Web Security : Attacking AJAX - Observing Live AJAX Requests

8/30/2012 2:42:46 AM

1. Problem

Before you can test AJAX at all, you must be able to view the AJAX requests themselves. You want to see when the request happens, the URL that is requested, and any parameters in that request.

2. Solution

Beyond basic HTTP interception, there are more interesting ways to observe AJAX requests. Load your application where AJAX calls are used, and open Firebug.

In Firebug’s “Net” tab, you should see a list of all the requests issued after you browsed to the current page. If your application regularly triggers AJAX requests (e.g., on a timer), you should start to see them as additional requests in this tab. You may need to move the mouse over certain elements on the page to trigger requests. Figure 1 shows an example of using Firebug’s Net tab to observe XMLHttpRequests going to Google Maps.

Figure 1. Viewing underlying AJAX for Google maps

If you’re only interested in images, returned JavaScript, or raw XMLHttpRequest results, you may filter by those options on the second menu bar. By clicking on any of the individual requests, you can observe the request parameters, the HTTP headers, and the response from the server. By viewing these requests, you can enumerate all the various parameters and URLs your app uses for AJAX functionality.
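A complementary way to watch the same traffic from inside the page, as an added example that is not part of the original post: hook XMLHttpRequest in the browser console so each request is recorded with its method, URL, query parameters, body and the script stack that issued it (which is how a request is traced back to the line of JavaScript, as the discussion below notes). The `FakeXhr` class, the `/tiles?...` URL and the function names are constructed for the example; in a real page you would pass `window.XMLHttpRequest` to `observeXhr`.

```javascript
function parseQuery(url) {
  // Split a URL's query string into a {name: value} object.
  const params = {};
  const q = url.indexOf('?');
  if (q === -1) return params;
  for (const pair of url.slice(q + 1).split('&')) {
    if (!pair) continue;
    const [k, v = ''] = pair.split('=');
    params[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, ' '));
  }
  return params;
}

function observeXhr(XhrCtor, sink) {
  // Wrap open() and send() on the prototype so every request is logged; call once.
  const log = [];
  const proto = XhrCtor.prototype;
  const origOpen = proto.open;
  const origSend = proto.send;
  proto.open = function (method, url, ...rest) {
    this.__observed = { method: String(method).toUpperCase(), url: String(url) };
    return origOpen.call(this, method, url, ...rest);
  };
  proto.send = function (body) {
    const o = this.__observed || { method: '?', url: '' }; // send() without open()
    const entry = Object.assign({}, o, {
      params: parseQuery(o.url),
      body: body == null ? null : String(body),
      stack: new Error().stack, // traces the request back to the issuing script line
    });
    log.push(entry);
    if (sink) sink(entry);
    return origSend.call(this, body);
  };
  return log;
}

// Constructed stand-in for XMLHttpRequest so the example runs outside a browser.
class FakeXhr {
  open(method, url) { this.opened = [method, url]; }
  send(body) { this.sent = body; }
}

function demo() {
  const log = observeXhr(FakeXhr, (e) => console.log(e.method, e.url, e.params));
  const x = new FakeXhr();
  x.open('get', '/tiles?x=1&y=2&z=3&layer=map'); // constructed sample request
  x.send(null);
  return { log, opened: x.opened, sent: x.sent };
}
```

Because the wrappers sit on the prototype, requests issued by third-party libraries on the page are captured too, not only those your own code makes.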

3. Discussion

When security experts discuss AJAX-related functionality, the one line you’ll hear over and over again is: “AJAX increases the application’s surface area.” This means there is an increased number of requests, parameters, or inputs where an attacker might sneak something in.

One aspect that is rarely discussed is that increased surface area can be of benefit to testers. Yes, the application’s JavaScript is laid bare for attackers to peruse. This also means that there is no excuse to limit oneself to black-box AJAX testing. When each AJAX request can be traced back to the individual line of JavaScript, testers have access to a wealth of information. You can see how the request is formulated—where it pulls data from, how it serializes it, transforms it, and sends it. You can see the logic driving the selection of data and how that logic might be used.

It’s not enough to just enumerate the requests and parameters and try difficult combinations. Now much more application functionality is exposed. In order to do web application testing right, one must understand the underlying logic. Even if your situation doesn’t allow you access to the raw source code, accessing the JavaScript is one way to peek inside.
