9

While I was debugging an error in Google Plus (while importing FB contacts from Yahoo) I've discovered a strange JSON response:

)]}'

[[["er",,,,,500]
,["e",2,,,57]
],'45932b7d6d6dc08e']

Is it some variation of JSONP? Reminds me of an SQL injection rather... So, what's the purpose of the closing brackets and quote at the beginning?

aaimnr
  • 2
    Smells like an XSS countermeasure – Shaggy Frog Jul 07 '11 at 23:47
  • smells like someone wanted to let the world know he's on google+ ... or maybe that's teen spirit... I can't really tell – Glenn Ferrie Jul 07 '11 at 23:52
  • Whoa that is weird. It's even served with content type "application/json" and yet is completely invalid json. – Alex Wayne Jul 07 '11 at 23:56
  • 3
    @Shaggy Frog, it looks more like an XSRF countermeasure to me. The script at the top makes sure that it will not parse correctly when loaded cross-site via ` – Mike Samuel Jul 07 '11 at 23:57
  • @GlennFerrieLive I've received the answers quickly thanks to the interesting context. Also everyone may check the JSON responses by him/herself. But still, thanks for that valuable insight. – aaimnr Jul 19 '11 at 18:18

2 Answers

10

It's basically JSON with nulls removed and the garbage added at the beginning to thwart XSRF. Here's some PHP code that will decode it (from an unofficial Google Plus API I'm working on).

https://github.com/jmstriegel/php.googleplusapi/blob/master/lib/GooglePlus/GoogleUtil.php

Jason Striegel
  • 1
    Jason: I didn't get what "null" removed means. Care to elaborate? – genesis Jul 12 '11 at 23:37
  • genesis: rather than key-value pairs, the json returned by g+ contains a number of nested arrays. many of the fields in those arrays contain no value, but instead of being expressed as 'null', they are left empty. so, you'll see arrays that look like [,,,0] instead of [null,null,null,0]. javascript parsers seem to do okay with this, but it doesn't pass in php's json_decode function. i assume the folks at google chose to do this to reduce transfer size. – Jason Striegel Jul 13 '11 at 02:23
  • 1
    also, to explain the code further: you simply throw away the first 5 characters, then sift through the remaining string looking for empty fields, inserting 'null' wherever you find one. after that, it should parse fine. – Jason Striegel Jul 13 '11 at 02:29
  • yes it works already. Wow. I didn't think about it! It's so easy. Can you answer this question, too? http://stackoverflow.com/questions/6672322/anti-xss-protection-by-adding-before-ajax-response – genesis Jul 13 '11 at 11:38
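
The decoding steps described in the answer and comments above (drop the `)]}'` guard, then insert `null` for each empty array slot), as an added Python example that is not taken from the linked PHP library or from Google. It skips commas inside strings; rewriting the single-quoted string from the question's sample, dropping a trailing comma the way a JavaScript array literal does, and all function names are assumptions of this example.

```python
import json

XSSI_PREFIX = ")]}'"  # guard prefix seen in the question's response

# The response quoted in the question, reproduced as a Python string.
SAMPLE = ")]}'\n\n[[[\"er\",,,,,500]\n,[\"e\",2,,,57]\n],'45932b7d6d6dc08e']\n"


def read_string(text, i):
    """Return (JSON string token, index after it) for the quoted string at text[i]."""
    quote, j, body = text[i], i + 1, []
    while j < len(text) and text[j] != quote:
        if text[j] == "\\":  # keep escape pairs together so \" or \' cannot end the string
            pair = text[j:j + 2]
            body.append("'" if pair == "\\'" else pair)
            j += 2
        else:  # a bare " inside a '...' string has to be escaped for JSON
            body.append('\\"' if text[j] == '"' else text[j])
            j += 1
    if j >= len(text):
        raise ValueError("unterminated string")
    return '"' + "".join(body) + '"', j + 1


def decode_guarded(raw):
    """Strip the guard prefix, fill elided array slots with null, parse as JSON."""
    if not raw.startswith(XSSI_PREFIX):
        raise ValueError("guard prefix missing")
    text, out, i = raw[len(XSSI_PREFIX):], [], 0
    sig = -1  # index in `out` of the last non-whitespace token
    while i < len(text):
        ch = text[i]
        if ch in "\"'":
            token, i = read_string(text, i)
            out.append(token)
            sig = len(out) - 1
            continue
        if ch == "," and sig >= 0 and out[sig] in ("[", ","):
            out.append("null")  # empty slot before this comma: "[," or ",,"
        elif ch == "]" and sig >= 0 and out[sig] == ",":
            del out[sig]  # trailing comma: dropped (assumed JS array-literal rule)
        out.append(ch)
        if not ch.isspace():
            sig = len(out) - 1
        i += 1
    return json.loads("".join(out))


if __name__ == "__main__":
    print(decode_guarded(SAMPLE))
```

A response that lacks the guard prefix raises `ValueError` instead of being parsed, so a caller notices if the endpoint's format changes.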
5

It might be an XSRF defense similar to the one described at What does a Ajax call response like 'for (;;); { json data }' mean?

Mike Samuel