CyberCode Academy

Course 38 - Web Security Known Web Attacks | Episode 2: RCE Filter Bypassing and JSON Hijacking


Listen Later

In this lesson, you’ll learn about: bypassing weak RCE filters and understanding JSON hijacking (legacy browser vulnerability)1. Why RCE Filters Fail🔹 Common mistake:
  • Developers block specific characters (like ;)
🔹 Problem:
  • Attack surface is much larger than one delimiter
👉 Key Insight
Blacklisting single characters is not real security2. Alternative Command Operators🔹 Even if ; is blocked, others exist:
  • && → execute if first succeeds
  • || → execute if first fails
  • | → pipe output
  • & → background execution
👉 Key Insight
There are multiple ways to chain commands, not just one3. Encoding to Bypass Filters🔹 Web applications often filter raw characters🔹 Bypass technique:
  • Use URL encoding
🔹 Example:
  • && → %26%26
👉 Key Insight
Filters that don’t normalize input can be bypassed easily4. Logic-Based Exploitation🔹 Operator behavior matters:
  • && → requires success
  • || → requires failure
🔹 Attacker strategy:
  • Force first command to fail → trigger second
👉 Key Insight
Exploitation is about logic control, not just syntax5. Core Defense Principle🔹 Problem:
  • Input filtering ≠ protection
🔹 Real solution:
  • Never pass user input to system commands
👉 Key Insight
Eliminate the sink, not just sanitize input6. What is JSON Hijacking🔹 Definition:
  • A client-side data theft attack exploiting browser behavior
🔹 Related concept:
  • Similar to Cross-Site Request Forgery (CSRF)
👉 Key Insight
It abuses authenticated requests + weak browser protections7. How JSON Hijacking Works (Conceptually)🔹 Key idea:
🔹 Attack flow:
  1. Victim is logged in
  2. Attacker loads sensitive API via
  3. Browser sends cookies automatically
  4. Data is exposed to attacker-controlled logic
👉 Key Insight
Same-Origin Policy historically did not fully protect script loading8. The Role of JavaScript InternalsUsing JavaScript:🔹 Technique:
  • Override object behavior (e.g., setters)
  • Intercept sensitive values during parsing
👉 Key Insight
Attackers abused how JavaScript handled object properties9. Why JSON Hijacking Worked (Historically)🔹 Root causes:
  • Weak SOP enforcement for scripts
  • Browsers executing JSON as JavaScript
  • Sensitive data returned as raw JSON arrays
👉 Key Insight
It was a browser + API design flaw combination10. Why It’s Mostly Fixed Today🔹 Modern protections:
  • Strict Same-Origin Policy
  • CORS enforcement
  • JSON responses require proper headers
  • Safer browser engines
👉 Key Insight
This is now mostly a legacy vulnerability11. How to Prevent JSON Hijacking🔹 Best practices:
  • Use proper Content-Type: application/json
  • Avoid returning raw arrays (wrap in objects)
  • Require authentication headers (not just cookies)
  • Implement CSRF protections
👉 Key Insight
Modern API design prevents this class of attack12. Big Security Lessons🔹 From RCE:
  • Never trust user input
  • Avoid system command execution
🔹 From JSON Hijacking:
  • Don’t rely on browser behavior
  • Always enforce server-side protections
👉 Key Insight
Security failures often come from incorrect assumptionsKey Takeaways
  • RCE filters are easily bypassed with alternative operators and encoding
  • Logical execution flow is key to exploitation
  • JSON hijacking exploited legacy browser behavior
  • Modern defenses have largely mitigated it
  • Secure design > reactive filtering
Big PictureYou are learning:👉 How attackers bypass naive defenses
👉 How browser and server interactions can be abused
👉 How modern security practices evolved from past vulnerabilitiesMental ModelWeak filter → bypass → command execution
Weak browser policy → data exposure → session abuse

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
...more
View all episodesView all episodes
Download on the App Store

CyberCode AcademyBy CyberCode Academy