1. Problem
Before you can test AJAX at all, you must be able to view the AJAX
requests themselves. You want to see when the request happens, the URL
that is requested, and any parameters in that request.
2. Solution
Beyond basic HTTP interception, there are
more interesting ways to observe AJAX requests. Load your application
where AJAX calls are used, and open Firebug.
In Firebug’s “Net” tab, you should see a list of all the requests
issued after you browsed to the current page. If your application
regularly triggers AJAX requests (e.g., on a timer), you should start to
see them as additional requests in this tab. You may need to move the
mouse over certain elements on the page to trigger requests. Figure 1
shows an example of using Firebug’s Net tab to observe XMLHttpRequests
going to Google Maps.
If you’re only interested in images, returned JavaScript, or raw
XMLHttpRequest results, you may
filter by those options on the second menu bar. By clicking on any of the
individual requests, you can observe the request parameters, the HTTP
headers, and the response from the server. By viewing these requests,
you can enumerate all the various parameters and URLs your app uses for
AJAX functionality.
3. Discussion
When security experts discuss AJAX-related functionality, the one
line you’ll hear over and over again is: “AJAX increases the
application’s surface area.” This means there is an increased number of
requests, parameters, or inputs where an attacker might sneak something
in.
One aspect that is rarely discussed is that increased surface area
can be of benefit to testers. Yes, the application’s JavaScript is laid
bare for attackers to peruse. This also means that there is no excuse to
limit oneself to black-box AJAX testing. When each AJAX request can be
traced back to the individual line of JavaScript, testers have access to
a wealth of information. You can see how the request is formulated—where
it pulls data from, how it serializes it, transforms it, and sends it.
You can see the logic driving the selection of data and how that logic
might be used.
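The same enumeration the Net tab gives you (URL, parameters, and which line of JavaScript issued the request) can be captured from inside the page. The following observer is an added example, not code from the book: it wraps XMLHttpRequest so each request is logged with its method, URL, query and body parameters, and a stack trace; the property names `_obs`, `ajaxLog` and the stub constructor used when running it outside a browser are this example's own choices.

```javascript
// Added example (not from the book): wrap XMLHttpRequest so every AJAX request
// a page issues is recorded with method, URL, query/body parameters and a stack
// trace back to the JavaScript line that sent it. Node has no XMLHttpRequest,
// so outside a browser pass in a constructed stub constructor.

// Percent-decoding that never throws on malformed input; '+' means space.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch { return s; }
}

// Split a query string or form-encoded body into a name -> value map.
function parseParams(str) {
  const out = {};
  for (const pair of (str || '').replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    out[safeDecode(eq === -1 ? pair : pair.slice(0, eq))] =
      safeDecode(eq === -1 ? '' : pair.slice(eq + 1));
  }
  return out;
}

// Request body: JSON when it parses as JSON, otherwise form encoding.
function parseBody(body) {
  if (typeof body !== 'string' || body === '') return {};
  try { return JSON.parse(body); } catch { return parseParams(body); }
}

// Patch open()/send() on the constructor's prototype; each send() appends one record to `log`.
function instrumentXHR(XHR, log = []) {
  const origOpen = XHR.prototype.open, origSend = XHR.prototype.send;
  XHR.prototype.open = function (method, url, ...rest) {
    const u = String(url), q = u.indexOf('?');
    this._obs = {
      method: String(method).toUpperCase(),
      url: q === -1 ? u : u.slice(0, q),
      query: parseParams(q === -1 ? '' : u.slice(q + 1)),
      body: {},
      stack: new Error().stack, // the page's calling line is a few frames up
    };
    return origOpen.call(this, method, url, ...rest);
  };
  XHR.prototype.send = function (body) {
    if (this._obs) { this._obs.body = parseBody(body); log.push(this._obs); }
    return origSend.call(this, body);
  };
  return log;
}
// Pasted into a browser console, this instruments the real constructor.
if (typeof XMLHttpRequest !== 'undefined') window.ajaxLog = instrumentXHR(XMLHttpRequest);
```

Once installed, `ajaxLog` holds one record per request, so the parameter list the Solution gathers by hand from the Net tab is available as data, and each record's stack shows which script line built the request.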
It’s not enough to just enumerate the requests and parameters and
try difficult combinations. Now much more application functionality is
exposed. In order to do web application testing right, one must
understand the underlying logic. Even if your situation doesn’t allow
you access to the raw source code, accessing the JavaScript is one way
to peek inside.