
Difference between ")]}',\n" and "{} &&" in avoiding json hijacking

In reading about how to avoid JSON hijacking I've come across various methods including POSTing everything or prepending responses so they are not valid JavaScript.

The most common way to prepend seems to be to add {} && in front of your object or array. Angular suggests prepending with )]}',\n.

Why does Angular not use the more standard {} && approach? Is one not totally secure? Is one more difficult to use in JavaScript? Angular aside, is there a good reason for taking the less popular approach?

Planky asked Feb 24 '14 21:02


1 Answer

Anything that stops the JSON response being parsed as a JavaScript object or array will prevent this method of JSON Hijacking.

See this post for some methods of making your JSON secure.

However, as this answer states, it is not really an issue since Firefox 3.

Google uses an "unparseable [cruft]" to defend itself against this type of attack. It should be noted that this vulnerability has been fixed in Firefox 3, and this vulnerability arises from how browsers implement the JSON specification.

At the time of writing Google appear to prepend )]}' to their responses from Gmail.

SilverlightFox answered Oct 08 '22 19:10
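The point made in the answer, as an added example that is not part of the original post or of Angular's code: both prefixes turn the response into text that no longer compiles as a script, while a same-origin client that knows the prefix strips it before calling JSON.parse. The function names and the sample data are hypothetical.

```javascript
// Added example; names and data are constructed for illustration.
const ANGULAR_PREFIX = ")]}',\n";
const AND_PREFIX = "{} && ";

// Server side: prepend the guard to the serialized JSON body.
function protect(value, prefix) {
  return prefix + JSON.stringify(value);
}

// True if the text compiles as JavaScript, which is what a <script src>
// include of the endpoint would need. new Function only compiles the
// source here; the resulting function is never called.
function parsesAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Client side (same-origin XHR/fetch has the raw text): require the
// expected prefix, strip it, then parse the remainder as JSON.
function parseProtected(text, prefix) {
  if (!text.startsWith(prefix)) {
    throw new Error("missing anti-hijacking prefix");
  }
  return JSON.parse(text.slice(prefix.length));
}

// Constructed sample response: a top-level array, the case the
// hijacking technique relied on.
const sample = [{ id: 1, email: "user@example.test" }];

console.log("bare array compiles as script:",
  parsesAsScript(JSON.stringify(sample)));
for (const prefix of [ANGULAR_PREFIX, AND_PREFIX]) {
  const body = protect(sample, prefix);
  console.log(JSON.stringify(prefix),
    "compiles as script:", parsesAsScript(body),
    "| client recovers:", JSON.stringify(parseProtected(body, prefix)));
}
```

Both prefixed bodies fail to compile, so in this check neither prefix is weaker than the other; the practical difference is only what the client has to strip before parsing.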