'for (;;); 之类的 Ajax 调用响应是什么?{json 数据}'是什么意思? [英] What does a Ajax call response like 'for (;;); { json data }' mean?
问题描述
可能的重复:
为什么人们把代码写成throw 1;"<不作恶>”和for(;;);"在 json 响应之前?
我发现这种语法在 Facebook 上用于 Ajax 调用.我对响应开头的 for (;;);
部分感到困惑.有什么用?
I found this kind of syntax being used on Facebook for Ajax calls. I'm confused on the for (;;);
part in the beginning of response. What is it used for?
这是调用和响应:
GET http://0.131.channel.facebook.com/x/1476579705/51033089/false/p_1524926084=0
回复:
for (;;);{"t":"continue"}
推荐答案
我来晚了,T.J.基本上解决了这个谜团,但我想我会分享一篇关于这个特定主题的精彩论文,其中有很好的例子,并提供了对这种机制的更深入的了解.
I'm a bit late and T.J. has basically solved the mystery, but I thought I'd share a great paper on this particular topic that has good examples and provides deeper insight into this mechanism.
这些无限循环是针对Javascript 劫持"的一种对策,这种攻击通过 Jeremiah Grossman.
These infinite loops are a countermeasure against "Javascript hijacking", a type of attack that gained public attention with an attack on Gmail that was published by Jeremiah Grossman.
这个想法既简单又漂亮:许多用户倾向于永久登录 Gmail 或 Facebook.因此,您要做的是建立一个站点,然后在恶意站点的 Javascript 中覆盖对象或数组构造函数:
The idea is as simple as beautiful: A lot of users tend to be logged in permanently in Gmail or Facebook. So what you do is you set up a site and in your malicious site's Javascript you override the object or array constructor:
function Object() {
//Make an Ajax request to your malicious site exposing the object data
}
然后您在该站点中包含一个 标记,例如
then you include a <script>
tag in that site such as
<script src="http://www.example.com/object.json"></script>
最后,您可以在恶意服务器的日志中阅读有关 JSON 对象的所有信息.
And finally you can read all about the JSON objects in your malicious server's logs.
正如承诺的那样,链接到论文.
As promised, the link to the paper.
这篇关于'for (;;); 之类的 Ajax 调用响应是什么?{json 数据}'是什么意思?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!