Why do people put code like "throw 1; <dont be evil>" and "for(;;);" in front of json responses?


Problem description

Possible duplicate:
Why does Google prepend while(1); to their JSON responses?

Google returns json like this:

throw 1; <dont be evil> { foo: bar}

and Facebook's ajax has json like this:

for(;;); {"error":0,"errorSummary": ""}

  • Why would they put code that will stop execution and make the JSON invalid?
  • If it's invalid, how do they parse it? And if you try to eval it, it will crash.
  • Do they just strip it from the string (seems expensive)?
  • Are there any security benefits to this?
  • In response to it being for security:

    If the scraper is on another domain they would have to use a script tag to get the data because XHR won't work cross-domain. Even without the for(;;); how would the attacker get the data? It's not assigned to a variable so wouldn't it just be garbage collected because there's no references to it?

    Basically to get the data cross domain they would have to do

    <script src="http://target.com/json.js"></script>
    

    But even without the crash script prepended the attacker can't use any of the JSON data without it being assigned to a variable that you can access globally (it isn't in these cases). The crash code effectively does nothing because even without it they have to use server-side scripting to use the data on their site.

Recommended answer

Even without the for(;;); how would the attacker get the data?

Attacks are based on altering the behaviour of the built-in types, in particular Object and Array, by altering their constructor function or its prototype. Then when the targeted JSON uses a {...} or [...] construct, they'll be the attacker's own versions of those objects, with potentially-unexpected behaviour.

For example, you can hack a setter-property into Object, that would betray the values written in object literals:

Object.prototype.__defineSetter__('x', function(x) {
    alert('Ha! I steal '+x);
});

Then, when
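As an added example (not part of the question or the answer above): this is how a same-origin client consumes a response that carries one of the guard prefixes discussed here, and how to check that the raw body really is unusable without that stripping step. The prefixes and the Facebook sample body come from the question; the function names are my own.

```javascript
// Added example, not from the original post.
// A guard prefix such as "for(;;);" or "throw 1; <dont be evil>" makes the
// response body useless as a <script> source: a cross-origin page that
// includes the URL via <script src=...> either loops forever or fails before
// the object literal is ever evaluated. A same-origin client fetches the body
// with XHR, strips the known prefix and hands the rest to JSON.parse, which
// builds plain data and never executes anything.

// Prefixes quoted in the question and the linked duplicate.
const GUARD_PREFIXES = ['for(;;);', 'throw 1; <dont be evil>', 'while(1);'];

// Returns the parsed JSON value. Throws if the body lacks a guard prefix,
// so an unguarded (or tampered) response is treated as an error rather
// than silently accepted.
function parseGuardedJson(body) {
  const prefix = GUARD_PREFIXES.find((p) => body.startsWith(p));
  if (prefix === undefined) {
    throw new Error('response is missing the anti-hijacking prefix');
  }
  // JSON.parse tolerates the whitespace left after the prefix.
  return JSON.parse(body.slice(prefix.length));
}

// Defender-side check: a guarded body must NOT parse as JSON on its own.
// If it does, the prefix is absent and the endpoint is exposed to plain
// script inclusion.
function isGuarded(body) {
  try {
    JSON.parse(body);
    return false;
  } catch (e) {
    return true;
  }
}

// Constructed sample body, taken from the Facebook example in the question.
// (The Google sample "{ foo: bar}" in the question is schematic and is not
// valid JSON, so it would be rejected by JSON.parse.)
const SAMPLE_BODY = 'for(;;); {"error":0,"errorSummary": ""}';
```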
