Why does Facebook’s XHR request have that code?


I was analyzing the XHR requests from Facebook for study purposes and came across a piece of code that I found curious, to say the least.

A link similar to this one, 4-edge-chat.facebook.com/pull, returns the following code:

for (;;); {"t":"fullReload","seq":3}

Well then! As far as I know, this for(;;) causes an infinite loop (which can even lock the browser if it is run in the console).

What is the reason some of the Facebook scripts have this code? Would it be to avoid external inclusion or something like that?

  • 1

Just to link here the same question on SOen: http://stackoverflow.com/q/2669690/91403 (it may serve as a complement to the already accepted answer)

  • 1

    Very useful, @renatoargh

1 answer

8


TL;DR

Yes, it is to avoid a very specific type of attack based on JSON requests to different domains.

A type of attack

According to an article from You’ve Been Haacked, one of the attacks in this category can be classified as a combination of cross-site request forgery or XSRF and some loopholes in older browsers that allowed malicious scripts to read all or part of the content returned from JSON requests to other domains.

XSRF, briefly, is when a malicious script makes requests to a remote server (Facebook in this case) using the user’s credentials, to act on the user’s behalf or obtain sensitive data.

How the attack works

The idea is basically the following:

  1. The user authenticates to Facebook
  2. User accesses a malicious website
  3. A script on the malicious site uses a <script> tag to make a GET request to the Facebook web service that returns JSON
  4. The malicious script can bypass browser security and read back the data from the Facebook request

Example of implementation of the attack

Taken from the site cited above, consider the following example:

<script type="text/javascript">
// Holds whatever the overridden constructor receives.
var secrets;

// Redeclares the Array constructor so that, in the affected older browsers,
// any array created by the JSON loaded below ends up in "secrets".
Array = function() {
  secrets = this;
};
</script>

<!-- Cross-domain request made through a script tag; the browser sends the
     user's cookies, so the JSON returned is the authenticated user's data. -->
<script src="http://haacked.com/demos/secret-info.json"
  type="text/javascript"></script>

<script type="text/javascript">
  // Walks the captured array and concatenates its elements.
  var yourData = '';
  var i = -1;
  while(secrets[++i]) {
    yourData += secrets[i] + ' ';
  }

  alert('I stole your data: ' + yourData);
</script>

In some older browsers, the above code makes the variable secrets receive any new Array created after the initial section runs. It is a redeclaration of the constructor.

Then the <script> tag makes the request to the other server and, if there is an Array in the returned JSON, the data will be captured.

Conclusion

Even though modern browsers make it very difficult to capture data from such request types, the infinite for loop leaves the malicious script no chance of doing anything with data that might be obtained from web service calls made through <script> tags.

So it’s one more security element.

  • Very well explained! Thank you very much for your dedication

  • 1

    The Facebook people were very smart in this implementation. The curious thing is to think about how they should treat this code in order for it to be valid internally :)

  • 1

@Wallacemaxters To make it work, you just need the manual work of doing a substring whenever you parse that data.

  • rsrsrsrs, I had just shown such a solution to a colleague of mine. Thank you very much for the reply!

  • Would it then be good practice to insert the infinite loop at the beginning of each JSON returned? The thing is, I have an application made in Angular that makes requests to the server, which in turn returns the response in JSON. On the server side I check whether the client is logged in, but if the user is infected with some malicious code, requests can be made automatically in the "name" of the logged-in user. Right?
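The mechanism the answer describes, and the substring step mentioned in the comments, as an added example that is not part of the original answer or of Facebook's code: a server-side helper that prefixes each JSON body with the for (;;); guard and the matching client-side parser that strips it. The function names and the sample body are assumptions made for this illustration.

```javascript
// Added example, not code from the original page or from Facebook.
// The prefix value matches the one quoted in the question.
const ANTI_HIJACK_PREFIX = "for (;;);";

// Server side: wrap any JSON-serialisable value. Loaded through a <script>
// tag the body hangs on the infinite loop before the data is evaluated;
// a cooperating client strips the prefix and parses the rest.
function protectJson(value) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(value);
}

// Client side: refuse bodies that lack the guard, so a response that was
// rewritten or served by an unexpected endpoint is noticed rather than
// silently accepted, then parse what follows the prefix.
function parseProtectedJson(text) {
  // Tolerates the spacing variants "for (;;);" and "for(;;);".
  const match = /^for\s*\(\s*;\s*;\s*\)\s*;/.exec(text);
  if (!match) {
    throw new Error("missing anti-hijacking prefix");
  }
  return JSON.parse(text.slice(match[0].length));
}

// Shows what a consumer that skips the substring step sees: the guarded
// body is not valid JSON, so a plain JSON.parse fails loudly.
function naiveParseFails(text) {
  try {
    JSON.parse(text);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Constructed sample modelled on the body quoted in the question.
const sample = protectJson({ t: "fullReload", seq: 3 });
console.log(sample);                          // for (;;);{"t":"fullReload","seq":3}
console.log(parseProtectedJson(sample).seq);  // 3
console.log(naiveParseFails(sample));         // true
```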
