
"Anti-XSS protection" by adding )]}' before ajax response

Google Plus returns ajax requests with )]}' on the first line. I heard it is protection against XSS. Are there any examples of what anyone could do, and how, without that protection?

genesis asked Jul 12 '11 23:07


2 Answers

Here's my best guess as to what's happening here.

First off, there are other aspects of the Google JSON format that aren't quite valid JSON. So, in addition to any protection purposes, they may be using this specific string to signal that the rest of the file is in Google-JSON format and needs to be interpreted accordingly.

Using this convention also means that the data feed won't execute from a call from a script tag, nor by interpreting the JavaScript directly from an eval(). This ensures front end developers are passing the content through a parser, which will keep any implanted code from executing.

So to answer your question, there are two plausible attacks that this prevents, one cross-site through a script tag, but the more interesting one is within-site. Both attacks assume that:

  1. a bug exists in how user data is escaped and
  2. it is exploited in a way that allows an attacker to inject code into one of the data feeds.

As a simple example, let's say a user figured out how to take a string like example

["example"] 

and changed it to "];alert('example');

[""];alert('example');"]

Now, when that data shows up in another user's feed, the attacker can execute arbitrary code in the user's browser. Since it's within site, cookies are being sent to the server and the attacker could automate things like sharing posts or messaging people from the user's account.

In the Google scenario, these attacks won't work for a number of reasons. The first 5 characters will cause a JavaScript error before the attack code is run. Plus, since developers are forced to parse the code instead of accidentally running it through an eval, this practice will prevent code from being executed anyway.

Jason Striegel answered Oct 26 '22 08:10


As others said, it's a protection against Cross Site Script Inclusion (XSSI).

We explained this on Gruyere as:

Third, you should make sure that the script is not executable. The standard way of doing this is to append some non-executable prefix to it, like ])}while(1);. A script running in the same domain can read the contents of the response and strip out the prefix, but scripts running in other domains can't.

methode answered Oct 26 '22 08:10
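The behaviour both answers describe, shown as an added example that is not part of either answer: a guarded response fails to compile as a script, while a same-origin consumer strips the prefix and parses the rest as data. The function names and the sample responses are constructed for illustration.

```javascript
// Added example, not code from the answers above. All names are hypothetical.
const GUARD_PREFIXES = [")]}'", "])}while(1);"]; // the two prefixes quoted on this page

// True if a JavaScript engine accepts `text` as script source, which is what a
// cross-site <script src=...> include of the feed would need. new Function()
// only compiles the source here; the resulting function is never called.
function compilesAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Same-origin consumer: require the guard, strip it, then hand the remainder
// to JSON.parse, which treats the payload strictly as data.
function parseGuardedJson(text) {
  const prefix = GUARD_PREFIXES.find((p) => text.startsWith(p));
  if (prefix === undefined) {
    throw new Error("response is missing the anti-XSSI prefix");
  }
  return JSON.parse(text.slice(prefix.length));
}

// Constructed sample responses.
const bareFeed = '["example"]';
const guardedFeed = ")]}'\n" + bareFeed;
const whileFeed = "])}while(1);" + bareFeed;
// Constructed feed in which a broken escaper let script text follow the array.
const brokenFeed = ")]}'\n" + '[""];alert("example");';

function demo() {
  let brokenRejected = false;
  try {
    parseGuardedJson(brokenFeed);
  } catch (err) {
    brokenRejected = err instanceof SyntaxError;
  }
  return {
    bareCompiles: compilesAsScript(bareFeed),       // an unguarded array is valid script
    guardedCompiles: compilesAsScript(guardedFeed), // the prefix is a syntax error
    whileCompiles: compilesAsScript(whileFeed),
    parsed: parseGuardedJson(guardedFeed),
    brokenRejected,                                 // the parser refuses trailing code
  };
}
console.log(demo());
```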