Episode Details
Back to Episodes
Course 38 - Web Security Known Web Attacks | Episode 2: RCE Filter Bypassing and JSON Hijacking
Published 1 week, 2 days ago
Description
In this lesson, you’ll learn about: bypassing weak RCE filters and understanding JSON hijacking (legacy browser vulnerability)1. Why RCE Filters Fail🔹 Common mistake:
Blacklisting single characters is not real security2. Alternative Command Operators🔹 Even if ; is blocked, others exist:
There are multiple ways to chain commands, not just one3. Encoding to Bypass Filters🔹 Web applications often filter raw characters🔹 Bypass technique:
Filters that don’t normalize input can be bypassed easily4. Logic-Based Exploitation🔹 Operator behavior matters:
Exploitation is about logic control, not just syntax5. Core Defense Principle🔹 Problem:
Eliminate the sink, not just sanitize input6. What is JSON Hijacking🔹 Definition:
It abuses authenticated requests + weak browser protections7. How JSON Hijacking Works (Conceptually)🔹 Key idea:
Same-Origin Policy historically did not fully protect script loading8. The Role of JavaScript InternalsUsing JavaScript:🔹 Technique:
Attackers abused how JavaScript handled object properties9. Why JSON Hijacking Worked (Historically)🔹 Root causes:
It was a browser + API design flaw combination10. Why It’s Mostly Fixed Today🔹 Modern protections:
This is now mostly a legacy vulnerability11. How to Prevent JSON Hijacking🔹 Best practices:
Modern API design prevents this class of attack12. Big Security Lessons🔹 From RCE:
Security failures often come from incorrect assumptionsKey Takeaways
- Developers block specific characters (like ;)
- Attack surface is much larger than one delimiter
Blacklisting single characters is not real security2. Alternative Command Operators🔹 Even if ; is blocked, others exist:
- && → execute if first succeeds
- || → execute if first fails
- | → pipe output
- & → background execution
There are multiple ways to chain commands, not just one3. Encoding to Bypass Filters🔹 Web applications often filter raw characters🔹 Bypass technique:
- Use URL encoding
- && → %26%26
Filters that don’t normalize input can be bypassed easily4. Logic-Based Exploitation🔹 Operator behavior matters:
- && → requires success
- || → requires failure
- Force first command to fail → trigger second
Exploitation is about logic control, not just syntax5. Core Defense Principle🔹 Problem:
- Input filtering ≠ protection
- Never pass user input to system commands
Eliminate the sink, not just sanitize input6. What is JSON Hijacking🔹 Definition:
- A client-side data theft attack exploiting browser behavior
- Similar to Cross-Site Request Forgery (CSRF)
It abuses authenticated requests + weak browser protections7. How JSON Hijacking Works (Conceptually)🔹 Key idea:
- Victim is logged in
- Attacker loads sensitive API via
- Browser sends cookies automatically
- Data is exposed to attacker-controlled logic
Same-Origin Policy historically did not fully protect script loading8. The Role of JavaScript InternalsUsing JavaScript:🔹 Technique:
- Override object behavior (e.g., setters)
- Intercept sensitive values during parsing
Attackers abused how JavaScript handled object properties9. Why JSON Hijacking Worked (Historically)🔹 Root causes:
- Weak SOP enforcement for scripts
- Browsers executing JSON as JavaScript
- Sensitive data returned as raw JSON arrays
It was a browser + API design flaw combination10. Why It’s Mostly Fixed Today🔹 Modern protections:
- Strict Same-Origin Policy
- CORS enforcement
- JSON responses require proper headers
- Safer browser engines
This is now mostly a legacy vulnerability11. How to Prevent JSON Hijacking🔹 Best practices:
- Use proper Content-Type: application/json
- Avoid returning raw arrays (wrap in objects)
- Require authentication headers (not just cookies)
- Implement CSRF protections
Modern API design prevents this class of attack12. Big Security Lessons🔹 From RCE:
- Never trust user input
- Avoid system command execution
- Don’t rely on browser behavior
- Always enforce server-side protections
Security failures often come from incorrect assumptionsKey Takeaways
- RCE filters are easily bypassed with alternat