61 comments

[ 3.2 ms ] story [ 111 ms ] thread
> closed

Good 'ol stackoverflow

Really, the knee-jerk response to every single closed question on SO isn't terribly useful.

First off, you can still read the question and vote on answers. Since there are already several answers, adding another one would not be very useful anyhow.

Moreover, it's closed as a duplicate. There's an essentially identical question--with essentially the same answer--that's quite a bit older. It makes sense to point people to it so that there's one centralized resource on the topic.

As a duplicate of What??? That's always been my question. I've found it beyond dumb that they don't put the thing they want you to go to at that message. And, they should make it look like a link. Just my $0.02.
There's a link at the top of the question, in a gray box.

However, I certainly see how it would be useful to have the link in the closed message as well.

The thing that says, "Possible duplicate?" Once they confirm it they should change the wording to say "Duplicate" if that's the one they mean. It just looks like it's unfinished this way.
Wikipedia has shown us what ridiculous bureaucracy does to a community; it's sad that Stackoverflow has been turned into a utterly useless site despite the lessons that could have been learned from Wikipedia.
It's the Iron Law of Bureaucracy, coined in that form by Jerry Pournelle. http://www.jerrypournelle.com/reports/jerryp/iron.html

Every organization becomes controlled by those who serve the organization itself, as opposed to those who perform the actual goal or service of the organization. Schools are controlled by administrators, not the teachers. Wikipedia and other community-sourced internet sites are run by those who desired to acquire power over Wikipedia, not by those who desire to contribute content.

Stackoverflow has been turned into a utterly useless site

It has? It's news to me; I'm constantly finding relevant, useful information whenever I search for almost anything in the area of software development.

If you look at the gmail ajax calls, you'll also see they sometimes put a number in front of their data. Example:

3

[1, 2, 3, 0]

If you execute that in your JS console, it'll return undefined, which threw me for a loop a couple days ago when I saw it. I ended up having it ask on StackOverflow too and it's because JavaScript will interpret it as a property look up on that number object (it will evaluate to 3[0], which evaluates to undefined).

Something comma operator something.
That such hacks are used as security measures makes me think that we've heard far from the last JavaScript exploit.

Now I find that workaround sweet: but it's still a total kludge and that such kludges are used just shows how poorly security has been conceived from the ground up in browsers / JavaScript.

Note that this bug doesn't affect modern browsers AFAIK (just tested on Chrome). Firefox fixed this bug back in 2007 for instance.
I agree... I mean look at JSONP, that's basically the inverse hack. After all: what's the point of enforcing same-origin-policy in AJAX but ignoring it for <script>?
The actual reason for this is web advertising took off like wildfire, using 3rd party scripts. It was too late to reverse by the time people got concerned about the security model.

Content Security Policy makes all this much more robust in modern browsers.

JSONP lets the server turn off the same-origin policy. If XRFing your data is dangerous, don't use JSONP. But often we don't care about XRF, and the person writing the server is well-placed to know.
This works because the browser will run any third-party script, but it won't expose the raw string constituting the script.

So a malicious website can't steal that content by putting the URL in a script. It will never get to see what's in the script and only a same-domain script could parse the whole contents, by making a XHR call, and strip out the "while 1;" part. In contrast, a regular JSONP string is specifically designed for the third party to read it (by including code to call a callback function).

A lot of people still don't realise you shouldn't be serving private data as JSONP. Thankfully, CORS lets modern browsers go cross-browser safely, even with private data if things are configured right.

"Thankfully, CORS lets modern browsers go cross-browser safely, even with private data if things are configured right."

Would you clarify or add some pointers to where we can learn about CORS benefits for private data? CSRF is a huge but often underestimated issue.

There is not CORS benefits for private data if your CORS endpoint have a cookie based authentication.
Actually as yoghur points out, CORS doesn't protect against CSRF. A token must be passed for any privileged calls.

That said, a benefit of CORS is the ability to do non-GET methods. So it's safer in the sense of HTTP idempotence, ie you can change server state safely, using POSTs, DELETEs, and so on. You'd still need to pass a token, however.

(Of course I meant cross-domain, not cross-browser :).

> Thankfully, CORS lets modern browsers go cross-browser

> safely, even with private data if things are configured right.

CORS does nothing to prevent CSRF attacks, see[1]. We still need to protect against CSRF.

[1]http://www.w3.org/TR/cors/#security

You don't append in front, you prepend
Why does Google append their JSON responses to while(1); ?
That carries the implication "why not simply return 'while(1)'?".
I'm a bit perplex why you've chosen to pedantize this particular word choice since "prepend" itself is a portmanteau derived by mashing "pre" and "append" together.

