Why json hijacking can be prevented using POST method?

Question

I came across the following ASP.NET MVC error, when returning json in a Get method:

This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request. To allow GET requests, set JsonRequestBehavior to AllowGet.

Apparently this vulnerability is called json Hijacking. This article explains that a website could be exploited when returning json using Get. But returning json in a Post method is safe.

Why changing Get to Post prevents this attack?

Answer 1

I was really surprised to see that so many people is trying to prove that JSON Hijacking is still a security issue. (Of course it is if you still use Firefox 2, Opera 9, or Safari 3). None of the modern browsers have this issue for a long time. The article you referred in your question is written in 2009. You can check this post for more information about how the issue was fixed. And you do not need to worry about JsonRequestBehavior just allow get and forget.

UPDATE

Sorry, I have not read the bounty question. Why changing request to post prevents json hijacking?

You can find a article here, that describes the JSON Hijacking attack steps. It goes as follow:

• Step 1: Get an authenticated user to visit a malicious page.

• Step 2: The malicious page will try and access sensitive data from the application that the user is logged into.This can be done by embedding a script tag in an HTML page since the same-origin policy does not apply to script tags.

  <script src="http://<jsonsite>/json_server.php"></script>

  The browser will make a GET request to json_server.php and any authentication cookies of the user will be sent along with the request.

  ...

You can think this scenario like that, user visits www.yoursite.com and get authenticated. After that user leaved your site and go to a malicious site. If the malicious site has a <script src="http://www.yoursite.com/some_endpoint"></script> tag, browser will make a GET request. If returned data is a JSON that site can get the sensitive data by object prototype setter. (Remember attackers will try to use SCRIPT tag not an AJAX request because same-origin policy does not apply to script tags. See Cross-origin network access rules.)

But if you change the request type of the http://www.yoursite.com/some_endpoint from GET to POST, when the browser tries to access it, your server will reject it.

Also i am leaving a old MVC Framework book here that explains concept.

Answer 2

Having the request as a POST will prevent any request coming form other domains based on CORS policy unless you configure your server to allow it, which turns this issue to another thing. GET requests on the other hand are allowed by browsers to retrieve resources, like javascript that might have sensitive data from your domain and it happen to be an array not an object.

Updated answer:

You will not actually find a source tells you how GET, POST requests are different for JSON Hijacking attacks. The difference actually is how web servers and browsers are dealing with those requests. JSON hijacking vulnerability is about malicious websites using an endpoint in your website/app that provides JSON data and response to a GET request (a request that by default allow resources, e.g js, images, text files to be download), if you change it to POST, they will not be able to include <script> that do a POST request from the src attribute, even inside the script tag POST requests will be prevented by CORS policy.

In the modern browser era we no longer have this type of vulnerability (at least in the form mentioned in the discovery article by Jeremiah Grossman) because of CORS policy.

This also referenced in other related questions