
Looking at Firebug, Gmail sends GET requests that return something like:

while (true); &&&START&&&{"Success":true,"Body":{"Contacts":"[[,[,,\"83473f5sc6b17e0\",,[[,1,\"1\"]\n]\n[,,,[,,[,[,,,,,,,,,,,[[,1]\n
...
} &&&END&&&
  • What are these arrays? Are these some sort of RPC?
  • How are they consumed by the client code? More specifically, how would the Closure Library use them?
  • What is the advantage of this approach over plain json and REST?
ali

1 Answer


Looks like ordinary JSON, most likely a response to an RPC, but with the body encoded in some way (probably to reduce the size and therefore bandwidth usage). The `while (true);` bit is to avoid cross-site access to the data using a script tag pointing to the RPC endpoint: by crashing the script before it reaches the juicy private information, it can prevent evil sites from using the data. Parsing it instead would use JSON.parse or similar, after stripping off everything outside the start and end tags.

This kind of compressed encoding can be helpful if you are running a huge site like Gmail and have control over the client side. REST is, however, very useful for third-party developers, as it's easier to debug (and document!). The `while(true)` bits, however, are essential for any API that allows GET and carries sensitive data in the response.

bdonlan
  • How exactly does the `while(true)` help to avoid cross-site access to sensitive data? – Alex Objelean Jan 08 '12 at 09:57
  • The same question here: how does `while(true)` protect the sensitive data? The attacker can also parse the string. Also, why is `[,,,,,,]` used so excessively? – ali Jan 08 '12 at 15:14
  • 1
    The attacker cannot parse the string, due to the same-origin policy. They can only include it, as executable code, in the page - the infinite loop stops the data from being executed (at which point cleverly replacing the array/map constructors can net the attacker the data). As for the `[,,,,,,]`, I don't know. It's some kind of internal gmail encoding. You'd need to reverse-engineer gmail's javascript to find out. – bdonlan Jan 08 '12 at 19:23
  • 1
    Those `[,,,,,]` seem to be serialized protocol buffers using closure library, [here](http://www.google.com/codesearch#epIciakqvFc/trunk/closure/goog/proto2/pbliteserializer_test.html&q=,,,%20package:http://closure-library%5C.googlecode%5C.com&type=cs&l=116) is a test unit example. – ali Jan 08 '12 at 20:37