Wherefore does Google prepend while(1); to their (backstage) JSON responses?
For illustration, present's a consequence piece turning a calendar connected and disconnected successful Google Calendar:
while (1);[ ['u', [ ['smsSentFlag', 'false'], ['hideInvitations', 'false'], ['remindOnRespondedEventsOnly', 'true'], ['hideInvitations_remindOnRespondedEventsOnly', 'false_true'], ['Calendar ID stripped for privacy', 'false'], ['smsVerifiedFlag', 'true'] ]]]I would presume this is to forestall group from doing an eval() connected it, however each you'd truly person to bash is regenerate the while and past you'd beryllium fit. I would presume the eval prevention is to brand certain group compose harmless JSON parsing codification.
I've seen this utilized successful a mates of another locations, excessively, however a batch much truthful with Google (Message, Calendar, Contacts, and so forth.) Surprisingly adequate, Google Docs begins with &&&START&&& alternatively, and Google Contacts appears to commencement with while(1); &&&START&&&.
What's going connected present?
It prevents JSON hijacking, a great JSON safety content that is formally mounted successful each great browsers since 2011 with ECMAScript 5.
Contrived illustration: opportunity Google has a URL similar mail.google.com/json?action=inbox which returns the archetypal 50 messages of your inbox successful JSON format. Evil web sites connected another domains tin't brand AJAX requests to acquire this information owed to the aforesaid-root argumentation, however they tin see the URL through a <script> tag. The URL is visited with your cookies, and by overriding the planetary array constructor oregon accessor strategies they tin person a methodology known as each time an entity (array oregon hash) property is fit, permitting them to publication the JSON contented.
The while(1); oregon &&&BLAH&&& prevents this: an AJAX petition astatine mail.google.com volition person afloat entree to the matter contented, and tin part it distant. However a <script> tag insertion blindly executes the JavaScript with out immoderate processing, ensuing successful both an infinite loop oregon a syntax mistake.
This does not code the content of transverse-tract petition forgery.
It prevents disclosure of the consequence done JSON hijacking.
Successful explanation, the contented of HTTP responses is protected by the Aforesaid Root Argumentation: pages from 1 area can't acquire immoderate items of accusation from pages connected the another area (except explicitly allowed).
An attacker tin petition pages connected another domains connected your behalf, e.g. by utilizing a <script src=...> oregon <img> tag, however it tin't acquire immoderate accusation astir the consequence (headers, contents).
Frankincense, if you sojourn an attacker's leaf, it couldn't publication your e-mail from gmail.com.
But that once utilizing a book tag to petition JSON contented, the JSON is executed arsenic JavaScript successful an attacker's managed situation. If the attacker tin regenerate the Array oregon Entity constructor oregon any another methodology utilized throughout entity operation, thing successful the JSON would walk done the attacker's codification, and beryllium disclosed.
Line that this occurs once the JSON is executed arsenic JavaScript, not once it's parsed.
Location are aggregate countermeasures:
Making certain the JSON ne\'er executes
By inserting a while(1); message earlier the JSON information, Google ensures that the JSON information is ne\'er executed arsenic JavaScript.
Lone a morganatic leaf may really acquire the entire contented, part the while(1);, and parse the the rest arsenic JSON.
Issues similar for(;;); person been seen connected Fb for case, with the aforesaid outcomes.
Making certain the JSON is not legitimate JavaScript
Likewise, including invalid tokens earlier the JSON, similar &&&START&&&, makes certain that it is ne\'er executed.
Ever instrument JSON with an Entity connected the extracurricular
This is OWASP really useful manner to defend from JSON hijacking and is the little intrusive 1.
Likewise to the former antagonistic-measures, it makes certain that the JSON is ne\'er executed arsenic JavaScript.
A legitimate JSON entity, once not enclosed by thing, is not legitimate successful JavaScript, since the { } will get interpreted arsenic a codification artifact:
eval('{"foo":"bar"}')// SyntaxError: Unexpected token :This is nevertheless legitimate JSON:
JSON.parse('{"foo":"bar"}')// Object {foo: "bar"}Truthful, brand certain you ever instrument an Entity astatine the apical flat of the consequence and brand certain that the JSON is not legitimate JavaScript, piece inactive being legitimate JSON.
Arsenic famous by @hvd successful the feedback, the bare entity {} is legitimate JavaScript, and understanding the entity is bare whitethorn itself beryllium invaluable accusation.
Examination of the supra strategies
The OWASP manner is little intrusive, arsenic it wants nary case room adjustments, and transfers legitimate JSON. It is not sure whether or not ancient oregon early browser bugs may conclusion this, nevertheless. Arsenic famous by @oriadam, it is unclear whether or not information may beryllium leaked successful a parse mistake done an mistake dealing with oregon not (e.g. framework.onerror).
Google's manner requires a case room successful command for it to activity automated de-serialization and tin beryllium thought-about to beryllium safer with respect to browser bugs.
Some strategies necessitate server-broadside adjustments successful command to debar builders unintentionally sending susceptible JSON.
Once dealing with JSON responses from Google's providers, builders frequently brush an different prefix: )]}'. This seemingly random drawstring precedes the existent JSON information. Knowing wherefore Google prepends this prefix is important for making certain the safety and integrity of internet functions that devour these APIs. This pattern, piece initially puzzling, serves an crucial function successful mitigating possible safety vulnerabilities. The beingness of )]}' guards in opposition to definite varieties of assaults that may compromise your exertion's information. This article delves into the causes down this behaviour and however to grip it decently.
The Rationale Down Google's JSON Prefix
Google prepends )]}' adopted by a newline quality to its JSON responses arsenic a safety measurement to forestall JSON hijacking. JSON hijacking is a kind of transverse-tract book inclusion (XSSI) onslaught. Successful older browsers, it was imaginable for a malicious web site to see a JSON API endpoint arsenic a