Google Plus returns AJAX requests with `)]}'` on the first line. I heard it is protection against XSS. Are there any examples of what anyone could do with this, and how, without that protection?
As others said, it's a protection against Cross Site Script Inclusion (XSSI).
We explained this on Gruyere as:
Here's my best guess as to what's happening here.
First off, there are other aspects of the Google JSON format that aren't quite valid JSON. So, in addition to any protection purposes, they may be using this specific string to signal that the rest of the file is in Google JSON format and needs to be interpreted accordingly.
Using this convention also means that the data feed won't execute from a call from a script tag, nor by interpreting the JavaScript directly from an eval(). This ensures front-end developers are passing the content through a parser, which will keep any implanted code from executing.
So to answer your question, there are two plausible attacks that this prevents: one cross-site through a script tag, but the more interesting one is within-site. Both attacks assume that:
As a simple example, let's say a user figured out how to take a string like `example`
and change it to `"];alert('example');`
Now when that data shows up in another user's feed, the attacker can execute arbitrary code in the user's browser. Since it's within site, cookies are being sent to the server and the attacker could automate things like sharing posts or messaging people from the user's account.
In the Google scenario, these attacks won't work for a number of reasons. The first 5 characters will cause a JavaScript error before the attack code is run. Plus, since developers are forced to parse the code instead of accidentally running it through an eval(), this practice will prevent code from being executed anyway.