Is JSON hijacking the same as JSONP hijacking?
Maybe they are the same thing?
I debugged some of Facebook's internal endpoints and I found a weird response payload. It contains a for loop and a JSON blob. Why, and what could you do with this loop?
Endpoint:
https://www.facebook.com/ajax/bootloader-endpoint/?modules=PagesCometHeaderActionsMenuWrapper.react&__user=100015575597279&__a=1&__dyn=7AzHK4HwBgC265Q2m3m8GEnxenFw9uu2i5U4e2O14xtoK3q322aewXwnEboG4E6icwJwpUe8hw8u1_w5nCxS320LE36xOfwwwto88hwKx-8wgolzUOm0Z84a3aUS2G2CaCzU7W8wnolwBgK7qwpE31wLxG4UaoC9xy48aU8od8-Uqxy1qxi4UaEW1-xS6FobrwKxm5oe8aU&__csr=i-ABExfiGWDGZmGJ5ybF2krpA9OeahlWQhhebaFUwFqZ34Xy9nNydnV11KyVaiE8CBx7b5PPi4nqiu-QFBbmjO5BllBeLIgWDiGyGWx2-ZrG8VF39KuG8jyLb8hqyuHo-nluKAuG-iiboGuad_BAmiOCoB5ja4ohyHF3SEqzoRqHBxm8wNCxqagF3Q2KPVpcGWB8Qcc8Fabj9O3R8Z2ol1jBh5XBxhy8hhGh9A9gl8i4W8FGvzUybyXgnoBaEJyJUqz6VWHYyjC8qidAAQozTF27KjCxCb89aFEw89rJeFQEvG46kx8hpEz9HgEEACA9xumgN8C9l4xfxG48jx6q4XwOwXp8lCyUcoAwlo6S585O5F42e-ESuh28eovy826zU1io17ywA40lXDwNwgbhF8a1GAyp8R90Vwlokwj86a5UO1nymUd81Zo6y0aFw9hwAwiUkFotO3o2iZw0zNg0BJDxS05M8&__req=4b&__beoa=1&__pc=EXP2%3Acomet_pkg&dpr=1&__ccg=EXCELLENT&__rev=1002161314&__s=1230in%3Abrvifg%3Amzu1bs&__hsi=6830485538918903931-0&__comet_req=1&fb_dtsg_ag=AQwgOCcgcTnzy1lHrbQZrrvOi7cJxlEv9ZUjz_UIpjST3Q%3AAQzhkyxOruEzbCZ3LoN8vL-SCR6BlPZlbK4ENaGWHzZyhw&jazoest=28405&__spin_r=1002161314&__spin_b=trunk&__spin_t=1590346344
Example json:
for (;;);{"bootloadable":{"BanzaiODS":{"r":["csr:_4b_2"],"rds":{"m":["BanzaiODS","BanzaiScuba"]}},"FbtLogging":{"r":["csr:_4b_3"]},"Banzai":{"r":["csr:_4b_4"],"rds":{"m":["BanzaiODS","BanzaiScuba"]}},"BanzaiScuba":{"r":["csr:_4b_5"],"rds":{"m":["BanzaiODS","BanzaiScuba"]}...
It's a protection against JSON hijacking. The goal is to invalidate the JSON data in order to prevent this kind of attack.
You can find more information on JSON hijacking in the following links:
A presentation of JSON hijacking: https://dev.to/antogarand/why-facebooks-api-starts-with-a-for-loop-1eob
Is facebook suddenly safe against JSON hijacking?
Is JSON Hijacking still an issue in modern browsers?
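The answer above describes the purpose of the prefix but not how a legitimate same-origin caller deals with it. The following is an added example, not code from the original post or from Facebook: it shows a server helper that prepends the `for (;;);` guard, a client helper that strips it before `JSON.parse`, and a check that the raw body is deliberately not valid JSON. The sample body is constructed to resemble the payload in the question; the function names are assumptions for illustration.

```javascript
// Added example: handling a JSON body guarded with the "for (;;);" prefix.
// When such a body is loaded as a <script> by a third party, execution enters
// the infinite loop before the data is ever reached; a same-origin XHR/fetch
// caller instead treats the body as text and strips the prefix.

const ANTI_HIJACK_PREFIX = 'for (;;);';

// Constructed sample body, shaped like the payload quoted in the question.
const SAMPLE_BODY =
  'for (;;);{"bootloadable":{"BanzaiODS":{"r":["csr:_4b_2"],' +
  '"rds":{"m":["BanzaiODS","BanzaiScuba"]}}}}';

// Server side: serialise a value and put the guard in front of it.
function wrapWithAntiHijackPrefix(value) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(value);
}

// Client side: remove the guard if present and return the JSON text.
function stripAntiHijackPrefix(body) {
  return body.startsWith(ANTI_HIJACK_PREFIX)
    ? body.slice(ANTI_HIJACK_PREFIX.length)
    : body;
}

// Client side: parse a guarded (or unguarded) body into an object.
function parseProtectedJson(body) {
  return JSON.parse(stripAntiHijackPrefix(body));
}

// Sanity check for the protection: the raw body must NOT parse as JSON,
// otherwise the guard is missing and the endpoint is exposed again.
function rawBodyIsInvalidJson(body) {
  try {
    JSON.parse(body);
    return false;
  } catch (e) {
    return true;
  }
}

// Usage
const parsed = parseProtectedJson(SAMPLE_BODY);
console.log(rawBodyIsInvalidJson(SAMPLE_BODY)); // true
console.log(parsed.bootloadable.BanzaiODS.r);   // [ 'csr:_4b_2' ]
console.log(wrapWithAntiHijackPrefix({ ok: true }));
```

Note that the guard only helps because the client strips it knowingly; the protection is lost if the server ever serves the same data without the prefix on another endpoint.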
I had an application that is running with servlets. I want to test that application using REST services or Postman.
So, I want to know whether it could be possible to convert a servlet application's request and response into JSON for testing it with Postman or REST services.
If this is possible, how do I do this conversion?
Some context would be helpful. What does the request to your application look like?
You don't need to convert an application's request / response into JSON to use Postman. Postman is pretty flexible; you can send a variety of request content types to your application.
As far as whether or not this is possible, absolutely. If you want to convert your request & response objects to JSON, consider using something like Jackson. You can use the ObjectMapper of this tool to go from JSON to POJO & vice versa.
I have a REST API endpoint endpoint/action. The method is POST with JSON data in the request body. I have two headers for this:
Content-Type=application/json
Custom-Header={"object":{"id":"someId"}}
The object is deserialized during processing and the "someId" is used for other processes.
I was wondering if it is a good practice to send JSON strings/data in the HTTP header. I couldn't find anything in the HTTP header documentation.
One option would be just sending the "someId" and fetching the object using the id.
I have an issue trying to make a cross-domain AJAX request for a JSON file. I can reach the file using JSONP, but on the client side there is no JSONP response, and I have no control over changing that.
Is there a way to reach the file without cross-domain issues through a JSONP request, but then receive the response as JSON and parse it as JSON?
No, the response must be a function invocation. This is the basis of the JSONP convention. If you want access to some JSON data from your JSONP call, simply have the response invoke a function on your page, passing in the desired JSON data as a parameter.
I've modified my WebAPI to return JSONP, but how can I tell if it's really JSONP and not regular JSON? I understand that the "P" stands for Padding. Is there a physical, readable difference between JSON and JSONP?
JSONP will be in the form of this (returned by the server, of course):
"callbackFunction( { jsonSyntax } );"
JSONP is just JSON but with a callback JavaScript function wrapping it.
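The two answers above (the response must be a function invocation; JSONP is JSON wrapped in a callback) describe the shape of JSONP without showing it end to end. The following is an added example, not code from either answer or from any project: a server helper that builds the `callback(json);` response, a classifier that tells a JSONP body from a plain JSON body by that readable difference, and a simulated client that runs the response the way a `<script>` tag would and receives the data in its callback. The sample data, the callback name and the function names are constructed assumptions for illustration.

```javascript
// Added example: JSONP on both sides, plus a JSON-vs-JSONP classifier.

// Constructed sample payload.
const SAMPLE_DATA = { user: 'alice', roles: ['admin'] };

// Server side: only a plain (optionally dotted) identifier is accepted as the
// callback name, so the callback parameter cannot inject other script text
// into the response body.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function makeJsonpResponse(callbackName, data) {
  if (!CALLBACK_NAME.test(callbackName)) {
    throw new Error('invalid JSONP callback name');
  }
  // The JSONP convention: JSON passed as the argument of a function call.
  return `${callbackName}(${JSON.stringify(data)});`;
}

// Plain JSON response, for comparison: no callback wrapper at all.
function makeJsonResponse(data) {
  return JSON.stringify(data);
}

// The "physical, readable difference": JSONP is identifier( <valid JSON> );
// while plain JSON parses on its own. Anything else is reported as unknown.
function classifyResponse(body) {
  const m = /^\s*([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)\s*\(([\s\S]*)\)\s*;?\s*$/.exec(body);
  if (m) {
    try {
      JSON.parse(m[2]);
      return 'jsonp';
    } catch (e) {
      // call-like text whose argument is not JSON: fall through
    }
  }
  try {
    JSON.parse(body);
    return 'json';
  } catch (e) {
    return 'unknown';
  }
}

// Client side: a <script src=...> tag would execute the response with the
// callback in scope. Here that is simulated with the Function constructor,
// binding the named callback to a local function that captures the data.
function receiveJsonp(body, callbackName) {
  if (!/^[A-Za-z_$][\w$]*$/.test(callbackName)) {
    throw new Error('simulation only supports a simple callback name');
  }
  let received;
  const callback = (data) => { received = data; };
  new Function(callbackName, body)(callback);
  return received;
}

// Usage
const jsonp = makeJsonpResponse('handleData', SAMPLE_DATA);
console.log(jsonp);                              // handleData({"user":"alice","roles":["admin"]});
console.log(classifyResponse(jsonp));            // jsonp
console.log(classifyResponse(makeJsonResponse(SAMPLE_DATA))); // json
console.log(receiveJsonp(jsonp, 'handleData'));  // { user: 'alice', roles: [ 'admin' ] }
```

The classifier is a heuristic for inspecting bodies by eye or in a test harness; in a real client the distinction is fixed by how the request is made (`<script>` for JSONP, XHR/fetch for JSON), not by parsing the text.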