What does an Ajax call response like 'for (;;); { json data }' mean?

Views: 135

Problem description

  


Possible Duplicate:
Why do people put code like "throw 1; <dont be evil>" and "for(;;);" in front of json responses? (http://stackoverflow.com/questions/3146798/why-do-people-put-code-like-throw-1-dont-be-evil-and-for-in-front-of)

I found this kind of syntax being used on Facebook for Ajax calls. I'm confused on the for (;;); part in the beginning of response. What is it used for?

This is the call and response:

GET http://0.131.channel.facebook.com/x/1476579705/51033089/false/p_1524926084=0

Response:

for (;;);{"t":"continue"}

Solution

Facebook has a ton of developers working internally on a lot of projects, and it is very common for someone to make a minor mistake; whether it be something as simple and serious as failing to escape data inserted into an HTML or SQL template or something as intricate and subtle as using eval (sometimes inefficient and arguably insecure) or JSON.parse (a compliant but not universally implemented extension) instead of a "known good" JSON decoder, it is important to figure out ways to easily enforce best practices on this developer population.

To face this challenge, Facebook has recently been going "all out" with internal projects designed to gracefully enforce these best practices, and to be honest the only explanation that truly makes sense for this specific case is just that: someone internally decided that all JSON parsing should go through a single implementation in their core library, and the best way to enforce that is for every single API response to get for(;;); automatically tacked on the front.

In so doing, a developer can't be "lazy": they will notice immediately if they use eval(), wonder what is up, and then realize their mistake and use the approved JSON API.

The other answers being provided seem to all fall into one of two categories:

  1. misunderstanding JSONP, or
  2. misunderstanding "JSON hijacking".

Those in the first category (which unfortunately includes the accepted answer) rely on the idea that an attacker can somehow make a request "using JSONP" to an API that doesn't support it. JSONP is a protocol that must be supported on both the server and the client: it requires the server to return something akin to myFunction({"t":"continue"}) such that the result is passed to a local function. You can't just "use JSONP" by accident.

Those in the second category are citing a very real vulnerability that has been described allowing a cross-site request forgery via <script> tags to APIs that do not use JSONP (such as this one), allowing a form of "JSON hijacking". This is done by changing the Array/Object constructor, which allows one to access the information being returned from the server without a wrapping function.

However, that is simply not possible in this case: the reason it works at all is that a bare array (one possible result of many JSON APIs, such as the famous Gmail example) is a valid expression statement, which is not true of a bare object.

In fact, the syntax for objects defined by JSON (which includes quotation marks around the field names, as seen in this example) conflicts with the syntax for blocks, and therefore cannot be used at the top-level of a script.

js> {"t":"continue"}
typein:2: SyntaxError: invalid label:
typein:2: {"t":"continue"}
typein:2: ....^

For this example to be exploitable by way of Object() constructor remapping, it would require the API to have instead returned the object inside of a set of parentheses, making it valid JavaScript (but then not valid JSON).

js> ({"t":"continue"})
[object Object]

Now, it could be that this for(;;); prefix trick is only "accidentally" showing up in this example, and is in fact being returned by other internal Facebook APIs that are returning arrays; but in this case that should really be noted, as that would then be the "real" cause for why for(;;); is appearing in this specific snippet.
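The following is an added example, not code from the answer above or from Facebook. It shows the client-side handling the answer argues for (strip the `for (;;);` prefix, then hand the rest to `JSON.parse`, never to `eval`), and it checks the syntax claims made above by compiling, but never executing, candidate response bodies with the `Function` constructor: a bare JSON object is a syntax error at statement level, a bare array is a valid expression statement, and the prefix does not make an array body unparseable, it makes it hang if anyone runs it as script. The prefix regex and function names are this example's own assumptions.

```javascript
// Added example (not from the original answer). Runs under Node.js or any
// modern browser; no network access, sample bodies are constructed inline.

// Assumed prefix shape: "for (;;);" with optional whitespace, as in the
// captured response "for (;;);{"t":"continue"}".
const GUARD_PREFIX = /^for\s*\(;;\);/;

// Safe client-side handling: require the guard, strip it, parse the rest
// with a real JSON decoder. eval() is never involved, so the guard can
// never become an infinite loop in our code path.
function parseGuardedJson(body) {
  const m = GUARD_PREFIX.exec(body);
  if (m === null) {
    // A body without the guard did not come from the guarded API; refuse it
    // rather than guessing. (Defender's choice for this example.)
    throw new Error('response is missing the for(;;); guard');
  }
  return JSON.parse(body.slice(m[0].length));
}

// Does `src` parse as a statement sequence? `new Function(src)` compiles src
// as a function body, which applies the same statement-level rules as a
// top-level script for our purposes, and it never executes the body, so a
// body containing for(;;); is compiled but does not loop.
function compilesAsScript(src) {
  try {
    new Function(src); // compile only
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample bodies used to check the claims in the answer.
const SAMPLES = {
  guardedObject: 'for (;;);{"t":"continue"}', // the captured Facebook shape
  bareObject: '{"t":"continue"}',             // block with a bad label
  parenObject: '({"t":"continue"})',          // valid JS, not valid JSON
  bareArray: '["a","b"]',                     // valid expression statement
  guardedArray: 'for (;;);["a","b"]',         // compiles, would hang if run
};

// Summarise which bodies would be accepted by a script parser versus by
// the guarded JSON path; returned as data so it can be inspected or tested.
function summarise() {
  const out = {};
  for (const [name, body] of Object.entries(SAMPLES)) {
    let parsed;
    try { parsed = JSON.stringify(parseGuardedJson(body)); }
    catch (e) { parsed = 'rejected'; }
    out[name] = { compilesAsScript: compilesAsScript(body), guardedParse: parsed };
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(summarise());
}
```

The interesting row is `guardedArray`: it compiles, so the guard is not a syntax-level block; the protection comes from the fact that any consumer executing the body as script spins forever before reaching the array, which is exactly why an engineer using `eval()` "notices immediately", as the answer puts it.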
