Why do people put code like "throw 1; <dont be evil>" and "for(;;);" in front of json responses?
Question
Possible duplicate:
Why does Google prepend while(1); to their JSON responses?
Google returns json like this:
throw 1; <dont be evil> { foo: bar}
and Facebook's ajax has json like this:
for(;;); {"error":0,"errorSummary": ""}
- Why do they put code that will stop execution and make the json invalid?
- If it's invalid, how do they parse it, and it will crash if you try to eval it?
- Do they just strip it from the string (which seems expensive)?
- Is there any security benefit to this?
On the security side:
If the scraper is on another domain they would have to use a script
tag to get the data because XHR won't work cross-domain. Even without the for(;;);
how would the attacker get the data? It's not assigned to a variable so wouldn't it just be garbage collected because there's no references to it?
Basically to get the data cross domain they would have to do
<script src="http://target.com/json.js"></script>
But even without the crash script prepended the attacker can't use any of the Json data without it being assigned to a variable that you can access globally (it isn't in these cases). The crash code effectively does nothing because even without it they have to use server-side scripting to use the data on their site.
Accepted answer
Even without the for(;;); how would the attacker get the data?
Attacks are based on altering the behaviour of the built-in types, in particular Object and Array, by altering their constructor function or its prototype. Then when the targeted JSON uses a {...} or [...] construct, they'll be the attacker's own versions of those objects, with potentially-unexpected behaviour.
For example, you can hack a setter-property into Object, that would betray the values written in object literals:
Object.prototype.__defineSetter__('x', function(x) {
alert('Ha! I steal '+x);
});
Then when a <script> was pointed at some JSON that used that property name:
{"x": "hello"}
值 "hello"
将被泄露.
数组和对象字面量导致调用 setter 的方式是有争议的.Firefox 在 3.5 版中删除了该行为,以应对针对知名网站的公开攻击.然而,在撰写本文时,Safari (4) 和 Chrome (5) 仍然容易受到此攻击.
The way that array and object literals cause setters to be called is controversial. Firefox removed the behaviour in version 3.5, in response to publicised attacks on high-profile web sites. However at the time of writing Safari (4) and Chrome (5) are still vulnerable to this.
Another attack that all browsers now disallow was to redefine constructor functions:
Array= function() {
alert('I steal '+this);
};
[1, 2, 3]
And for now, IE8's implementation of properties (based on the ECMAScript Fifth Edition standard and Object.defineProperty) currently does not work on Object.prototype or Array.prototype.
But as well as protecting past browsers, it may be that extensions to JavaScript cause more potential leaks of a similar kind in future, and in that case chaff should protect against those too.
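As an added example (not code from the original question or answer), here is how a same-origin client consumes the chaff-prefixed responses shown above, and a parse-only check of what the same bytes mean to a cross-site script tag. The helper names and the constructed response bodies are assumptions for illustration.

```javascript
// Added example: the prefixes quoted in the thread (Facebook, Google, and the
// while(1); variant from the linked duplicate).
const CHAFF_PREFIXES = ["for(;;);", "throw 1; <dont be evil>", "while(1);"];

// Same-origin consumer: strip one known prefix, then parse the rest.
// A body with no prefix is rejected, so a misconfigured endpoint is noticed
// rather than silently accepted as ordinary JSON.
function parseChaffedJson(body) {
  const prefix = CHAFF_PREFIXES.find((p) => body.startsWith(p));
  if (prefix === undefined) {
    throw new Error("response lacks the expected anti-hijacking prefix");
  }
  return JSON.parse(body.slice(prefix.length));
}

// Server side of the same convention: prepend the chaff to serialised JSON.
function chaffJson(value) {
  return "for(;;);" + JSON.stringify(value);
}

// What a cross-site <script src=...> does with the same bytes: the engine
// parses the whole response as a program before evaluating any literal.
// "throw 1; <dont be evil>" is not valid JavaScript, so it fails at parse
// time. "for(;;);" and "while(1);" parse fine but never terminate, so they are
// only classified here, never executed. A bare array such as [1, 2, 3] is a
// valid program, which is exactly why the chaff exists.
function classifyAsScript(body) {
  if (body.startsWith("for(;;);") || body.startsWith("while(1);")) {
    return "infinite-loop";
  }
  try {
    new Function(body); // parse only; the resulting function is never called
  } catch (e) {
    if (e instanceof SyntaxError) return "syntax-error";
    throw e;
  }
  return "executable";
}
```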