Web Security : Attacking AJAX - Observing Live AJAX Requests

1. Problem

Before you can test AJAX at all, you must be able to view the AJAX requests themselves. You want to see when the request happens, the URL that is requested, and any parameters in that request.

2. Solution

Beyond basic HTTP interception, there are more interesting ways to observe AJAX requests. Load your application where AJAX calls are used, and open Firebug.

In Firebug’s “Net” tab, you should see a list of all the requests issued after you browsed to the current page. If your application regularly triggers AJAX requests (e.g., on a timer), you should start to see them as additional requests in this tab. You may need to move the mouse over certain elements on the page to trigger requests. Figure 1 shows an example of using Firebug’s Net tab to observe XMLHttpRequests going to Google Maps.

Figure 1. Viewing underlying AJAX for Google maps


If you’re only interested in images, returned JavaScript, or raw XMLHttpRequest results, you may filter by those options on the second menu bar. By clicking on any of the individual requests, you can observe the request parameters, the HTTP headers, and the response from the server. By viewing these requests, you can enumerate all the various parameters and URLs your app uses for AJAX functionality.
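The same enumeration can be done from the browser's own console instead of the Net tab. The snippet below is an added example, not code from the book: it hooks an XMLHttpRequest-compatible class so that every AJAX call the page issues is recorded with method, path, query parameters and form-encoded body fields. The stub class, the `installXhrLogger`/`summarizeRequest`/`uniqueEndpoints` names and the sample URLs are all constructed for the example; in a browser you would pass `window.XMLHttpRequest` instead of the stub.

```javascript
// Added example (not from the book): hook an XMLHttpRequest-compatible class so
// every AJAX call is recorded with the facts the Firebug Net tab shows: method,
// path, query parameters and form-encoded body fields. Runs offline via a stub.
function installXhrLogger(XhrClass, log) {
  const proto = XhrClass.prototype;
  const origOpen = proto.open;
  const origSend = proto.send;
  proto.open = function (method, url, ...rest) {
    // Remember open()'s arguments so send() can log the complete request.
    this._observed = { method: String(method).toUpperCase(), url: String(url) };
    return origOpen.call(this, method, url, ...rest);
  };
  proto.send = function (body) {
    log.push(summarizeRequest(this._observed, body));
    return origSend.call(this, body);
  };
}

// Flatten one request into the inputs the server actually receives: each
// query-string key plus each form-encoded body key (JSON bodies are kept raw).
function summarizeRequest(observed, body) {
  const parsed = new URL(observed.url, 'http://placeholder.invalid/'); // base only resolves relative URLs
  const params = {};
  parsed.searchParams.forEach((v, k) => { params[k] = v; });
  let rawBody = null;
  if (typeof body === 'string' && body.length > 0) {
    if (/^[\[{]/.test(body.trim())) rawBody = body;
    else new URLSearchParams(body).forEach((v, k) => { params[k] = v; });
  }
  return { method: observed.method, path: parsed.pathname, params, rawBody };
}

// Distinct "METHOD path" pairs seen so far: the endpoint inventory a tester builds.
function uniqueEndpoints(log) {
  return [...new Set(log.map((e) => `${e.method} ${e.path}`))].sort();
}

// Constructed stub with the two methods we hook; it performs no network I/O.
class StubXhr { open() {} send() {} }

const observed = [];
installXhrLogger(StubXhr, observed);
const r1 = new StubXhr();
r1.open('get', '/maps/tiles?x=12&y=34&zoom=10'); // constructed sample, not a real Google Maps URL
r1.send();
const r2 = new StubXhr();
r2.open('POST', 'https://app.invalid/search');
r2.send('q=coffee&page=2');
console.log(uniqueEndpoints(observed));
```

Because the hook sits on the prototype, it catches requests made by any script on the page, including those fired on timers or mouse movement that are easy to miss while watching the Net tab.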

3. Discussion

When security experts discuss AJAX-related functionality, the one line you’ll hear over and over again is: “AJAX increases the application’s surface area.” This means there is an increased number of requests, parameters, or inputs where an attacker might sneak something in.

One aspect that is rarely discussed is that increased surface area can be of benefit to testers. Yes, the application’s JavaScript is laid bare for attackers to peruse. This also means that there is no excuse to limit oneself to black-box AJAX testing. When each AJAX request can be traced back to the individual line of JavaScript, testers have access to a wealth of information. You can see how the request is formulated—where it pulls data from, how it serializes it, transforms it, and sends it. You can see the logic driving the selection of data and how that logic might be used.

It’s not enough to just enumerate the requests and parameters and try difficult combinations. Now much more application functionality is exposed. In order to do web application testing right, one must understand the underlying logic. Even if your situation doesn’t allow you access to the raw source code, accessing the JavaScript is one way to peek inside.
