{"id":477747,"date":"2023-08-09T09:19:35","date_gmt":"2023-08-09T09:19:35","guid":{"rendered":""},"modified":"2023-09-05T11:15:18","modified_gmt":"2023-09-05T11:15:18","slug":"json-hijacking","status":"publish","type":"wiki","link":"https:\/\/oneproxy.pro\/vn\/wiki\/json-hijacking\/","title":{"rendered":"JSON hijacking"},"content":{"rendered":"<p>JSON hijacking, also called \u201cJavaScript hijacking\u201d, is a vulnerability of web applications that serve sensitive, user-specific data as JSON to logged-in users. An attacker's page loads the application's JSON endpoint with a script element, the victim's browser attaches the victim's cookies to that request, and the response is executed as JavaScript inside the attacker's page, where its values can be captured. The attack does not break the same-origin policy. That policy stops a page from reading a cross-origin response fetched with XMLHttpRequest or fetch, but it has always allowed a page to include cross-origin scripts, and a JSON response that happens to be a valid JavaScript program runs like any other script.<\/p>\n<h2>History of the origin of JSON hijacking and the first mention of it.<\/h2>\n<p>JSON hijacking was first publicly demonstrated by Jeremiah Grossman in January 2006, against the contact list that Gmail served to logged-in users as a JavaScript array. His write-up showed that any page on the web could include that endpoint as a script and read the visitor's contacts. In 2007 the technique was generalized to Ajax frameworks that returned top-level JSON arrays, notably in Fortify Software's paper \u201cJavaScript Hijacking\u201d, which gave the attack its second name. The disclosures drew attention to a gap in common practice: frameworks exchanged JSON with authenticated endpoints without considering that the response was also executable code.<\/p>\n<h2>Detailed information about JSON hijacking. Expanding the topic of JSON hijacking.<\/h2>\n<p>A JSON hijacking vulnerability needs three ingredients. First, an endpoint that returns sensitive, user-specific data and authenticates the request with something the browser sends automatically, usually a session cookie. Second, a response body that is a syntactically valid JavaScript program: a top-level array literal such as [{...}] qualifies, and so does a JSONP response of the form callback({...}), whereas a top-level object literal {\"key\":value} does not, because as a statement it is parsed as a block and fails on the first colon. Third, a way for the attacker's page to observe the values while the program runs.<\/p>\n<p>For bare arrays the third ingredient was supplied by the browsers of 2006 and 2007. The attacker's page replaced the global Array constructor with a function that recorded its arguments, or defined setters on Object.prototype for the property names it expected; when the included response was evaluated, the array and object literals invoked those hooks and leaked every value. Modern engines create literals without consulting the global Array binding and define literal properties without running inherited setters, so this direct variant no longer works in current browsers. For JSONP the third ingredient is built in: the attacker chooses the callback name, so the response hands the data straight to a function the attacker wrote, and this variant still works wherever a cookie-authenticated JSONP endpoint exists.<\/p>\n<p>Two response-side measures close the door, and they are independent of each other. A guard prefix such as \u201cwhile(1);\u201d or \u201c)]}'\u201d makes the body either non-terminating or unparseable as a script, while the application's own client strips the prefix before calling JSON.parse. Separately, sending \u201cContent-Type: application\/json\u201d together with the response header \u201cX-Content-Type-Options: nosniff\u201d tells the browser never to execute the response as a script at all; nosniff is a header, not a wrapper, and it protects the body whatever its shape.<\/p>\n<h2>The internal structure of JSON hijacking. How JSON hijacking works.<\/h2>\n<p>JSON hijacking targets applications whose authenticated endpoints return executable JSON. A successful attack proceeds as follows:<\/p>\n<ol>\n<li>The victim is logged in to the vulnerable application, so the browser holds a valid session cookie for it.<\/li>\n<li>While still logged in, the victim visits a page controlled by the attacker.<\/li>\n<li>That page includes the vulnerable endpoint as a script, for example &lt;script src=\"https:\/\/app.example\/api\/contacts\"&gt;. The browser sends the request with the victim's cookies; the same-origin policy permits script inclusion from any origin.<\/li>\n<li>The application returns the victim's data and the browser executes the response as JavaScript inside the attacker's page. In the direct variant the attacker's hooks on Array or Object.prototype receive the values (only in old browsers); in the JSONP variant the attacker-named callback receives them.<\/li>\n<li>The attacker's script forwards the captured data to a server the attacker controls. The vulnerable application's server sees nothing unusual: it received an ordinary authenticated GET.<\/li>\n<\/ol>\n
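<p>The following JavaScript is an added example and is not part of the original article or of any real application. It replays steps 3 and 4 above in Node: the response bodies are constructed stand-ins for a hypothetical cookie-authenticated contacts endpoint, and the browser's evaluation of an included script is simulated with new Function, with the names the attacker's page would define (a replacement Array constructor, a JSONP callback named showContacts) passed in as parameters. It shows that a bare array executes but leaks nothing to an Array hook in a modern engine, that a JSONP response hands the data straight to the attacker's callback, and that a top-level object fails to parse as a script.<\/p>

```javascript
// Added example, not code from the original article or from any real application.
// It simulates what an attacker's page sees when it loads a JSON endpoint with a
// script element: the browser runs the response as a program in the page's scope.
// Here new Function stands in for that evaluation, and the names the attacker's page
// would define (Array, the JSONP callback) are passed as parameters.

// Constructed response bodies of a hypothetical cookie-authenticated endpoint.
const CONTACTS = [{ email: 'alice@example.com', csrfToken: 'c5rf-t0k3n' }];
const ARRAY_BODY = JSON.stringify(CONTACTS);            // bare top-level array
const OBJECT_BODY = JSON.stringify(CONTACTS[0]);        // top-level object
const JSONP_BODY = 'showContacts(' + ARRAY_BODY + ')';  // callback name chosen by the requester

// Evaluate a response body as a script whose free names resolve to whatever the
// attacker's page defined. Returns whether it ran and, if not, the error type.
function evaluateAsScript(body, attackerScope = {}) {
  const names = Object.keys(attackerScope);
  const values = names.map((name) => attackerScope[name]);
  try {
    new Function(...names, body)(...values);
    return { executed: true, error: null };
  } catch (err) {
    return { executed: false, error: err.constructor.name };
  }
}

// Direct JSON hijacking: the page replaces Array with a constructor that records
// its arguments. In the browsers of 2006-2007 the array literal in the response
// called it; ES5 and later engines build literals without consulting the Array
// binding, so in Node (and any current browser) nothing is captured.
function directHijack(body) {
  const captured = [];
  function ArrayHook(...items) { captured.push(...items); return items; }
  const result = evaluateAsScript(body, { Array: ArrayHook });
  return { ...result, captured };
}

// JSONP hijacking: the attacker picks the callback name, so the response calls a
// function the attacker wrote with the data as its argument. No engine quirk is
// involved, which is why this variant still works against cookie-authenticated JSONP.
function jsonpHijack(body, callbackName) {
  const captured = [];
  const scope = { [callbackName]: (data) => captured.push(...data) };
  const result = evaluateAsScript(body, scope);
  return { ...result, captured };
}

// A top-level object parses as a block and fails on the first colon, so a response
// shaped this way cannot be script-included at all.
function objectResponseIsExecutable(body) {
  return evaluateAsScript(body).executed;
}

console.log('direct hijack of bare array:', directHijack(ARRAY_BODY));
console.log('JSONP hijack:', jsonpHijack(JSONP_BODY, 'showContacts'));
console.log('top-level object executable:', objectResponseIsExecutable(OBJECT_BODY));
```

<p>Run it with Node. The direct variant reports executed: true with an empty captured list, which is exactly the 2007 attack failing against a modern engine; the JSONP variant captures the contact and its token with no help from the engine; and the object-shaped body never runs. The exfiltration step is omitted because it is an ordinary request from the attacker's page to the attacker's server and adds nothing to the mechanism.<\/p>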
<h2>Analysis of the key features of JSON hijacking.<\/h2>\n<p>The key features of JSON hijacking are:<\/p>\n<ul>\n<li>Abuse of cross-origin script inclusion: the attack uses the one channel the same-origin policy has always left open, loading a cross-origin resource as a script, rather than any exemption for JSON as such.<\/li>\n<li>Dependence on ambient credentials: it only works when the browser attaches the victim's session cookie or HTTP authentication to a request the attacker's page triggered.<\/li>\n<li>Dependence on response shape: the body must be a valid JavaScript program (a bare top-level array or a JSONP call) and must not be protected by a guard prefix or by \u201cContent-Type: application\/json\u201d with \u201cX-Content-Type-Options: nosniff\u201d.<\/li>\n<li>A read-only attack: unlike CSRF it changes no state on the server; it exfiltrates data, typically contact lists, profile details or anti-CSRF tokens that then enable further attacks.<\/li>\n<\/ul>\n<h2>Types of JSON hijacking<\/h2>\n<p>JSON hijacking is usually divided into two types according to how the attacker's page gets hold of the values:<\/p>\n<ol>\n<li>\n<p><strong>Direct JSON hijacking:<\/strong> The attacker's page includes an endpoint that returns a bare JSON array and installs hooks, a replacement Array constructor or setters on Object.prototype, that receive the values while the browser evaluates the array literal. This variant depended on engine behaviour that browser vendors removed in the years after the disclosure; it does not work in current browsers, but it is the form the original 2006 demonstration took.<\/p>\n<\/li>\n<li>\n<p><strong>JSONP hijacking:<\/strong> JSONP (JSON with Padding) is a pre-CORS technique for cross-origin data access in which the server wraps its JSON in a call to a callback function named by the request, so that the result can be loaded with a script element. If a JSONP endpoint returns data that depends on the visitor's cookies, any page can request it with a callback name of its own choosing and receive the data directly; no engine quirk is needed and the attack still works today.<\/p>\n<\/li>\n<\/ol>\n<p>The table below compares the two types:<\/p>\n<table>\n<thead>\n<tr>\n<th>Type<\/th>\n<th>Method<\/th>\n<th>What the attacker needs<\/th>\n<th>Current status<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Direct JSON hijacking<\/td>\n<td>Script-include a cookie-authenticated endpoint that returns a bare array; capture values with Array or setter hooks<\/td>\n<td>A victim using a browser whose literal evaluation calls the hooks<\/td>\n<td>Historical; fixed in modern browsers, still worth preventing for defence in depth<\/td>\n<\/tr>\n<tr>\n<td>JSONP hijacking<\/td>\n<td>Script-include a cookie-authenticated JSONP endpoint with an attacker-chosen callback name<\/td>\n<td>A JSONP endpoint that returns user-specific data<\/td>\n<td>Still exploitable wherever such endpoints exist and cookies are sent cross-site<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Ways to use JSON hijacking, and problems and their solutions related to its use.<\/h2>\n<h3>Exploitation methods<\/h3>\n<p>JSON hijacking is used to read data the application only intended to show the logged-in user: address books, account and profile details, messages, internal identifiers, and anti-CSRF tokens or API keys that the front end fetches as JSON. Stolen tokens are especially valuable because they turn a read-only information leak into the ability to forge state-changing requests.<\/p>\n<h3>Problems and solutions<\/h3>\n<p>The root problem is that an authenticated JSON endpoint was reachable with ambient credentials and returned a body that doubled as a JavaScript program. Developers and site administrators can address both halves:<\/p>\n<ol>\n<li>\n<p><strong>Make the response non-executable:<\/strong> Return a top-level object rather than a bare array, or prefix every JSON response with a guard such as \u201cwhile(1);\u201d, \u201cfor(;;);\u201d or \u201c)]}'\u201d that the application's own client strips before JSON.parse. A script element that loads such a body either never finishes or fails to parse, so nothing is leaked.<\/p>\n<\/li>\n<li>\n<p><strong>Declare the response type and forbid sniffing:<\/strong> Serve JSON with \u201cContent-Type: application\/json\u201d and \u201cX-Content-Type-Options: nosniff\u201d. Browsers then refuse to execute the response as a script regardless of its shape. Do not offer JSONP at all on endpoints that return user-specific data.<\/p>\n<\/li>\n<li>\n<p><strong>Require something a script element cannot send:<\/strong> Accept JSON requests only with a custom header such as \u201cX-Requested-With\u201d, or only via POST, or reject requests whose Fetch Metadata headers say \u201cSec-Fetch-Dest: script\u201d or \u201cSec-Fetch-Site: cross-site\u201d. A cross-origin script inclusion can set none of these.<\/p>\n<\/li>\n<li>\n<p><strong>Remove the ambient credential:<\/strong> Mark session cookies SameSite=Lax or Strict so that cross-site script loads arrive unauthenticated, or authenticate API calls with a token sent in an Authorization header rather than in a cookie. Two popular measures do not help here: CORS governs only XMLHttpRequest and fetch and has no effect on script inclusion, and the vulnerable site's Content Security Policy restricts what its own pages may load, not whether other pages may load its endpoints.<\/p>\n<\/li>\n<\/ol>\n<h2>Main characteristics and other comparisons with similar terms in the form of tables and lists.<\/h2>\n<p>The table below compares JSON hijacking with related terms and concepts:<\/p>\n<table>\n<thead>\n<tr>\n<th>Term<\/th>\n<th>Description<\/th>\n<th>Difference<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>JSON hijacking<\/td>\n<td>A cross-site read: the attacker's page script-includes an authenticated JSON endpoint and captures the data the browser executes.<\/td>\n<td>Specific to responses that are valid JavaScript; no code is injected into the target application.<\/td>\n<\/tr>\n<tr>\n<td>Cross-site scripting (XSS)<\/td>\n<td>Attack that injects malicious script into the target application so that it runs in the target's origin and can read data or take over the user's session.<\/td>\n<td>XSS needs an injection flaw in the target and runs in its origin; JSON hijacking runs in the attacker's origin and needs no injection.<\/td>\n<\/tr>\n<tr>\n<td>Cross-site request forgery (CSRF)<\/td>\n<td>Attack that makes the victim's browser send a state-changing request to a trusted site using the victim's ambient credentials.<\/td>\n<td>CSRF is a cross-site write whose response the attacker cannot read; JSON hijacking is a cross-site read. Both rely on cookies being sent automatically, so the same cookie and header defences apply to both.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Perspectives and future technologies related to JSON hijacking.<\/h2>\n<p>Most of the change since 2006 has come from browsers and platform standards rather than from individual applications, and several of the directions once discussed as future work are now in place:<\/p>\n<ol>\n<li>\n<p><strong>Engine fixes for the direct variant:<\/strong> Array literals no longer call the global Array constructor and object literals no longer trigger inherited setters, which removed the hooks the original attack relied on.<\/p>\n<\/li>\n<li>\n<p><strong>Type enforcement and cross-origin read blocking:<\/strong> \u201cX-Content-Type-Options: nosniff\u201d stops a JSON response from being executed as a script, and Chromium's Cross-Origin Read Blocking withholds correctly typed cross-origin JSON bodies from script contexts altogether.<\/p>\n<\/li>\n<li>\n<p><strong>Cookie and request metadata defaults:<\/strong> Chromium-based browsers treat cookies as SameSite=Lax by default, so cross-site script loads no longer carry the session cookie, and Fetch Metadata headers let servers, or a reverse proxy or web application firewall in front of them, reject requests that a cross-site script element issued.<\/p>\n<\/li>\n<li>\n<p><strong>Token-based authentication:<\/strong> Moving API authentication from cookies to tokens such as JSON Web Tokens sent in an Authorization header removes the ambient credential. A JWT stored in a cookie gives no such benefit, because the browser still attaches it to a script request.<\/p>\n<\/li>\n<\/ol>\n<h2>How proxy servers can be used or associated with JSON hijacking.<\/h2>\n<p>A reverse proxy that sits between clients and the web server sees every request to the JSON endpoints and every response from them, which makes it a convenient place to apply the defences above uniformly, including to legacy back ends that cannot be changed:<\/p>\n<ol>\n<li>\n<p><strong>Request filtering:<\/strong> The proxy can reject requests to JSON endpoints that lack the custom header the application's front end sends, or whose Fetch Metadata headers identify them as a cross-site script load (\u201cSec-Fetch-Dest: script\u201d, \u201cSec-Fetch-Site: cross-site\u201d), returning 403 before the back end is reached.<\/p>\n<\/li>\n<li>\n<p><strong>Response hardening:<\/strong> The proxy can rewrite \u201cContent-Type\u201d to \u201capplication\/json\u201d, add \u201cX-Content-Type-Options: nosniff\u201d and \u201cCache-Control: no-store\u201d, and, where the front end is prepared to strip it, prepend a guard prefix such as \u201cwhile(1);\u201d to the body.<\/p>\n<\/li>\n<li>\n<p><strong>Cookie and CORS handling:<\/strong> The proxy can add SameSite and Secure attributes to the session cookies the back end sets. It should not try to solve JSON hijacking with CORS, which does not apply to script inclusion; in particular it must never reflect an arbitrary Origin header together with \u201cAccess-Control-Allow-Credentials: true\u201d, which would create a separate cross-origin read vulnerability for fetch and XMLHttpRequest.<\/p>\n<\/li>\n<\/ol>\n
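<p>The following JavaScript is an added example, not code from the original article or from any proxy product; it serves both the solutions listed above under Problems and solutions and the three proxy functions just described. Everything in it is constructed for illustration: the guard prefix follows the form Google uses, the header names are the standard ones (X-Requested-With, Sec-Fetch-Dest, Sec-Fetch-Site, X-Content-Type-Options), and the sample requests stand in for a same-origin fetch and for a cross-site script element. It shows a compile-only check of whether a body would run as a script, the response hardening a server or reverse proxy applies, the request gate that rejects script-element loads, and the client-side unwrapping the application's own front end must do.<\/p>

```javascript
// Added example, not code from the original article or from any product. It shows
// the response-side and request-side defences a server or a reverse proxy can apply
// to a JSON endpoint, and the client-side unwrapping that goes with them. Header
// names, the guard prefix and the sample requests are constructed for illustration.

// Guard prefix in the style Google uses: the leading close paren makes the body a
// syntax error as a script, so a script element that loads it runs nothing.
const GUARD_PREFIX = `)]}'` + String.fromCharCode(10);

// Compile-only check: does this body parse as a JavaScript program? Nothing is
// executed, so a never-terminating guard such as while(1); is safe to test.
function compilesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Server or proxy side: wrap bare arrays in an object, prepend the guard, declare
// the type and forbid sniffing. Object wrapping or the prefix alone already stops
// script inclusion; nosniff stops execution regardless of the body's shape.
function hardenJsonResponse(rawBody) {
  let value = JSON.parse(rawBody);                  // anything that is not JSON is rejected here
  if (Array.isArray(value)) value = { data: value };
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/json; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
      'Cache-Control': 'no-store',
    },
    body: GUARD_PREFIX + JSON.stringify(value),
  };
}

// Request side: a cross-site script element cannot set custom headers and is
// labelled by the browser with Sec-Fetch-Dest: script and Sec-Fetch-Site: cross-site.
// Header names are lower-cased here, as Node's http module delivers them.
function gateJsonRequest(headers) {
  if (headers['sec-fetch-dest'] === 'script') {
    return { allowed: false, reason: 'loaded as a script element' };
  }
  if (headers['sec-fetch-site'] === 'cross-site') {
    return { allowed: false, reason: 'cross-site request' };
  }
  if (headers['x-requested-with'] !== 'XMLHttpRequest') {
    return { allowed: false, reason: 'missing custom header' };
  }
  return { allowed: true, reason: 'same-origin fetch or XHR with custom header' };
}

// Client side (the application's own front end): insist on the guard, strip it,
// then parse. A body without the guard means a misconfigured or spoofed response.
function parseGuardedJson(body) {
  if (!body.startsWith(GUARD_PREFIX)) {
    throw new Error('response is missing the guard prefix');
  }
  return JSON.parse(body.slice(GUARD_PREFIX.length));
}

// Constructed sample data and requests.
const RAW_ARRAY = JSON.stringify([{ email: 'alice@example.com', csrfToken: 'c5rf-t0k3n' }]);
const LEGIT_REQUEST = {
  'sec-fetch-dest': 'empty',
  'sec-fetch-site': 'same-origin',
  'x-requested-with': 'XMLHttpRequest',
};
const SCRIPT_TAG_REQUEST = { 'sec-fetch-dest': 'script', 'sec-fetch-site': 'cross-site' };

const hardened = hardenJsonResponse(RAW_ARRAY);
console.log('bare array compiles as script:', compilesAsScript(RAW_ARRAY));
console.log('hardened body compiles as script:', compilesAsScript(hardened.body));
console.log('while(1); guard compiles:', compilesAsScript('while(1);' + RAW_ARRAY));
console.log('legit request:', gateJsonRequest(LEGIT_REQUEST));
console.log('script element request:', gateJsonRequest(SCRIPT_TAG_REQUEST));
console.log('client sees:', parseGuardedJson(hardened.body));
```

<p>Run it with Node. Note the while(1); result: that body still compiles, so the guard protects only because evaluation never finishes, whereas the )]}' prefix and the object wrapping fail at parse time. Note also that the request gate is defence in depth rather than authentication: Fetch Metadata headers are sent only by browsers that implement them, and a non-browser client can set any header it likes, so the gate is about stopping the victim's browser from being used as a courier, not about identifying the caller.<\/p>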
<h2>Related links<\/h2>\n<p>For more information about JSON hijacking and web application security, see the following resources:<\/p>\n<ol>\n<li><a href=\"https:\/\/owasp.org\/www-community\/attacks\/JSON_Hijacking\" target=\"_new\" rel=\"noopener nofollow\">OWASP: JSON Hijacking<\/a><\/li>\n<li><a href=\"https:\/\/www.jeremiahgrossman.com\/2006\/01\/advanced-web-attack-techniques-using.html\" target=\"_new\" rel=\"noopener nofollow\">Jeremiah Grossman's blog: the 2006 Gmail disclosure<\/a><\/li>\n<li><a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/Security\/Same-origin_policy\" target=\"_new\" rel=\"noopener nofollow\">Mozilla Developer Network (MDN): Same-origin policy<\/a><\/li>\n<\/ol>\n<p>Understanding JSON hijacking remains worthwhile for web application developers and administrators even though browsers have closed the original hole. The same two ingredients, ambient credentials and a response that another origin can read, recur in JSONP, in permissive CORS configurations and in other cross-site leaks. Keeping JSON endpoints non-executable, correctly typed and free of ambient authentication protects users' data against the whole family.<\/p>","protected":false},"featured_media":477748,"menu_order":0,"template":"","meta":{"_acf_changed":false,"content-type":"","inline_featured_image":false,"footnotes":""},"class_list":["post-477747","wiki","type-wiki","status-publish","has-post-thumbnail","hentry"],"acf":{"faq_title":"Frequently Asked Questions about <mark>JSON Hijacking: An Encyclopedia Article<\/mark>","faq_items":[{"question":"What is JSON hijacking?","answer":"<p>JSON hijacking, also called \"JavaScript hijacking,\" is a vulnerability in web applications that serve sensitive JSON to logged-in users. An attacker's page loads the JSON endpoint with a script element; the browser sends the victim's cookies and executes the response as JavaScript, and if the response is a bare array or a JSONP call the attacker's page can capture the data.<\/p>"},{"question":"Who discovered JSON hijacking, and when was it first mentioned?","answer":"<p>Jeremiah Grossman first demonstrated it in January 2006, against the contact list Gmail served to logged-in users as a JavaScript array. The disclosure drew attention to the risk of authenticated endpoints whose JSON is also executable code.<\/p>"},{"question":"How does JSON hijacking work?","answer":"<p>The attacker's page includes the vulnerable endpoint as a cross-origin script, which the same-origin policy allows. The browser attaches the victim's cookies, the application returns the victim's data, and the browser executes it inside the attacker's page, where hooks on Array (in old browsers) or an attacker-chosen JSONP callback receive the values and forward them to the attacker's server.<\/p>"},{"question":"What are the key features of JSON hijacking?","answer":"<p>Abuse of cross-origin script inclusion, reliance on cookies the browser sends automatically, a response body that is a valid JavaScript program (a bare top-level array or a JSONP call), and the absence of a guard prefix or of Content-Type: application\/json with X-Content-Type-Options: nosniff.<\/p>"},{"question":"What are the types of JSON hijacking?","answer":"<p>JSON hijacking can be classified into two types:<\/p><ol><li>Direct JSON hijacking: the attacker's page script-includes an endpoint that returns a bare JSON array and captures the values with a replacement Array constructor or prototype setters. This depended on old browser behaviour and no longer works.<\/li><li>JSONP hijacking: the attacker requests a cookie-authenticated JSONP endpoint with a callback name of their choosing and receives the data directly. This still works today.<\/li><\/ol>"},{"question":"How can JSON hijacking be mitigated?","answer":"<p>Return objects instead of bare arrays or prefix responses with a guard that the application's client strips; serve application\/json with X-Content-Type-Options: nosniff; require a custom header or check Fetch Metadata headers; set SameSite on session cookies or authenticate with a token in an Authorization header; and never expose user-specific data over JSONP. CORS and Content Security Policy do not prevent the attack.<\/p>"},{"question":"How does JSON hijacking differ from Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF)?","answer":"<p>JSON hijacking is a cross-site read that runs in the attacker's origin and injects nothing into the target. XSS injects script into the target application so that it runs in the target's origin. CSRF is a cross-site write: it makes the browser send a state-changing request whose response the attacker cannot read.<\/p>"},{"question":"What are the future perspectives and technologies related to JSON hijacking?","answer":"<p>Engine changes removed the hooks the direct variant relied on; X-Content-Type-Options: nosniff and cross-origin read blocking stop JSON from executing as a script; SameSite cookie defaults and Fetch Metadata headers remove or reveal cross-site script loads; and token authentication in an Authorization header replaces ambient cookies.<\/p>"},{"question":"How can proxy servers help protect against JSON hijacking?","answer":"<p>A reverse proxy can reject JSON requests that lack the front end's custom header or carry Sec-Fetch-Dest: script, enforce Content-Type: application\/json with X-Content-Type-Options: nosniff, prepend a guard prefix the front end strips, and add SameSite to the session cookies the back end sets.<\/p>"}]},"_links":{"self":[{"href":"https:\/\/oneproxy.pro\/vn\/wp-json\/wp\/v2\/wiki\/477747","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/oneproxy.pro\/vn\/wp-json\/wp\/v2\/wiki"}],"about":[{"href":"https:\/\/oneproxy.pro\/vn\/wp-json\/wp\/v2\/types\/wiki"}],"version-history":[{"count":0,"href":"https:\/\/oneproxy.pro\/vn\/wp-json\/wp\/v2\/wiki\/477747\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/oneproxy.pro\/vn\/wp-json\/wp\/v2\/media\/477748"}],"wp:attachment":[{"href":"https:\/\/oneproxy.pro\/vn\/wp-json\/wp\/v2\/media?parent=477747"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}