Why does Facebook's XHR requests have this code?

4

I was analyzing Facebook's XHR requests for study purposes and I came across a code that I found to be curious.

In a link similar to this 4-edge-chat.facebook.com/pull, it has the following code:

for(;;);{"t":"fullReload","seq":3}

Well! As far as I know, this for(;;) causes an infinite loop (which can even crash the browser if it is run in the console).

What is the reason some of the Facebook scripts have this code? Is it to avoid external inclusion or something?

asked by anonymous 14.01.2015 / 12:44

1 answer

8

TL;DR

Yes, it is to avoid a very specific type of attack based on JSON requests across different domains.

One type of attack

According to an article from You've Been Haacked, one of the attacks in this category can be classified as a combination of cross-site request forgery (XSRF) and some loopholes in old browsers that allowed malicious scripts to read all or part of the content returned from JSON requests to other domains.

Briefly, XSRF is when a malicious script makes requests to a remote server (Facebook, in this case) using the user's credentials, to act on behalf of the user or to obtain sensitive data.

How the attack works

The idea is basically the following:

  • User authenticates with Facebook
  • The user accesses a malicious website
  • A script on the malicious website uses a <script> tag to make a GET request to the Facebook web service that returns a JSON
  • The malicious script can circumvent browser security and retrieve the data returned from the request to Facebook

Example implementation of the attack

Extracted from the above site, consider the following example:

    <script type="text/javascript">
    var secrets;

    // Replace the global Array constructor so that, in the affected old
    // browsers, every Array created afterwards is handed to this page.
    Array = function() {
      secrets = this;
    };
    </script>

    <!-- Cross-site include: the JSON body is evaluated as a script -->
    <script src="http://haacked.com/demos/secret-info.json" type="text/javascript"></script>

    <script type="text/javascript">
      // Walk the captured Array and collect its elements.
      var yourData = '';
      var i = -1;
      while(secrets[++i]) {
        yourData += secrets[i] + ' ';
      }

      alert('I stole your data: ' + yourData);
    </script>
    

In some older browsers, the above code causes the secrets variable to receive the values of any new Array created after the initial snippet executes. This is a redefinition of the constructor.

Next, the <script> tag requests the other server, and if there is an Array in the returned JSON, the data will be captured.

Conclusion

Even though modern browsers make it very difficult to capture data from such requests, the infinite for loop leaves the malicious script no chance of doing anything with any data that could be obtained from web service calls using <script> tags.

So it is an added element of security.

14.01.2015 / 19:12
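As an added illustration (example code, not Facebook's own client or anything from the answer above), the following shows both halves of the `for(;;);` convention: a server wrapping a JSON payload with the prefix, and a same-origin XHR consumer checking for and stripping the prefix before parsing. It also shows why the raw body is useless to anyone who tries to read it as plain JSON, and that a bare JSON array compiles as a valid script while a prefixed one never gets past the loop. The function names and the sample payload are assumptions constructed for this example.

```javascript
// Added example, not Facebook's code. The prefix is the one seen in the
// question; the function names below are assumptions for illustration.
const ANTI_HIJACK_PREFIX = 'for(;;);';

// Server side: wrap the JSON so the body is not usable as a standalone script.
// If loaded via a cross-site <script src=...>, the loop runs forever and the
// data that follows it is never reached.
function wrapResponse(payload) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(payload);
}

// Client side (same origin, via XMLHttpRequest/fetch, which can read the text
// as a string): require the prefix, strip it, then parse the remainder.
// Rejecting bodies without the prefix also catches responses that did not come
// from the expected endpoint (an error page, a misconfigured proxy, etc.).
function parseProtectedJson(body) {
  if (typeof body !== 'string' || !body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error('unexpected response: missing anti-hijacking prefix');
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Defender's check: can this body be parsed as plain JSON? A prefixed body
// cannot, so any consumer that skips the prefix handling fails loudly.
function isPlainJson(body) {
  try {
    JSON.parse(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Does the body compile as a script? (Compiles only; nothing is executed.)
// A bare JSON array is a valid script, which is exactly what the Array
// constructor trick relied on; prefixing keeps it compilable but unreachable.
function compilesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample mirroring the shape of the message in the question.
const sampleBody = wrapResponse({ t: 'fullReload', seq: 3 });
```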