Same origin method execution (SOME)
Description
Manual confirmation is required for this alert.
Same Origin Method Execution (SOME) is a client-side vulnerability in JSONP-style endpoints that reflect a user-supplied callback parameter into an executable JavaScript response. Instead of a plain function name, an attacker supplies a property path such as opener.document.forms[0].submit; when the browser loads the response as a script it runs within the vulnerable origin, so the expression resolves to, and invokes, an existing method on another window or frame of the same site that the attacker has steered the victim's browser into opening (for example a popup whose opener has been navigated to a sensitive page). The attack does not bypass the same-origin policy; it operates entirely within it, which is why CORS restrictions on the endpoint or framing protections alone do not stop it. The callback can only invoke methods that already exist on the page and cannot pass arguments of its own, but submitting a form, clicking a button or toggling a setting is often enough to change application state on the victim's behalf.
Remediation
Implement the following mitigations to prevent SOME attacks:
1. Use Static Callbacks: Do not accept a user-controlled callback function name. Emit a predefined, static callback name that the application's own scripts define.

// Vulnerable: the caller decides what the response executes, including a
// property path such as opener.document.forms[0].submit
response = request.getParameter("callback") + "(" + jsonData + ")";

// Secure: the callback name is fixed by the server
response = "predefinedCallback(" + jsonData + ")";

2. Implement Callback Whitelisting: If dynamic callbacks are necessary, validate the parameter against a strict whitelist. Restricting it to identifier characters blocks the dots and brackets a SOME payload needs to reach a method on another window, but it still lets the caller invoke any global function by its bare name; an exact list of the callback names your scripts actually define is stronger.

// Whitelist validation example (identifier characters only):
String callback = request.getParameter("callback");
String response;
if (callback != null && callback.matches("^[a-zA-Z0-9_]+$")) {
    response = callback + "(" + jsonData + ")";
} else {
    // Reject the request or fall back to a default callback
    response = "defaultCallback(" + jsonData + ")";
}

3. Use CORS Instead of JSONP: Migrate from JSONP to Cross-Origin Resource Sharing (CORS) for cross-domain communication. A CORS endpoint returns plain JSON (Content-Type: application/json) that is never executed as a script, so there is no callback to abuse, and the browser enforces which origins may read the response.
4. Implement Content Security Policy: Deploy CSP headers to restrict script execution and limit the impact of exploitation. Note that the JSONP response is served by the vulnerable origin itself, so a policy such as script-src 'self' does not block the callback from running; CSP mainly constrains what an attacker can do once a method has been invoked (for example by restricting where data can be sent), and must be combined with the fixes above.
5. Add Anti-CSRF Tokens: Require a per-session, unguessable token on sensitive callback endpoints so that an attacker cannot construct a valid URL to load the endpoint as a script. Tokens on the endpoint protect the endpoint itself; they do not protect the methods that a reflected callback could invoke on other pages, so they complement rather than replace a static or whitelisted callback.
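The following is an added example, not code from the ZAP alert or from any project; it shows in JavaScript how the three callback-handling strategies from items 1 and 2 treat typical callback values. The function names, the sample JSON payload, the allowed callback names and the sample callback values are all assumptions made for illustration; jsonpResponse() takes a URLSearchParams instance standing in for the request's query string.

```javascript
// Added example: how a JSONP endpoint's handling of the callback parameter
// decides whether a SOME payload reaches the response. All names and sample
// values below are assumptions for illustration.

// Constructed sample payload the endpoint returns to its legitimate caller.
const jsonData = JSON.stringify({ user: "alice", balance: 42 });

// 1. Vulnerable: the response executes whatever the caller sent, so a
//    property path such as opener.document.forms[0].submit is invoked as-is.
function buildVulnerable(callback) {
  return callback + "(" + jsonData + ")";
}

// 2a. Pattern whitelist: only identifier characters. Dots and brackets are
//     rejected, so the callback cannot reach a method on another window, but
//     any bare global (alert, or a helper that evaluates its argument) still
//     passes.
const IDENTIFIER = /^[A-Za-z0-9_]+$/;
function buildWithPattern(callback) {
  if (callback && IDENTIFIER.test(callback)) {
    return callback + "(" + jsonData + ")";
  }
  return "defaultCallback(" + jsonData + ")";
}

// 2b. Exact whitelist: only the callback names the application's own
//     scripts define (assumed names). Anything else falls back to the default.
const ALLOWED_CALLBACKS = new Set(["handleUserData", "defaultCallback"]);
function buildWithAllowList(callback) {
  const name = ALLOWED_CALLBACKS.has(callback) ? callback : "defaultCallback";
  return name + "(" + jsonData + ")";
}

// Classify one callback value under each strategy: "reflected" if the
// caller-chosen name is what the response will execute, "rejected" otherwise.
function classify(callback) {
  const reflected = (body) => body.startsWith(callback + "(");
  return {
    vulnerable: reflected(buildVulnerable(callback)) ? "reflected" : "rejected",
    pattern: reflected(buildWithPattern(callback)) ? "reflected" : "rejected",
    allowList: reflected(buildWithAllowList(callback)) ? "reflected" : "rejected",
  };
}

// Hardened response for a request, built from its query string. The body is
// explicitly JavaScript (it is meant to run), so the content type says so and
// nosniff stops it being reinterpreted as anything else.
function jsonpResponse(query) {
  const callback = query.get("callback");
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    body: buildWithAllowList(callback),
  };
}

// Constructed sample callback values: a SOME property path, a bare global,
// and a legitimate callback name.
const SAMPLES = ["opener.document.forms[0].submit", "alert", "handleUserData"];
for (const sample of SAMPLES) {
  console.log(sample, classify(sample));
}
console.log(jsonpResponse(new URLSearchParams("callback=alert")).body);
```

Running the block prints, for each sample, which strategies reflect it: the property path is reflected only by the vulnerable builder, alert passes the identifier pattern but not the exact whitelist, and handleUserData is accepted by both whitelists. The pattern check is therefore enough to stop the opener-based SOME payload, while the exact whitelist also closes off invoking arbitrary globals.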