What does an Ajax call response like 'for (;;); { json data }' mean?


Problem description



Possible Duplicate:
Why do people put code like “throw 1; <dont be evil>” and “for(;;);” in front of json responses?

I found this kind of syntax being used on Facebook for Ajax calls. I'm confused on the for (;;); part in the beginning of response. What is it used for?

This is the call and response:

GET http://0.131.channel.facebook.com/x/1476579705/51033089/false/p_1524926084=0

Response:

for (;;);{"t":"continue"}

Solution

Facebook has a ton of developers working internally on a lot of projects, and it is very common for someone to make a minor mistake; whether it be something as simple and serious as failing to escape data inserted into an HTML or SQL template or something as intricate and subtle as using eval (sometimes inefficient and arguably insecure) or JSON.parse (a compliant but not universally implemented extension) instead of a "known good" JSON decoder, it is important to figure out ways to easily enforce best practices on this developer population.

To face this challenge, Facebook has recently been going "all out" with internal projects designed to gracefully enforce these best practices, and to be honest the only explanation that truly makes sense for this specific case is just that: someone internally decided that all JSON parsing should go through a single implementation in their core library, and the best way to enforce that is for every single API response to get for(;;); automatically tacked on the front.

In so doing, a developer can't be "lazy": they will notice immediately if they use eval(), wonder what is up, and then realize their mistake and use the approved JSON API.

The other answers being provided seem to all fall into one of two categories:

  1. misunderstanding JSONP, or
  2. misunderstanding "JSON hijacking".

Those in the first category rely on the idea that an attacker can somehow make a request "using JSONP" to an API that doesn't support it. JSONP is a protocol that must be supported on both the server and the client: it requires the server to return something akin to myFunction({"t":"continue"}) such that the result is passed to a local function. You can't just "use JSONP" by accident.

Those in the second category are citing a very real vulnerability that has been described allowing a cross-site request forgery via <script> tags to APIs that do not use JSONP (such as this one), allowing a form of "JSON hijacking". This is done by changing the Array/Object constructor, which allows one to access the information being returned from the server without a wrapping function.

However, that is simply not possible in this case: the reason it works at all is that a bare array (one possible result of many JSON APIs, such as the famous Gmail example) is a valid expression statement, which is not true of a bare object.

In fact, the syntax for objects defined by JSON (which includes quotation marks around the field names, as seen in this example) conflicts with the syntax for blocks, and therefore cannot be used at the top-level of a script.

js> {"t":"continue"}
typein:2: SyntaxError: invalid label:
typein:2: {"t":"continue"}
typein:2: ....^

For this example to be exploitable by way of Object() constructor remapping, it would require the API to have instead returned the object inside of a set of parentheses, making it valid JavaScript (but then not valid JSON).

js> ({"t":"continue"})
[object Object]

Now, it could be that this for(;;); prefix trick is only "accidentally" showing up in this example, and is in fact being returned by other internal Facebook APIs that are returning arrays; but in this case that should really be noted, as that would then be the "real" cause for why for(;;); is appearing in this specific snippet.
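As an added example, not part of the question or of the answer above: the client-side decode a guarded response needs, the server-side counterpart that emits the guard, and a parser check that confirms the answer's argument (a bare JSON object is rejected at statement level, a parenthesised object and a bare array are accepted, and a guarded array compiles but would loop forever if executed). The regular expression that tolerates whitespace between `for` and `(;;);` is my assumption, since the page shows both spellings; `jsParserAccepts` compiles through the `Function` constructor so that guarded bodies are parsed but never run.

```javascript
// Added example (not from the original question or answer): how a client
// handles a `for (;;);`-guarded JSON body, and why a bare JSON object and a
// bare JSON array behave differently when fed to the JavaScript parser.

// Facebook's guard as seen in the question: `for (;;);` before the JSON.
// Tolerating whitespace between "for" and "(" is an assumption, not a
// documented contract; the page shows both "for (;;);" and "for(;;);".
const GUARD_PREFIX = /^for\s*\(;;\);\s*/;

// Safe client-side decode: require the guard, strip it, then hand the rest
// to a real JSON decoder. Refusing bodies without the guard is what turns
// the prefix into an enforced convention rather than an optional one.
function parseGuardedJson(body) {
  const match = GUARD_PREFIX.exec(body);
  if (!match) {
    throw new Error("response lacks the for(;;); guard; refusing to parse");
  }
  return JSON.parse(body.slice(match[0].length));
}

// Server-side counterpart: emit the guard in front of the serialised value.
// The body is no longer valid JSON, so every consumer must strip the guard
// and then use JSON.parse (or another real decoder) rather than eval().
function guardJson(value) {
  return "for (;;);" + JSON.stringify(value);
}

// Does the JavaScript parser accept `src` as a statement list? The Function
// constructor compiles the source but never executes it, so a body that
// starts with `for (;;);` can be inspected without hanging the process.
function jsParserAccepts(src) {
  try {
    new Function(src); // compiled only, never called
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Classify what an eval()/<script>-style consumer would do with a body.
// "syntax-error": rejected outright. A JSON-compliant object such as
//   {"t":"continue"} at statement level is parsed as a block and fails on
//   the colon, exactly as the js> transcript in the answer shows.
// "hangs": compiles, so the guard loop runs forever and the value after it
//   is never reached. This is the defence against hijacking bare arrays.
// "evaluates": valid JavaScript whose value an attacker could capture.
function evalOutcome(body) {
  if (!jsParserAccepts(body)) return "syntax-error";
  if (GUARD_PREFIX.test(body)) return "hangs";
  return "evaluates";
}

// Demo on a constructed body shaped like the one in the question.
const demoBody = guardJson({ t: "continue" });
console.log(demoBody, "->", JSON.stringify(parseGuardedJson(demoBody)));
for (const sample of [
  '{"t":"continue"}',     // JSON object: block syntax, rejected
  '{t:"continue"}',       // unquoted key: a labelled statement, accepted
  '({"t":"continue"})',   // parenthesised: an expression, accepted
  '["a","b"]',            // bare array: an expression statement, accepted
  'for (;;);["a","b"]',   // guarded array: compiles, would loop forever
]) {
  console.log(sample, "->", evalOutcome(sample));
}
```

Two details worth noticing when running this: `JSON.parse` on the guarded body throws, which is the point (only code that knowingly strips the prefix gets the data), and a JSON-compliant object body is a syntax error even with the guard in front, because the `{"t": ...}` block fails to compile before the loop would ever run. The loop only does work for bodies that compile, such as arrays and objects with unquoted keys, which is consistent with the answer's closing suspicion that the prefix is applied uniformly and matters most for array-returning endpoints.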
