Is facebook suddenly safe against JSON hijacking?


Problem description



It is well known that Facebook uses JavaScript responses (JS, not JSON) which are prefixed with while(1) & for(;;); in order to prevent a script tag from stealing the JSON data when old browsers are being overloaded with their Array ctor & Object ctor.

But from a recent try, it seems that this is not the case anymore (for the friends list, which I'm sure it was used for).

Notice that now, the content-type is:

content-type: application/octet-stream

But why did they do it? Is it now safe? (I know that it's for older browsers, but still...).

I know that [..]'s ctor was problematic. But what about {..}'s ctor?

Question:

Why did Facebook remove the infinite loop? And how do they now mitigate against JSON hijacking?

I mean, what happens now if a <script> tag tries to fetch the "getFiriends" list? (in a very old browser)

NB

Worth mentioning that there are still other responses with an infinite loop for {..}!!:

Also in here (Object, with infinite loop)

Solution

This attack (loading JSON as a <script>) is based on a few assumptions:

1) The JSON is itself valid JS (that's what the for(;;) changes), which also means that it may not start with a { as that is a block statement, which does not contain key-value pairs:

 { "a": 1 } // invalid JS, valid JSON *
 [{ "a": 1 }] // valid JS, valid JSON

2) The browser is very old (< 1% of the total users), as constructing arrays with the literal does not call the Array function in newer browsers (ES5 support is a good estimation for those).

Therefore this attack isn't possible in this case, as the API you mentioned returns an object, therefore (1) is not fulfilled. And even if the API returned an array, only a very small number of people could theoretically be hijacked:

1) The browser has to be very old, and then the browser itself is probably a bigger risk, and the browser even has to support JavaScript.

2) The client has to visit a malicious site, which is very unlikely due to spam filters / blacklists at various levels.

3) The user has to be logged in to Facebook while visiting the malicious website.

Worth mentioning that there are still other responses with an infinite loop

I guess this is generally a thing of the past. It will take a while until all APIs get refactored / migrated. I assume adding/removing these 5 characters causes a significant overhead if you think about Facebook's scale.


*: If you try to load { a: 1 } you'll find out that it does not throw a SyntaxError! However this is neither valid JSON, nor does it create an object (it's a labelled 1 inside of a block statement).
