“Anti-XSS protection” by adding )]}' before ajax response

Question

Google plus returns ajax requests with )]}\' on first line. I heard it is protection against XSS. Are there any examples what and how could anyone do with this with

Answer 1

Here's my best guess as to what's happening here.

First off, there are other aspects of the google json format that aren't quite valid json. So, in addition to any protection purposes, they may be using this specific string to signal that the rest of the file is in google-json format and needs to be interpreted accordingly.

Using this convention also means that the data feed wont execute from a call from a script tag, nor by interpreting the javascript directly from an eval(). This ensures front end developers are passing the content through a parser, which will keep any implanted code from executing.

So to answer your question, there are two plausible attacks that this prevents, one cross-site through a script tag, but the more interesting on is within-site. Both attacks assume that:

1. a bug exists in how user data is escaped and
2. it is exploited in a way that allows an attacker to inject code into one of the data feeds.

As a simple example, lets say a user figured out how to take a string like example

["example"] 

and changed it to "];alert('example');

[""];alert('example');"]

Now if when that data shows up in another user's feed, the attacker can execute arbitrary code in the user's browser. Since it's within site, cookies are being sent to the server and the attacker could automate things like sharing posts or messaging people from the user's account.

In the Google scenario, these attacks won't work for a number of reasons. The first 5 characters will cause a javascript error before the attack code is run. Plus, since developers are forced to parse the code instead of accidentally running it through an eval, this practice will prevent code from being executed anyway.