Perhaps the trio of "affix", "prefix" and "suffix" might be more useful, since there is no "postpend" or "suppend" to accompany "append" and "prepend".

Regardless, the Google ngram chart of these various words is pretty interesting: http://books.google.com/ngrams/graph?content=prepend%2Cappen...

I had no idea 'prepend' was used so infrequently.
and what do you see as the difference between appending in front and prepending?
Nothing, if you're prepared to say you can pop something onto a stack and push it off.
what about a deque? the push-pop/shift-unshift distinction is unnecessarily confusing when something doesn't have stack semantics.
Wait.. so any JSON API that doesn't do this is technically vulnerable to CSRF? Mind blown.
This method only works for HTTP GETs, and can't get around requirements to present CSRF tokens with the request. This is one of several possible strategies for guarding against CSRF.
Wouldn't also using a custom HTTP header instead of cookies for passing a session identifier prevent this attack? A script tag can not set headers, right?
Correct me if I'm wrong, but does this not merely allow an attacker to cause the browser to make requests with custom headers? That is, it does not allow the attacker to gain the CSRF token, and if the CSRF token is not known to the attacker, he would still not be able to make API requests.
(comment deleted)
Not CSRF. XSSI. It's actually completely different
No. Unblow your mind. Any service which returns sensitive data in JSON via an HTTP get based on the user's cookie is vulnerable. At worst, an attacker would just be able collect the response of a GET on behalf of a visitor to the attacker's site if the user is on a really old browser.
(comment deleted)
Actually this prevents XSSI (cross-site script inclusion) not XSRF (cross-site request forgery).

XSRF vulnerabilities allow an attacker to issue web requests on a user's behalf; oftentimes though people only call it a vulnerability when you can issue a request that changes some state. And XSRF is usually prevented by including a hard to guess token with the request that is tied to the user and allows you to determine whether the request was generated by an authorized party. Please don't try to prevent XSRF by using while(1) :)

This doesn't protect again using an <img> tag to accomplish the same thing correct? Assume a malicious user wanted to delete something and the URI was formatted like: http://mydomain.com/delete/some-id-here. Then assuming the user is logged in, a simple <img src="http://www.mydomain.com/delete/some-id-here /> on a third party site would execute the request successfully correct?
Yes. This is why you never perform any actions which change something over GET. Use POST (or PUT or DELETE) for them.
This is one of the reasons why you never perform any actions which change something over GET. The main reason is so your site doesn't get deleted when the Googlebot visits. (Or more generally, so that web crawlers and other robots don't accidentally mutate the site.)

Using POST is not sufficient; you also need to include an XSRF token that only the requesting page knows. It's very possible to send a POST to a third-party site with about one line of Javascript. (In the relatively early days of Reddit, I wrote a page that upvoted itself by having a JS handler in an invisible iframe resubmit the same link over again, using the visitor's login credentials. At the time, submitting the same link twice on Reddit counted as an upvote, and so merely visiting the page would upvote the link.)

You're right, I only focused on that one single reason for my post since I was in a hurry.

Security issues are obviously more complex than one-line explanations. Thank you for your more elaborate reply!

Yes, that solves that. But you should use CSRF. Otherwise someone could have a <form method=POST action="http://mysite.example.com/delete>…</form>; on their site and a javascript that will submit the form upon page load.
If that works then the developer responsible for mydomain.com should be reprimanded for wilful incompetence. And that isn't even the problem the while(1); trick is meant to mitigate.
The scenario you mentioned is one of the things people mean when they talk about cross-site request forgery.
it was known like 4 years ago. I prefer to just use /
This can really be broken because you can redefine the numeric constructor of 1 to return false and thus get around the while(1). However, if for(;;) was used, then you cannot get around it. ;)
I'm curious--how would you redefine it? Could you share a code snippet or reference?
God says

not be a coal to warm at, nor fire to sit before it.

47:15 Thus shall they be unto thee with whom thou hast laboured, even thy merchants, from thy youth: they shall wander every one to his quarter; none shall save thee.

48:1 Hear ye this, O house of Jacob, which are called by the name of Israel, and are come forth out of the waters of Judah, which swear by the name of the LORD, and make mention of the God of Israel, but not in truth, nor in righteousness.

48:2 For they call themselves of the holy city, and stay themselves upon the God of Israel; The LORD of hosts is his name.

48:3 I have declared the former things from the beginning; and they went forth out of my mouth, and I shewed them; I did them suddenly, and they came to pass.