为什么人们把code喜欢&QUOT;扔1; &LT;不要作恶&GT;&QUOT;和&QUOT;对于(;;);&QUOT;在JSON响应的面前? [英] Why do people put code like "throw 1; <dont be evil>" and "for(;;);" in front of json responses?
问题描述
可能重复:
为什么有,而(1);在XmlHtt prequest响应?
<一href="http://stackoverflow.com/questions/2669690/why-does-google-$p$ppend-while1-to-their-json-responses">Why做谷歌prePEND,而(1);他们的JSON响应?
谷歌返回JSON是这样的:
掷1; &LT;不要作恶&GT; {FOO:巴}
和Facebook的阿贾克斯JSON是这样的:
为(;;); {错误:0,errorSummary:}
- 为什么他们把code,将停止 执行并使得无效的JSON?
- 他们怎么解析它,如果它是无效的 如果你想EVAL会崩溃 它?
- 请他们从删除它 字符串(好像贵)?
- 是否有任何的安全优势 这个?
在回应这是出于安全方面的:
如果在刮板上的另一个领域,他们将不得不使用剧本标签来获取数据,因为XHR将无法正常工作跨域。即使没有为(;;); 如何将攻击者获得数据?这不是分配给这样就不会只是被垃圾收集的变量,因为没有提到呢?
基本上得到数据跨域他们必须做的
&LT;脚本SRC =http://target.com/json.js&GT;&LT; / SCRIPT&GT;
但是,即使没有崩溃脚本prepended攻击者不能使用任何的JSON数据中没有它被分配到可全局访问(这是不是在这种情况下)的变量。飞机坠毁code用途不同不执行任何操作,因为即使没有它,他们必须使用服务器片面脚本使用在其网站上的数据。
即使没有
为(;;);如何将攻击者获取数据。
攻击是基于改变的内置类型,特别是对象和阵列,由行为改变其构造函数或其原型。然后,当有针对性的JSON使用 {...} 或 [...] 结构,他们将攻击者自己的版本,这些对象的,具有潜在的,意外的行为。
例如,你可以破解一个setter财产成对象,这将背叛写在对象文本中的值:
的Object.prototype .__ defineSetter __('X',函数(X){
警报(哈我偷!+ X);
});
然后当&LT;脚本&GT; 指出,在一些JSON所使用的属性名称:
{X:你好}
值你好会被泄露。
的方式,数组和对象字面导致setter方法被称为是有争议的。火狐删除版本3.5的行为,以应对高知名度网站公开的攻击。然而,在写这篇文章时Safari浏览器(4)和Chrome(5)仍容易受到此。
另一种攻击,所有的浏览器现在禁止了重新定义构造函数:
阵列=功能(){
警报(我偷'+本);
};
[1,2,3]
和现在,IE8的执行性能(基于ECMAScript第五版标准 Object.defineProperty )目前不会对对象的工作。原型或 Array.prototype 。
但是以及保护过去浏览器,它可以是扩展的JavaScript导致类似样在将来的更潜在的泄漏,而在这种情况下,糠应该防止那些太
Possible Duplicate:
Why have "while(1);" in XmlHttpRequest response?
Why does Google prepend while(1); to their JSON responses?
Google returns json like this:
throw 1; <dont be evil> { foo: bar}
and Facebooks ajax has json like this:
for(;;); {"error":0,"errorSummary": ""}
- Why do they put code that would stop execution and makes invalid json?
- How do they parse it if it's invalid and would crash if you tried to eval it?
- Do they just remove it from the string (seems expensive)?
- Are there any security advantages to this?
In response to it being for security purposes:
If the scraper is on another domain they would have to use a script tag to get the data because XHR won't work cross-domain. Even without the for(;;); how would the attacker get the data? It's not assigned to a variable so wouldn't it just be garbage collected because there's no references to it?
Basically to get the data cross domain they would have to do
<script src="http://target.com/json.js"></script>
But even without the crash script prepended the attacker can't use any of the Json data without it being assigned to a variable that you can access globally (it isn't in these cases). The crash code effectivly does nothing because even without it they have to use server sided scripting to use the data on their site.
Even without the
for(;;);how would the attacker get the data?
Attacks are based on altering the behaviour of the built-in types, in particular Object and Array, by altering their constructor function or its prototype. Then when the targeted JSON uses a {...} or [...] construct, they'll be the attacker's own versions of those objects, with potentially-unexpected behaviour.
For example, you can hack a setter-property into Object, that would betray the values written in object literals:
Object.prototype.__defineSetter__('x', function(x) {
alert('Ha! I steal '+x);
});
Then when a <script> was pointed at some JSON that used that property name:
{"x": "hello"}
the value "hello" would be leaked.
The way that array and object literals cause setters to be called is controversial. Firefox removed the behaviour in version 3.5, in response to publicised attacks on high-profile web sites. However at the time of writing Safari (4) and Chrome (5) are still vulnerable to this.
Another attack that all browsers now disallow was to redefine constructor functions:
Array= function() {
alert('I steal '+this);
};
[1, 2, 3]
And for now, IE8's implementation of properties (based on the ECMAScript Fifth Edition standard and Object.defineProperty) currently does not work on Object.prototype or Array.prototype.
But as well as protecting past browsers, it may be that extensions to JavaScript cause more potential leaks of a similar kind in future, and in that case chaff should protect against those too.
这篇关于为什么人们把code喜欢&QUOT;扔1; &LT;不要作恶&GT;&QUOT;和&QUOT;对于(;;);&QUOT;在JSON响应的面前?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
