哪种json答案以)]}'开头 [英] What kind of json answer starts with )]}'
问题描述
我注意到,某些json查询(特别是在Google服务中)返回一个特殊的"json",它以一个关闭序列开头,然后只是一个数组结构,用方括号指定.
I have noticed that some json queries, particularly in google services, return a peculiar "json" which starts with a closing sequence and then it has just a array structure, specified with square braces.
这是哪种ajax?是否有一些库,js或py进行解析?
What kind of ajax is this? Is there some library, js or py, parsing it?
举一个更具体的例子:
>>> import json
>>> import urllib2
>>> url=urllib2.urlopen("https://plus.google.com/u/0/_/socialgraph/lookup/visible/?o=%5Bnull%2Cnull%2C%22114423404493486623226%22%5D")
>>> url.readline()
")]}'\n"
>>> url.readline()
'\n'
>>> url.readline()
'[["tsg.lac",[]\n'
,然后是一个典型的数组.因此,完整的答案是两行"header"然后是一个数组,但是"header"非常令人困惑,我想知道它是否来自标准的ajax库,或者仅仅是这些家伙的想法.
and from there, a typical array follows. The full answer is thus a two line "header" and then an array, but the "header" is very puzzling and I wonder if it comes from an standard ajax library or it is just an idea of these guys.
啊,如果您使用Chrome的开发人员工具来查看实际查询,就会看到相同的内容.因此,我被认为是一个实际的答案,而不是查询的人工产物.
Ah, if you use the developer tools of Chrome to look into the actual queries, you see the same. So I am induced to believe that it is an actual answer and not an artifact of the query.
推荐答案
Using invalid JSON at the beginning of a message is one way to defeat a combination of CSRF and a tricky attack on JavaScript's array constructor.
如果该网址返回了有效的,未包装的数组,那么您访问的任何网站都可能会使Array函数超载,在页面上放置/注入对该Google+网址的脚本引用,并在您简单地加载其私密/安全数据时页面.
If that URL returned a valid, unwrapped array, then any site you visited could overload the Array function, place/inject a script reference to that Google+ URL on the page, and harvest your private/secure data when you simply loaded their page.
Google自己的客户端代码可以在解析无效的JSON之前将其删除,因为它使用的是传统的XHR请求,从而使他们可以访问原始响应.远程站点只能通过脚本元素注入来访问它,并且没有机会在浏览器解析数据之前对其进行预处理.后者类似于JSONP的工作方式,其中Array构造函数无意间成为了回调函数.
Google's own client-side code can strip that invalid JSON out before parsing it, because it's using a traditional XHR request which gives them access to the raw response. A remote site can only access it via script element injection and has no chance to pre-process the data before the browser parses it. The latter is similar to how JSONP works, with the Array constructor unwittingly becoming the callback function.
您会在许多知名网站上看到类似的方法,这些网站会返回JSON数组以响应GET请求.例如,Facebook用for (;;);填充它们.如果您尝试在这些Facebook API上使用CSRF攻击,则浏览器仅在远程站点上输入一个无限循环,并引用Facebook的私有API.在Facebook.com上,他们的客户端代码可以在运行JSON.parse()之前将其剥离.
You'll see a similar approach on many high profile sites that return JSON arrays in response to GET requests. Facebook pads theirs with for (;;);, for example. If you try to use the CSRF attack on those Facebook APIs, the browser just enters an infinite loop on the remote site making reference to Facebook's private API. On Facebook.com, their client-side code has an opportunity to strip that off before running a JSON.parse() on it.
这篇关于哪种json答案以)]}'开头的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
