#0905

JSONP Callback Validation

Easy | +50 XP | A03:2021 Injection | CWE-79
Tags: XSS, JSONP, Callback

Scenario

Your API supports JSONP by wrapping the JSON response in a caller-supplied callback name: callbackName({...}).

The validateCallback function currently accepts any string, allowing an attacker to supply );alert(1);// as the callback name.

This causes the rendered response to execute );alert(1);//({...}) in any browser that loads the JSONP endpoint, resulting in XSS.

JSONP is still widely used in legacy APIs. Without strict callback validation, the attacker's script is served from your own trusted first-party domain, so browser-side XSS filters and origin-based trust offer no protection.

Your Tasks

  1. Fix validateCallback to only accept valid JavaScript identifier characters.
  2. Allow callbacks matching /^[a-zA-Z_$][a-zA-Z0-9_$.]*$/ (dots permitted for namespaced callbacks like jQuery.fn).
  3. Throw an error with message 'Invalid callback' for any other input; return the callback unchanged if valid.

Examples

Example 1: Malicious callback (bug)

validateCallback(');alert(1);//')
// returns ');alert(1);//' — XSS!

Example 2: Blocked (fix)

validateCallback(');alert(1);//')
// throws Error('Invalid callback')

Constraints

  • Throw exactly 'Invalid callback' — no other message.
  • Valid callbacks may contain dots (e.g. jQuery.ajax.success).
  • Empty strings must also be rejected.
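One way to meet the tasks and constraints above, as an added example rather than the challenge's reference solution: validateCallback applies the required regex and message, and a small renderJsonp (an assumed helper, not part of the challenge) shows the validated name being used to build the response with a script content type and U+2028/U+2029 escaping.

```javascript
// Added example, not the challenge's reference solution.
// Identifier start, then identifier chars or dots (for namespaced callbacks).
const CALLBACK_RE = /^[a-zA-Z_$][a-zA-Z0-9_$.]*$/;

function validateCallback(callback) {
  // Non-strings are rejected outright; the empty string fails the regex
  // because the first character class requires one character.
  if (typeof callback !== 'string' || !CALLBACK_RE.test(callback)) {
    throw new Error('Invalid callback');
  }
  return callback;
}

// JSON.stringify leaves U+2028/U+2029 unescaped, and they are line terminators
// in JavaScript, so escape them to keep the response a single valid statement.
function toScriptLiteral(payload) {
  return JSON.stringify(payload)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Assumed helper: build the JSONP response. The body is only assembled after
// validation, so ');alert(1);//' never reaches the template. The content type
// is JavaScript (not JSON) and nosniff stops browsers guessing another type.
function renderJsonp(callback, payload) {
  const name = validateCallback(callback);
  return {
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: `${name}(${toScriptLiteral(payload)});`,
  };
}

// True when validateCallback rejects the input with exactly the required message.
function isRejected(callback) {
  try {
    validateCallback(callback);
    return false;
  } catch (err) {
    return err instanceof Error && err.message === 'Invalid callback';
  }
}

console.log(renderJsonp('jQuery.ajax.success', { ok: true }).body);
console.log(isRejected(');alert(1);//'), isRejected(''), isRejected('jQuery.fn'));
```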
