Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

"Anti-XSS protection" by adding )]}' before ajax response

Tags:

xss

google-plus

Google plus returns ajax requests with )]}' on first line. I heard it is protection against XSS. Are there any examples what and how could anyone do with this without that protection ?

like image 920
genesis Avatar asked Jul 12 '11 23:07

genesis

2 Answers

Here's my best guess as to what's happening here.

First off, there are other aspects of the google json format that aren't quite valid json. So, in addition to any protection purposes, they may be using this specific string to signal that the rest of the file is in google-json format and needs to be interpreted accordingly.

Using this convention also means that the data feed wont execute from a call from a script tag, nor by interpreting the javascript directly from an eval(). This ensures front end developers are passing the content through a parser, which will keep any implanted code from executing.

So to answer your question, there are two plausible attacks that this prevents, one cross-site through a script tag, but the more interesting on is within-site. Both attacks assume that:

  1. a bug exists in how user data is escaped and
  2. it is exploited in a way that allows an attacker to inject code into one of the data feeds.

As a simple example, lets say a user figured out how to take a string like example

["example"]

and changed it to "];alert('example'); 

[""];alert('example');"]

Now if when that data shows up in another user's feed, the attacker can execute arbitrary code in the user's browser. Since it's within site, cookies are being sent to the server and the attacker could automate things like sharing posts or messaging people from the user's account.

In the Google scenario, these attacks won't work for a number of reasons. The first 5 characters will cause a javascript error before the attack code is run. Plus, since developers are forced to parse the code instead of accidentally running it through an eval, this practice will prevent code from being executed anyway.

like image 141
Jason Striegel Avatar answered Oct 26 '22 08:10

Jason Striegel

As others said, it's a protection against Cross Site Script Inclusion (XSSI)

We explained this on Gruyere as:

Third, you should make sure that the script is not executable. The standard way of doing this is to append some non-executable prefix to it, like ])}while(1);. A script running in the same domain can read the contents of the response and strip out the prefix, but scripts running in other domains can't.

like image 39
methode Avatar answered Oct 26 '22 08:10

methode
Sign in to Comment

Related questions

Getting Google+ business page ID based on vanity URL
Creating GoogleApiClient for multiple activities
Strange JSON response in Google Plus
Google+ Login: How to logout - using (gapi.auth.signOut)
Google plus-one button on a page that is refreshed with AJAX
Implementing google+ sign in button to localhost with google API
placement of facebook like and google + buttons inline?
How to check whether Google User's image is default or uploaded?
Is it possible to support both Facebook Login and Google Plus login in the same iOS app?
Google + Partner Insert activity
Google Plus and OpenSocial
gapi.auth.signOut() stopped working without changes implemented
Error code 403 in Google+ api
Google Plus +1 an Google Play application?
window.googleapis is undefined
"code" : 403, and "reason" : "forbidden" exception at uploading file in google plus
how to post on google plus pages through api?
How to achieve google plus login functionality on own button in Android
Google+ Sign-In with JavaScript callback issue

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!