Is facebook suddenly safe against JSON hijacking?

Published 2020-03-20 03:04

Question:

It is well known that Facebook uses JavaScript responses (JS, not JSON) which are prefixed with while(1) & for(;;); in order to prevent a script tag from stealing the JSON data when old browsers are being overloaded with their Array ctor & Object ctor.

But from a recent try, it seems that this is not the case anymore (for the friends list, which I'm sure it was used for).

Notice that now, the content-type is:

content-type: application/octet-stream

But why did they do it? Is it now safe? (I know that it's for older browsers, but still...)

I know that [..]'s ctor was problematic. But what about {..}'s ctor ?

Question:

Why did Facebook remove the infinite loop? And how do they now mitigate against JSON hijacking?

I mean, what happens now if a <script> tag tries to fetch the "getFriends" list? (in a very old browser)

NB

Worth mentioning that there are still other responses with an infinite loop for {..}!!:

Also in here (Object, with infinite loop)

Answer 1:

This attack (loading JSON as a <script>) is based on a few assumptions:

1) The JSON is itself valid JS (that's what the for(;;) changes), which also means that it may not start with a { as that is a block statement, which does not contain key-value pairs:

 { "a": 1 } // invalid JS, valid JSON *
 [{ "a": 1 }] // valid JS, valid JSON

2) The browser is very old (< 1% of the total users), as constructing arrays with the literal does not call the Array function in newer browsers (ES5 support is a good estimation for those).

Therefore this attack isn't possible in this case, as the API you mentioned returns an object, therefore (1) is not fulfilled. And even if the API would return an array, only a very small number of people could theoretically be hijacked:

1) The browser has to be very old, and then the browser itself is probably a bigger risk, and the browser has to even support JavaScript.

2) The client has to visit a malicious site, which is very unlikely due to spam filters / blacklists at various levels.

3) The user has to be logged in at facebook while visiting the malicious website.

Worth mentioning that there are still other responses with an infinite loop

I guess this is generally a thing of the past. It will take a while until all APIs get refactored / migrated. I assume adding/removing these 5 characters causes a significant overhead when you think at Facebook's scale.


*: If you try to load { a: 1 } you'll find out that it does not throw a SyntaxError! However this is neither valid JSON, nor does it create an object (it's a labelled 1 inside of a block statement).
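To make the answer's point (1) and the footnote concrete, here is an added example (not code from the question, the answer, or Facebook) that shows the two halves of the for(;;); guard, the server prefixing every JSON body and the legitimate client stripping it, plus a small check that tells whether a given body would even parse as a JavaScript program. GUARD, guardJson, parseGuarded and isValidScript are names chosen for this example, and the sample bodies are constructed.

```javascript
// Added example: the anti-hijacking prefix on both ends, and a parser-only
// check of whether a response body is syntactically a JS program.
const GUARD = "for(;;);";

// Server side: prefix the serialized body so that, if some page ever manages
// to execute it via <script>, the loop runs before any value is constructed.
// Applied uniformly, whether the payload is an object or an array.
function guardJson(value) {
  return GUARD + JSON.stringify(value);
}

// Legitimate client (e.g. an XHR/fetch wrapper): strip the prefix it knows
// to expect, then parse. Failing loudly when the prefix is absent means an
// unguarded response is noticed instead of silently accepted.
function parseGuarded(body) {
  if (!body.startsWith(GUARD)) {
    throw new Error("response is missing the for(;;); prefix");
  }
  return JSON.parse(body.slice(GUARD.length));
}

// Would this body parse as a JS *program*? The Function constructor is used
// only as a parser here; the body is never executed. A top-level { "a": 1 }
// is a block statement whose contents are a syntax error (answer, point 1),
// while a top-level array literal is a perfectly valid expression statement.
function isValidScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample bodies mirroring the answer's two cases.
const objectBody = JSON.stringify({ a: 1 });   // {"a":1}  -> not a valid script
const arrayBody = JSON.stringify([{ a: 1 }]);  // [{"a":1}] -> valid script

// The footnote's case: unquoted key, parses as a label, creates no object.
const labelledBody = "{ a: 1 }";
```

Running isValidScript over the three bodies reproduces the answer's table: the object body is rejected by the parser, the array body and the unquoted labelled form are accepted, and parseGuarded only ever accepts bodies carrying the prefix.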