because an additional component, whose security the embedding site cannot control, is integrated into the processes of the original website. If the contacted server has vulnerabilities that allow attackers to inject unwanted JavaScript code, the origin server is immediately exposed as well, especially since not only JSON documents (as in the example) but any kind of data can be retrieved this way.

Other well-known attack patterns that make use of the JSONP method are as follows:

  • RFD (Reflected File Download): JSONP is susceptible to so-called RFD attacks, in which users only appear to download a file from the trusted target domain. In fact, malicious files or URLs are delivered, which in most cases can be traced back to a manipulation of the callback function name.
  • CSRF / XSRF (Cross-Site Request Forgery): Since the script element ignores the same-origin policy, a malicious website can request, receive and evaluate data from other web applications. If the user is logged on to the attacked site, attackers could obtain sensitive data such as login information with such “fake” cross-domain requests.
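The following is an added example, not code from the original article: a minimal JSONP response builder in two variants. The weak variant echoes the `callback` query parameter verbatim into the script body, which is the mistake behind the script-injection and RFD patterns described above. The hardened variant restricts the callback name to a JavaScript identifier, adds the response headers commonly used against RFD, and refuses to wrap non-public data so that a cross-origin script tag cannot be used to read a logged-in user's information. The function and header names and the sample records are assumptions chosen for this illustration.

```javascript
// Added example (not from the original article): two JSONP response builders.
// Each returns a plain {status, headers, body} object so it runs without a web framework.

// Constructed sample resources. "public" marks data that may be served cross-origin;
// per-user data must never be wrapped in JSONP, because any site can load it via <script>.
const PUBLIC_RESOURCE = { public: true, data: { feed: "news", items: 3 } };
const PRIVATE_RESOURCE = { public: false, data: { user: "alice", email: "alice@example.test" } };

// Weak variant: whatever the caller sends as "callback" becomes executable JavaScript.
// A callback value such as "evil();//" turns the response into attacker-chosen code,
// and a crafted value plus a direct download produces the RFD pattern.
function buildJsonpUnsafe(callback, resource) {
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: `${callback}(${JSON.stringify(resource.data)});`,
  };
}

// Allow-list for callback names: a JavaScript identifier, optionally dotted (e.g. "app.onData"),
// with a length cap. Anything else, including parentheses, quotes or comment markers, is rejected.
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}(?:\.[A-Za-z_$][\w$]{0,63})*$/;

function isSafeCallbackName(name) {
  return typeof name === "string" && CALLBACK_RE.test(name);
}

// JSON.stringify output is valid JavaScript, but escaping U+2028/U+2029 keeps the
// script parseable even in engines that treat them as line terminators.
function toScriptSafeJson(value) {
  return JSON.stringify(value).replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
}

// Hardened variant.
function buildJsonpHardened(callback, resource) {
  if (!isSafeCallbackName(callback)) {
    return { status: 400, headers: { "Content-Type": "text/plain" }, body: "invalid callback" };
  }
  if (!resource.public) {
    // Authenticated or per-user data must not be exposed through a script-tag-loadable endpoint.
    return { status: 403, headers: { "Content-Type": "text/plain" }, body: "not available via JSONP" };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript; charset=utf-8",
      // Prevents MIME sniffing of the response as another type.
      "X-Content-Type-Options": "nosniff",
      // If the URL is opened directly, the browser saves a file with this fixed, harmless
      // name instead of a name chosen via the URL; <script> loads are unaffected.
      "Content-Disposition": "attachment; filename=\"f.txt\"",
    },
    // The leading comment keeps the response from being interpreted as a different file format.
    body: `/**/${callback}(${toScriptSafeJson(resource.data)});`,
  };
}

module.exports = { buildJsonpUnsafe, buildJsonpHardened, isSafeCallbackName, PUBLIC_RESOURCE, PRIVATE_RESOURCE };
```

Compare the two builders with the same hostile callback value: the unsafe one returns a 200 whose body starts with the attacker's text, while the hardened one returns 400 before any script is produced, and it returns 403 for the private record even with a well-formed callback.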

If you want to use JSONP scripts in your own web project, you should be certain that not only your own web server but also the server of the web application you contact is protected against such attacks and against malware of any kind. JSONP code that retrieves data from untrusted sources should therefore not be included or allowed.