javascript ajax post json – Why does Google prepend while(1); to their JSON responses?

Why does Google prepend while(1); to their (private JSON) responses?

Here’s an example of a Google Calendar response when you turn a calendar on or off:

while (1);
[
  ['u', [
    ['smsSentFlag', 'false'],
    ['hideInvitations', 'false'],
    ['remindOnRespondedEventsOnly', 'true'],
    ['hideInvitations_remindOnRespondedEventsOnly', 'false_true'],
    ['Calendar ID stripped for privacy', 'false'],
    ['smsVerifiedFlag', 'true']
  ]]
]

JavaScript does not accept a bare JSON object at statement position: the parser treats the leading { as the start of a block, not an object literal, so evaluating a JSON object that isn't wrapped in parentheses or some other expression fails.

eval('{"foo":"bar"}')
// SyntaxError: Unexpected token :

However, the same text is valid JSON, and JSON.parse reads it without trouble:

JSON.parse('{"foo":"bar"}')
// Object {foo: "bar"}

JSON Hijacking is an attack similar to Cross-Site Request Forgery. An attacker can read sensitive JSON cross-domain from applications that return that data as an array literal in response to a GET request. Below is an example of a JSON-based call that returns an array literal.

[{"id":"1001","ccnum":"4111111111111111","balance":"2345.15"}, 
{"id":"1002","ccnum":"5555555555554444","balance":"10345.00"}, 
{"id":"1003","ccnum":"5105105105105100","balance":"6250.50"}]

Step 1: Get an authenticated user to open a malicious webpage. Step 2: The malicious webpage attempts to load sensitive data from an application the user is currently logged into. It can do this by embedding a script tag in its HTML, since script tags are not subject to the same-origin policy.

<script>
  // The setter must exist before the cross-site script is fetched, so it is
  // defined first. This trick only worked in pre-ES5 engines, where evaluating
  // an object literal invoked inherited setters; since ES5, literals define
  // their own properties directly and the setter is never called.
  var secrets = "";
  Object.prototype.__defineSetter__('ccnum', function(value) {
    secrets = secrets.concat(" ", value);
  });
</script>
<script src="http://<jsonsite>/json_server.php"></script>

The <script> tag is exempt from the Same Origin Policy; that exemption is part of the web platform's design and cannot simply be switched off. Prepending while(1); to a JSON response prevents the response from being misused through a <script> tag: the interpreter enters an infinite loop before it ever reaches the array literal, so nothing from the response is evaluated. The application's own code, which fetches the response via XMLHttpRequest on the same origin, strips the prefix and parses the remainder with JSON.parse.
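The following is an added example, not code from the original post or from Google: it shows both halves of the prefix scheme described above, a server-side encoder that prepends `while(1);` and a client-side decoder that refuses any body lacking the prefix, strips it and uses `JSON.parse`. It also uses `new Function`, which parses text as a script without executing it, to check the three cases the post discusses: a bare object literal is not a valid script, a bare array literal is (which is exactly why it can be hijacked), and the prefixed body is a valid script that would never reach the data. The function names, the `SAMPLE` data and the prefix constant are my own assumptions; some Google services use `)]}'` instead of `while(1);`, and the same code works with that prefix.

```javascript
// Added example (not the original post's code). The legitimate client and the
// server agree on a fixed prefix that makes the body useless as a <script>.
const ANTI_HIJACK_PREFIX = "while(1);";

// Server side: serialize the data and prepend the prefix.
function encodeProtected(data) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(data);
}

// Client side (same-origin XMLHttpRequest/fetch): insist on the prefix so a
// misconfigured endpoint that forgot it is noticed, then strip it and use
// JSON.parse rather than eval.
function decodeProtected(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("response is missing the anti-hijacking prefix");
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Does the JavaScript parser accept this text as a script body? new Function
// parses without running it, so checking the prefixed body is safe even though
// executing it would loop forever.
function parsesAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

function parsesAsJson(text) {
  try {
    JSON.parse(text);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample in the shape of the post's array literal (fake values).
const SAMPLE = [
  { id: "1001", ccnum: "4111111111111111", balance: "2345.15" },
  { id: "1002", ccnum: "5555555555554444", balance: "10345.00" },
];

function demo() {
  const body = encodeProtected(SAMPLE);
  return {
    // A bare object literal is a block statement to the parser, so it is not
    // a valid script; the same text is valid JSON.
    bareObjectIsScript: parsesAsScript('{"foo":"bar"}'),
    bareObjectIsJson: parsesAsJson('{"foo":"bar"}'),
    // A bare array literal IS a valid script: that is what makes it hijackable
    // when loaded through a <script> tag.
    bareArrayIsScript: parsesAsScript(JSON.stringify(SAMPLE)),
    // The prefixed body still parses as a script, but running it never reaches
    // the array, and it is not JSON until the prefix is stripped.
    prefixedIsScript: parsesAsScript(body),
    prefixedIsJson: parsesAsJson(body),
    // The legitimate client strips the prefix and gets the data back.
    roundTripFirstId: decodeProtected(body)[0].id,
  };
}

console.log(demo());
```

The decoder's prefix check is the defensive detail worth keeping: if an endpoint ever serves the array literal without the prefix, the client fails loudly instead of silently accepting a response that a third-party page could also have loaded as a script.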
