Firefox 浏览器附加组件
  • 扩展
  • 主题
    • 适用于 Firefox
    • 字典和语言包
    • 其他浏览器网站
    • 适用于 Android 的附加组件
登录
JSONPeek 预览

JSONPeek 作者: Hacks and Hops

Passively identify JSONP endpoints as you browse with the ability to send suspected endpoints to an exploit server for validation.

0 (0 reviews)0 (0 reviews)
12 个用户12 个用户
您需要 Firefox 来使用此扩展
下载 Firefox 并安装扩展
下载文件

扩展元数据

屏幕截图
The JSONPeek popupThe exploit server testing a provided URLAn alert box firing which indicates the endpoint is in fact JSONP
关于此扩展
Code
This addon is free and open-source software (FOSS) all code can be found here: https://github.com/ACK-J/JSONPeek/
Please report your bugs or feature requests in a GitHub issue instead of in a review.

Test if it works!
https://www.w3schools.com/js/tryit.asp?filename=tryjson_jsonp_callback

This addon passively listens for network requests which include GET parameters commonly used by JSONP endpoints. The extension popup will show you any of these detected requests. Clicking on a request in the popup will open the JSONP endpoint in a new tab for you to play around with. Additionally, there is an "exploit" button that sends the suspected JSONP url to my webserver to check if it is exploitable. The source code for the webserver can be found HERE. Multiple proof of concepts are attempted with check marks indicating success and an X indicating failure.

Why do I want to find JSONP endpoints?
The most common way to bypass a content security policy (CSP) is by finding a JSONP endpoint on a trusted domain within the CSP. JSONP takes advantage of the fact that the same-origin policy does not prevent execution of external <script> tags. Usually, a <script src="some/js/file.js"> tag represents a static script file. But you can just as well create a dynamic API endpoint, say /userdata, and have it accept a query parameter (such as ?callback=CALLBACK) which dynamically specifies a JavaScript function.

When would I need a CSP Bypass?
A Content Security Policy (CSP) bypass may be necessary in specific scenarios, typically related to web security testing or development. CSP is a security feature that helps prevent a range of attacks like Cross-Site Scripting (XSS), data injection attacks, and clickjacking by controlling which resources the browser is allowed to load and execute.

Donations
  • Monero Address: 89jYJvX3CaFNv1T6mhg69wK5dMQJSF3aG2AYRNU1ZSo6WbccGtJN7TNMAf39vrmKNR6zXUKxJVABggR4a8cZDGST11Q4yS8
评分 0(1 位用户)
登录以评价此扩展
目前尚无评分

已保存星级评分

5
0
4
0
3
0
2
0
1
0
尚无评价
权限与数据详细了解

必要权限:

  • 获取浏览器标签页
  • 访问您在所有网站的数据
更多信息
附加组件链接
  • 用户支持网站
版本
1.3
大小
78.46 KB
上次更新
10 天前 (2025年7月28日)
相关分类
  • 网页开发
  • 隐私和安全
许可证
仅 GNU 通用公共许可证 v3.0
版本历史
  • 查看所有版本
添加到收藏集
举报此附加组件
1.3 的发布说明
  • removed reliance on jsonpeek.com
Hacks and Hops 制作的更多扩展
  • 目前尚无评分

  • 目前尚无评分

  • 目前尚无评分

  • 目前尚无评分

  • 目前尚无评分

  • 目前尚无评分

转至 Mozilla 主页

附加组件

  • 关于
  • Firefox 附加组件博客
  • 扩展工坊
  • 开发者中心
  • 开发者政策
  • 社区博客
  • 论坛
  • 报告缺陷
  • 评价指南

浏览器

  • Desktop
  • Mobile
  • Enterprise

产品

  • Browsers
  • VPN
  • Relay
  • Monitor
  • Pocket
  • Bluesky (@firefox.com)
  • Instagram (Firefox)
  • YouTube (firefoxchannel)
  • 隐私
  • Cookie
  • 法律

除非另有注明,否则本网站上的内容可按知识共享 署名-相同方式共享 3.0 或更新版本使用。