Hello People,
Can I still report JSONP endpoints that let me set the callback I want?
Or after two years no more users can be attacked with this scenario?
Thanks
I think you’d need to supply a PoC that demonstrates that the vulnerability still works and can affect a user.
According to this writeup, Flash was patched in 2014 to fix that specific issue: https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
Thanks for the reply Andy,
But now I have learned a lesson: never report Rosetta Flash again,
Never do it
Regards
If you can influence the way the JSONP endpoint is used it might be exploitable. For example, if a web page calls a JSONP service to get information about a location.
Let’s say loading (1) triggers a JSONP call to (2):
(1) //webpage.com/?country=countryname
==> (2) //jsonppage.com/getlocation?callback=jquery326487&loc=countryname
If the JSONP URL (2) is built up by appending everything after ‘=’ in the query string (‘countryname’) from (1) you might get:
(1) //webpage.com/?country=countryname&callback=alert(1)
==> (2) //jsonppage.com/getlocation?callback=jquery326487&loc=countryname&callback=alert(1)
If the parsing of the countryname parameter in (1) doesn’t work correctly, or if no encoding/escaping is applied when building (2), the second callback parameter can, if you’re lucky, overwrite the first one, and you have a reflected XSS.
Also, the JSONP data might contain tokens or other secret information only available to an authenticated user (i.e. if login cookies are available in the request) that you can load using a script tag and then just read.
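An added JavaScript example (not code from this thread) showing the naive URL builder that produces the polluted URL above, the encoded builder that prevents it, and the callback-name check a JSONP endpoint should apply. The host names and the jquery326487 callback are the thread's illustrative values; the function names are assumptions of mine.

```javascript
// Added example, not from the thread: the parameter-pollution case above
// arises from a naive URL builder; two checks prevent it.
// Host names and the jquery326487 callback are the thread's illustrative values.

// Naive builder: pastes the raw 'country' value from (1) into the JSONP URL (2).
function buildJsonpUrlNaive(countryValue) {
  return "//jsonppage.com/getlocation?callback=jquery326487&loc=" + countryValue;
}

// Hardened builder: percent-encodes the value so '&' and '=' inside it
// cannot introduce a second 'callback' parameter.
function buildJsonpUrlSafe(countryValue) {
  const params = new URLSearchParams({ callback: "jquery326487", loc: countryValue });
  return "//jsonppage.com/getlocation?" + params.toString();
}

// Mimics a server that honours the *last* occurrence of a repeated parameter
// (the behaviour the post relies on; other servers take the first one).
function lastParam(url, name) {
  const query = url.slice(url.indexOf("?") + 1);
  return new URLSearchParams(query).getAll(name).pop() ?? null;
}

// Server-side check for the JSONP endpoint itself: only accept a plain
// (optionally dotted) JavaScript identifier, so "alert(1)" is rejected
// even if it does reach the endpoint.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
function isSafeCallbackName(name) {
  return typeof name === "string" && name.length <= 64 && CALLBACK_RE.test(name);
}

// Constructed input: the polluted country value from the post.
const polluted = "countryname&callback=alert(1)";
console.log(lastParam(buildJsonpUrlNaive(polluted), "callback")); // alert(1)
console.log(lastParam(buildJsonpUrlSafe(polluted), "callback"));  // jquery326487
console.log(isSafeCallbackName("alert(1)"));                      // false
```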