
Error in the personal data export JSON

By Nicola Larosa @teknico2021-03-13 11:22:33.318Z

When exporting personal data from the Preferences page, the downloaded JSON begins with a spurious line containing:

)]}',
  • 2 replies
  1. KajMagnus @KajMagnus2021-03-13 19:33:04.333Z2021-03-13 19:40:43.633Z

    It's a security thing that prevents the JSON from being parsed as Javascript — so a malicious external website cannot load people's private JSON via JSONP, see:

    JSON Vulnerability Protection
    https://docs.angularjs.org/api/ng/service/$http#json-vulnerability-protection

    The malicious party website would try to send a cross-site request forgery request via a <script> tag, and rely on a weird Javascript feature: the Array constructor can be changed to something else. Here are details:

    http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx

    They link to a blog post describing how Gmail got hacked in that way, 15 years ago: "... discovered a vulnerability in GMail where it became trivial to compromise someone's email contact list ..."
    https://blog.jeremiahgrossman.com/2006/01/advanced-web-attack-techniques-using.html

    ***

    Talkyard's Javascript code removes the ")]}'," prefix before parsing the JSON.

    However, if you access the JSON from the same domain (same origin), then that prefix actually shouldn't be needed. But it's there anyway.

    1. KajMagnus @KajMagnus2021-04-09 12:03:58.856Z2021-04-09 12:10:09.765Z

      Update: Newer Talkyard versions might add )]}', only if the API response returns an array (but not an object).

      Details:

      The exploit works by modifying the array constructor so it becomes a statement, but that works only if an array is returned as the top level thing. So, the )]}' isn't needed if returning an object.

      From the haacked article:

      Mitigations
      One common mitigation is to make sure that your JSON service always returns its response as a non-array JSON object. For example, with ASP .NET Ajax script services, they always append a “d” property to the response [...]

      { “d” : [“bankaccountnumber”, “$1234.56”] }

      Because this is not a valid JavaScript statement, it cannot be parsed and instantiated as a new object in JavaScript. This therefore prevents the cross-site scripting attack from accessing data from AJAX JSON services on other domains.

      (I'm changing this, because I think it's annoying with )]}' when looking in Dev Tools)

      (I marked my previous reply as the answer)
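The two replies above describe both halves of the mechanism: the client strips the `)]}',` line before parsing, and the server only needs the prefix when the top level of the response is an array. The following is an added example illustrating that exchange; it is not Talkyard's own code, and the function names, the `SAMPLE_EXPORT` value and the handling of an optional newline after the prefix are assumptions made here. The third function is a defender's check: it asks whether a response body would even compile as a JavaScript program, which is the precondition for the script-tag loading trick described in the linked articles. The body is compiled but never run.

```javascript
// Added example (not Talkyard's own code): the anti-JSON-hijacking prefix
// discussed in this thread, shown from both sides of the HTTP exchange.
const ANTI_HIJACK_PREFIX = ")]}',";

// Constructed sample of an exported-personal-data payload (an object at the top level).
const SAMPLE_EXPORT = { username: "example-user", posts: [{ id: 1, text: "hello" }] };

// Server side: serialize a value and, following the rule in the update above,
// prepend the prefix (on its own line) only when the top level is an array.
// An object literal with quoted keys is already not a valid JavaScript
// statement, so it gains nothing from the prefix.
function protectJsonResponse(value) {
  const body = JSON.stringify(value);
  return Array.isArray(value) ? ANTI_HIJACK_PREFIX + "\n" + body : body;
}

// Client side (same origin, via fetch/XHR): accept both forms by stripping the
// prefix and the line break that follows it when present, then parse as JSON.
function parseProtectedJson(text) {
  const stripped = text.startsWith(ANTI_HIJACK_PREFIX)
    ? text.slice(ANTI_HIJACK_PREFIX.length).replace(/^\r?\n/, "")
    : text;
  return JSON.parse(stripped);
}

// Defender's check: would this body compile as a JavaScript program?
// A <script src=...> load on a third-party site has to pass this step before
// anything else can happen, so a body that fails it cannot be read that way.
// `new Function` only compiles the source; nothing is executed.
function isParsableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Round trip for the constructed sample: an object needs no prefix and still
// is not a valid script; an array gets the prefix, which makes it one too.
function demo() {
  const objectBody = protectJsonResponse(SAMPLE_EXPORT);
  const arrayBody = protectJsonResponse(SAMPLE_EXPORT.posts);
  return {
    objectHasPrefix: objectBody.startsWith(ANTI_HIJACK_PREFIX),
    arrayHasPrefix: arrayBody.startsWith(ANTI_HIJACK_PREFIX),
    objectIsScript: isParsableAsScript(objectBody),
    bareArrayIsScript: isParsableAsScript(JSON.stringify(SAMPLE_EXPORT.posts)),
    prefixedArrayIsScript: isParsableAsScript(arrayBody),
    roundTrip: parseProtectedJson(arrayBody),
  };
}
```

Running `demo()` shows the point of the update: the bare array body compiles as a script, while both the prefixed array body and the plain object body do not, so the prefix only changes the outcome for arrays.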