What kind of json answer starts with )]}' What kind of json answer starts with )]}' ajax ajax

What kind of json answer starts with )]}'


ajax google-plus-one

Using invalid JSON at the beginning of a message is one way to defeat a combination of CSRF and a tricky attack on JavaScript's array constructor.

If that URL returned a valid, unwrapped array, then any site you visited could overload the Array function, place/inject a script reference to that Google+ URL on the page, and harvest your private/secure data when you simply loaded their page.

Google's own client-side code can strip that invalid JSON out before parsing it, because it's using a traditional XHR request which gives them access to the raw response. A remote site can only access it via script element injection and has no chance to pre-process the data before the browser parses it. The latter is similar to how JSONP works, with the Array constructor unwittingly becoming the callback function.

You'll see a similar approach on many high profile sites that return JSON arrays in response to GET requests. Facebook pads theirs with for (;;);, for example. If you try to use the CSRF attack on those Facebook APIs, the browser just enters an infinite loop on the remote site making reference to Facebook's private API. On Facebook.com, their client-side code has an opportunity to strip that off before running a JSON.parse() on it.

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last