5

Yesterday, I read some nice articles about how to prevent JSON hijacking with ASP.NET MVC. The rule is: never send sensitive data in JSON format over a GET request. With a simple search on Google, you can easily learn how to define a script that will be used to extract data from another user with the help of his auth cookie.

But after reading all these articles, I don't know why it's not possible to do JSON hijacking with a jQuery Ajax POST request. I read that Ajax requests are subject to the same-origin policy, but jQuery has a property to be able to do cross-domain requests.

In this case, is it possible to do JSON hijacking with a script using $.postJSON on the document ready event? If yes or no, could you explain to me exactly why?

Here is a simple bunch of code to do what I'm thinking:

```js
// Helper that issues a POST and asks jQuery to parse the response as JSON.
$.postJSON = function (url, data, callback) {
    $.post(url, data, callback, "json");
};
```

```html
<script>
    $(function () {
        $.postJSON("/VulnerableSite/ControllerName/ActionName",
            { /* some data parameters */ },
            function () {
                // Code here to send to the bad guy the data of the hacked user.
            });
    });
</script>
```

Thank you very much.

sideshowbarker
Samuel

1 Answer

8

> but jQuery has a property to be able to do cross-domain requests.

Yeah, but it works only with GET requests. You cannot do cross domain AJAX calls with POST requests. Also most modern browsers have already fixed the possibility to override the `__defineSetter__` method. The idea of this attack relies on including a `<script>` tag pointing to your website from a malicious site. But the browser sends a GET request in order to retrieve this script and not POST. That's why it is safer to use POST to transmit sensitive information with JSON.

Darin Dimitrov
  • I read in this post (http://stackoverflow.com/questions/3877309/submit-cross-domain-ajax-post-request) and he says that I can do cross-domain AJAX calls with POST requests but I won't get a response back. In any case, that answers my question: there are no vulnerabilities possible in relation to JSON if I always use POST requests. – Samuel Mar 02 '13 at 13:43
  • Is it possible to do JSON hijacking with a call to $.get instead of trying to redefine the array? All the articles that I read on the net never mention the use of jQuery to do the GET query with Ajax. – Samuel Mar 22 '13 at 12:26
  • @Samuel: No, the jQuery AJAX requests are protected by the [Same Origin Policy](http://en.wikipedia.org/wiki/Same-origin_policy). Including a ` – SilverlightFox Jan 08 '14 at 10:10
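
The server-side rule discussed in this thread (serve sensitive JSON only in response to POST, because a `<script>` include always issues a GET), sketched as an added example that is not part of the original question or answer. The names `jsonResponseFor`, `handler` and `SAMPLE_ACCOUNTS` are hypothetical, the data is constructed, and the object wrapper and `nosniff` header are common hardening steps that go beyond what the answer itself states.

```javascript
// Added example, not code from the thread. All names are hypothetical.

// Constructed sample data standing in for a user's sensitive records.
const SAMPLE_ACCOUNTS = [{ id: 1, balance: 1200 }, { id: 2, balance: 87 }];

// Decide how to answer a request for sensitive JSON.
// A <script src="..."> include always issues a GET, so refusing every
// method except POST keeps the payload out of a cross-site script include.
function jsonResponseFor(method, data) {
  if (method !== "POST") {
    return {
      status: 405,
      headers: { Allow: "POST", "Content-Type": "text/plain" },
      body: "Method Not Allowed",
    };
  }
  // Wrap a top-level array in an object: a bare JSON array parses as a
  // script on its own, while {"d": ...} is a syntax error when evaluated
  // as a script.
  const payload = Array.isArray(data) ? { d: data } : data;
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      // Asks the browser not to second-guess the declared JSON type.
      "X-Content-Type-Options": "nosniff",
    },
    body: JSON.stringify(payload),
  };
}

// Request handler with the (req, res) shape that Node's
// http.createServer accepts.
function handler(req, res) {
  const r = jsonResponseFor(req.method, SAMPLE_ACCOUNTS);
  res.writeHead(r.status, r.headers);
  res.end(r.body);
}
```
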