Why does Google perpend while(1) to their (private JSON) responses?
Here’s an example of a Google Calendar response when you turn a calendar on or off:
while (1);
[
['u', [
['smsSentFlag', 'false'],
['hideInvitations', 'false'],
['remindOnRespondedEventsOnly', 'true'],
['hideInvitations_remindOnRespondedEventsOnly', 'false_true'],
['Calendar ID stripped for privacy', 'false'],
['smsVerifiedFlag', 'true']
]]
]
JavaScript does not recognize a valid JSON object that isn’t enclosed by any other objects.
eval('{"foo":"bar"}')
// SyntaxError: Unexpected token :
However, this is valid JSON
JSON.parse('{"foo":"bar"}')
// Object {foo: "bar"}
JSON Hijacking is a similar attack to Cross-Site Request Forgery. An attacker can gain cross-domain sensitive JSON information from applications that return sensitive data in array literals to GET queries. Below is an example of a JSON-based call that returns an array literal.
[{"id":"1001","ccnum":"4111111111111111","balance":"2345.15"},
{"id":"1002","ccnum":"5555555555554444","balance":"10345.00"},
{"id":"1003","ccnum":"5105105105105100","balance":"6250.50"}]
Step 1: Allow an authenticated user access a malicious webpage. Step 2: The malicious webpage will attempt to access sensitive data from an application the user is currently logged into. You can embed a script tag into an HTML page to accomplish this, since script tags are not subject to the same-origin policy.
<script src="http://<jsonsite>/json_server.php"></script>
Object.prototype.__defineSetter__('ccnum',function(obj){
secrets =secrets.concat(" ", obj);
});
The <script> tag is exempted form the Same Origin Policy. This is a security requirement in the web world. while(1) when added to a JSON response prevents misuse in the <script> tag.
