Menu
It is well known that Facebook uses javascript responses (JS,not json) which is prefixes with while(1) & for(;;); in order to prevent script tag to steal the json data when old browsers are being overloaded with their Array ctor & Object ctor.
But from a recent try , it seems that this is not the case anymore (for friends list , which i'm sure it was used)
Notice that now , the content-type is :
content-type: application/octet-stream
But why did they do it ? is it now safe ? ( I know that it's for older browsers , but still...).
I know that [..]'s ctor was problematic. But what about {..}'s ctor ?
Question:
Why did facebook remove the infinite-loop ? and how do they now mitigate against json hijacking ?
I mean , what happens now if <script> tag will try to fetch the "getFiriends "list ? ( in a very old browser)
NB
Worth to mention that there are still others responses with infinite loop for {..} !!
:
Also in here ( Object , with infinite loop)
624
JSON Hijacking is a kind of network security attack. In this attack, an attacker targets a system that has access to cross-domain-sensitive JSON data. This attack is similar to Cross-Site Request Forgery holding some differences.
JavaScript hijacking allows an attacker to bypass the Same Origin Policy in the case that a web application uses JavaScript to communicate confidential information. The loophole in the Same Origin Policy is that it allows JavaScript from any website to be included and executed in the context of any other website.
This attack (loading JSON as a <script>) is based on a few assumtions:
1) The JSON is itself valid JS (thats what the for(;;) changes), which also means that it may not start with a { as that is a block statement, which does not contain key-value pairs:
{ "a": 1 } // invalid JS, valid JSON *
[{ "a": 1 }] // valid JS, valid JSON
2) The browser is very old (< 1% of the total users), as constructing arrays with the literal does not call the Array function in newer browsers (ES5 support is a good estimation for those).
Therefore this attack isn't possible in this case, as the API you mentioned returns an object, therefore (1) is not fullfilled. And even if the API would return an array, only a very small amount of people could theoretically be hijacked:
1) The browser has to be very old, and then the browser itself is probably a bigger risk, and the browser has to even support JavaScript.
2) The client has to visit a malicious site, which is very unlikely due to spam filters / blacklists at various levels.
3) The user has to be logged in at facebook while visiting the malicious website.
Worth to mention that there are still others responses with infinite loop
I guess this is generally a thing of the past. It will take a while until all APIs got refactored / migrated. I assume adding/removing these 5 characters causes a significant overhead if you think at Facebook's scale.
*: If you try to load { a: 1 } you'll find out that it does not throw a SyntaxError! However this is neither valid JSON, nor does it create an object (it's a labelled 1 inside of a blocn statement).
120
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
