tags:

views:

32

answers:

1
+2  Q: 

What is the point to put deadlock code ahead of JSON in HTTP response?

When sniffing Gmail and Facebook traffic, I found there are leading deadlock code before JSON response of XmlHttpRequest.

For example

for (;;);{"t":"continue"}

and

while(1); [["v","nW3OxUDq0kU.en.","8","51bec53f21305d9c"],["di",86]]

What is the purpose of this "for(;;);" and "while(1);" deadlock?

+2  A: 

It's to prevent people from remotely getting to that data from a remote domain by creating a <script> to request it. Of course it has no effect on an XMLHttpRequest because with it you can just skip the infinite loop.

Matti Virkkunen  2010-04-02 08:23:30
Can you make a example of harm without this deadlock?
Morgan Cheng  2010-04-02 08:28:37
Without the loop, people might be able to get their hands on private data. Of course, if the content is just a JS object, you shouldn't be able to access it with a <script> element at all (no function call involved), so I guess it's there just for extra safety.
Matti Virkkunen  2010-04-02 08:36:30
@Morgan: See http://haacked.com/archive/2009/06/25/json-hijacking.aspx and http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx.
Matthew Crumley  2010-04-02 15:19:28
@Matthew, thanks.
Morgan Cheng  2010-04-02 23:43:13

related questions

Retrieving HTTP status code from loaded iframe with Javascript
How to specify an authenticated proxy for a python http connection?
Why does HttpCacheability.Private suppress ETags?
How to respond to an alternate URI in a RESTful web service
Is there a reason to use BufferedReader over InputStreamReader when reading all characters?
What would be a good, windows and iis (http) based distributed version control system
Database query representation impersonating file on Windows share?
How do I use NTLM authentication with Active Directory
Process raw HTTP request content
How would you implement FORM based authentication without a backing database?
Reading "chunked" response with HttpWebResponse
Best way to let users download a file from my website: http or ftp
How do I convert a date to a HTTP-formatted date in .Net / C#
What is the best way to upload a file via an HTTP POST with a web form?
How do I stop IIS7 dropping my cookies?
Checking FTP status codes with a PHP script.
HTTP Libraries for Emacs
Accessing post variables using Java Servlets
HTTP: Generating ETag Header
HTTP: How to know when to send a 304 Not Modified response
How do I best detect an ASP.NET expired session?
How can I make the browser see CSS and Javascript changes?
How to curl or wget a web page?
The Definitive Guide To Website Authentication
Implementation of "Remember me" in a Rails application.