2

I would like to ask what the purpose of such a response is when making an XHR or when a push notification is sent by a server to the browser:

for(;;);[{"syncId": 2, "changes" : [["change",{"pid":"7"},["10",{"id":"7"}]]], "state":{"5":{"childData":{"7":{"alignmentBitmask":48,"expandRatio":0}}},"7":{"caption":"This is the real UI","text":""}}, "types":{"5":"1","7":"10"}, "hierarchy":{"5":["7"],"7":[]}, "rpc" : [], "meta" : {"async":true}, "resources" : {}, "typeMappings" : { "com.vaadin.ui.AbstractField" : 11 , "com.vaadin.ui.AbstractTextField" : 12 , "com.vaadin.ui.TextArea" : 10 }, "typeInheritanceMap" : { "11" : 6 , "12" : 11 , "4" : 9 , "6" : 5 , "10" : 12 , "8" : 4 , "9" : 6 , "1" : 8 }, "timings":[185, 6]}]

I mean, I know it is JSON (or at least it should be), but what about the for(;;); at the beginning of the response? What is it for?

tonix

2 Answers

2

I haven't seen the for(;;); construct in front before - it is JavaScript, and definitely not valid JSON.

What you're looking at could be a trick to mess with people trying to read the response from a different domain. Cross-origin restrictions in browsers mean that you can't just load resources from random domains willy-nilly. What you can do, however, is load bits of JavaScript from another domain: this is what Google Analytics does, for example.

Maybe whatever service you're getting the response from is trying to prevent busybodies from doing such requests by sticking an infinite loop in front of the response, crippling the browser of anyone that tries to request it as a script and then run the response verbatim.

However, this is all speculation; it could be something else entirely.

Edit: If the service you're getting the response from is Facebook, this answer gives a much more reasonable explanation: apparently Facebook adds it to force its developers to use a trusted JSON parser.

Wander Nauta
  • Yes, it is not standard, but look at Facebook's XHRs/push notifications, e.g. when you chat with someone: you will find that `for(;;);` at the beginning of several responses. The example I posted is a push response from a Vaadin application. Why is that? – tonix Dec 07 '14 at 19:02
  • I edited my answer to add a link to a question discussing Facebook specifically. I don't know Vaadin, but I imagine they'd use a similar technique for similar reasons. – Wander Nauta Dec 07 '14 at 19:03
  • Thank you for the link. I read the accepted answer and the other users' posts, yet it isn't so clear how this code actually gets parsed into JSON and how it can protect against exploits in real-world examples. – tonix Dec 07 '14 at 19:21
  • The gist of it is that parsing JSON by running it as JavaScript (with `eval`, for example) is a bad idea, and this trick prevents that. How this blob gets turned into valid JSON depends entirely on what you're using to parse it. – Wander Nauta Dec 07 '14 at 19:25
  • So you are saying that they are using some custom JSON parser in order to parse it? – tonix Dec 07 '14 at 19:28
  • Yes. This is not JSON. A standard JSON parser will not parse it. – Wander Nauta Dec 07 '14 at 19:29
  • Ok, thank you, just one last question: in the post you linked they say that a potential attacker can't steal sensitive information by eval()ating the JSON of the response because the `for(;;);` will cause an endless loop, but what if the attacker just implements a parser like the one Facebook uses to parse the JSON after the for? He would then be able to read the sensitive data anyway, wouldn't he? – tonix Dec 07 '14 at 19:41
  • Yes. It's not a very good security measure, just a trick to a) help developers and b) perhaps slightly annoy lazy attackers. – Wander Nauta Dec 07 '14 at 19:44
  • Sorry, `a) help developers` in which way? To force them to use a pre-built custom parser? – tonix Dec 07 '14 at 19:47
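How a client turns such a body back into JSON with a trusted parser, as the comments above describe, and why a standard parser refuses the raw body. This is an added example, not code from the question, from Vaadin or from Facebook; the prefix constant, the function names and the shortened sample body are assumptions.

```javascript
// Added example: strip the for(;;); guard and hand the rest to JSON.parse,
// never to eval()/new Function(). Names and sample body are constructed.
const ANTI_EVAL_PREFIX = "for(;;);";

// Constructed sample in the shape of the Vaadin push response in the question.
const SAMPLE_BODY =
  'for(;;);[{"syncId": 2, "rpc": [], "meta": {"async":true}, "timings":[185, 6]}]';

// Returns the parsed payload. Throws if the guard prefix is absent, so a body
// that did not come from the expected framework is rejected rather than
// silently accepted.
function parseGuardedJson(body) {
  if (typeof body !== "string" || !body.startsWith(ANTI_EVAL_PREFIX)) {
    throw new Error("response does not carry the expected for(;;); prefix");
  }
  // JSON.parse only builds data; it cannot execute the loop or anything else.
  return JSON.parse(body.slice(ANTI_EVAL_PREFIX.length));
}

// Shows the point made in the comments: a standard JSON parser does not
// accept the raw body at all. Returns true when JSON.parse throws a
// SyntaxError on it, false when it parses.
function standardParserRejects(body) {
  try {
    JSON.parse(body);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Stand-alone run.
const parsed = parseGuardedJson(SAMPLE_BODY);
console.log("syncId:", parsed[0].syncId, "async:", parsed[0].meta.async);
console.log("raw body rejected by JSON.parse:", standardParserRejects(SAMPLE_BODY));
```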
1

The

for(;;);

isn't standard JSON. It looks like an error in the response.

If you remove it, your JSON is valid.

MQ87