
Web Security Testing Cookbook by Ben Walther, Paco Hope


Chapter 10. Attacking AJAX

A distributed system is one in which the failure of a computer you didn’t even know existed can render your own computer unusable.

Leslie Lamport

AJAX stands for Asynchronous JavaScript and XML, and it is one of the cornerstone technologies of what is called “Web 2.0.” The distinction between Web 2.0 and Web 1.0 is clear when you look at how the application interacts with the user. Web 1.0 applications were simple. You had some really basic building blocks: links and forms. You clicked on links and you filled in forms. By clicking either the link or the Submit button, you sent a set of inputs to the application, and it returned a response. Web 2.0 applications are more interactive, and the whole screen does not change when you click a button. Instead, they can make small requests autonomously and asynchronously to the server and then update part of a page without refreshing the whole thing. The JavaScript running inside a web page can decide, for any number of reasons, that it needs data and can request it without your clicking anything.

A trivial example application of AJAX is a running stock ticker. Every 30 seconds, whether you click anything or not, it updates the current stock price on a part of your web page. Another example is an events calendar that reacts to the mouse hovering over a date, rather than clicking the date. As the mouse moves over a date (the onFocus event), the JavaScript in the web page ...
