Is facebook suddenly safe against JSON hijacking?

It is well known that Facebook uses JavaScript responses (JS, not JSON) which are prefixed with while(1); & for(;;); in order to prevent a script tag from stealing the JSON data when old browsers are overloaded with their Array ctor & Object ctor.

But from a recent try, it seems that this is not the case anymore (for the friends list, where I'm sure it was used):

[screenshot: response headers of the friends-list request]

Notice that now the content-type is:

content-type: application/octet-stream

But why did they do it? Is it now safe? (I know that it's for older browsers, but still...)

I know that [..]'s ctor was problematic. But what about {..}'s ctor ?

Question:

Why did Facebook remove the infinite loop? And how do they now mitigate against JSON hijacking?

I mean, what happens now if a <script> tag tries to fetch the "getFriends" list? (in a very old browser)

NB

Worth mentioning that there are still other responses with an infinite loop for {..}!!:

[screenshot: response body starting with for(;;);{..}]

Also in here (Object, with infinite loop):

[screenshot: another response body starting with for(;;);{..}]

Royi Namir asked Mar 17 '19 11:03

1 Answer

This attack (loading JSON as a <script>) is based on a few assumptions:

1) The JSON is itself valid JS (that's what the for(;;) changes), which also means that it may not start with a { as that is a block statement, which does not contain key-value pairs:

 { "a": 1 } // invalid JS, valid JSON *
 [{ "a": 1 }] // valid JS, valid JSON

2) The browser is very old (< 1% of the total users), as constructing arrays with the literal does not call the Array function in newer browsers (ES5 support is a good estimation for those).

Therefore this attack isn't possible in this case, as the API you mentioned returns an object, therefore (1) is not fulfilled. And even if the API were to return an array, only a very small number of people could theoretically be hijacked:

1) The browser has to be very old, and then the browser itself is probably a bigger risk, and the browser has to even support JavaScript.

2) The client has to visit a malicious site, which is very unlikely due to spam filters / blacklists at various levels.

3) The user has to be logged in at facebook while visiting the malicious website.

Worth mentioning that there are still other responses with an infinite loop

I guess this is generally a thing of the past. It will take a while until all APIs get refactored / migrated. I assume adding/removing these 5 characters causes a significant overhead if you think about Facebook's scale.


*: If you try to load { a: 1 } you'll find out that it does not throw a SyntaxError! However this is neither valid JSON, nor does it create an object (it's a labelled 1 inside of a block statement).

Jonas Wilms answered Sep 23 '22 01:09
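The two assumptions the answer lists can be checked directly. The following is an added example written for this page (it is not code from the question, the answer, or Facebook), runnable under Node.js. It uses new Function() to ask whether a response body even parses as a JS program (the only way a <script> tag could get at it), shows how a legitimate same-origin client strips the for(;;); / while(1); guard before JSON.parse, and probes whether an array literal calls the global Array function, which the answer notes ES5+ engines no longer do. All response bodies below are constructed samples, not captured Facebook traffic.

```javascript
// Added example: checks the assumptions behind the JSON-hijacking attack
// described in the answer. Sample bodies are constructed for illustration.

const SAMPLES = {
  // Shape the question's "getFriends" call returns: an object, not an array.
  objectResponse: '{"friends":[{"id":"1"},{"id":"2"}]}',
  // The shape the attack needs: a bare array that is also a JS expression.
  arrayResponse: '[{"id":"1"},{"id":"2"}]',
  // Same array behind the infinite-loop guard the question asks about.
  guardedArray: 'for(;;);[{"id":"1"},{"id":"2"}]',
  // The footnote's case: parses as a block with a label, not as an object.
  labelledBlock: '{ a: 1 }',
};

// Assumption (1): the body must be a syntactically valid JS program.
// new Function() parses its argument as a function body without running it,
// so a guarded body (which would loop forever) is safe to test here.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// How a same-origin client consumes a guarded response: drop the known
// prefix, then JSON.parse the rest. The data is never evaluated as script,
// so an unknown prefix or non-JSON body is rejected by JSON.parse.
const GUARD_PREFIXES = ['for(;;);', 'while(1);'];
function parseGuardedJson(body) {
  for (const prefix of GUARD_PREFIXES) {
    if (body.startsWith(prefix)) {
      return JSON.parse(body.slice(prefix.length));
    }
  }
  return JSON.parse(body); // unguarded body must still be strict JSON
}

// Assumption (2): does evaluating an array literal call the global Array
// function? In ES5+ engines the literal uses the engine's intrinsic array
// constructor, so an overridden global Array sees nothing. The global is
// restored afterwards so the rest of the program is unaffected.
function arrayLiteralCallsGlobalArray() {
  const saved = globalThis.Array;
  let called = false;
  try {
    globalThis.Array = function () { called = true; };
    const probe = [1, 2, 3]; // a literal, not `new Array(1, 2, 3)`
    return called && probe.length === 3;
  } finally {
    globalThis.Array = saved;
  }
}

// Stand-alone run: print the three checks for each sample body.
if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, body] of Object.entries(SAMPLES)) {
    console.log(name, 'parses as script:', parsesAsScript(body));
  }
  console.log('guarded array parsed to', parseGuardedJson(SAMPLES.guardedArray).length, 'items');
  console.log('array literal calls global Array:', arrayLiteralCallsGlobalArray());
}
```

Note that the guard does not make the body a syntax error: for(;;);[...] still parses, and parsesAsScript reports true for it. It works because a <script> tag must execute the body to obtain the literal's value, and execution never gets past the loop. A same-origin client using XMLHttpRequest or fetch reads the text instead and can strip the prefix, which is what parseGuardedJson shows.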