Chapter 10. Attacking AJAX
A distributed system is one in which the failure of a computer you didn’t even know existed can render your own computer unusable.
AJAX stands for Asynchronous JavaScript and XML and it represents one of the cornerstone technologies in what is called “Web 2.0.” The distinction between Web 2.0 and Web 1.0 is pretty clear when you look at the interaction between the application and the user. Web 1.0 applications were pretty simple. You had some really basic building blocks: links and forms. You clicked on links and you filled in forms. By either clicking the link or clicking the Submit button, you sent a bunch of inputs to the application and it returned a response. Web 2.0 applications are more interactive, and you don’t see the whole screen change because you click a button. Instead, they can make small requests autonomously and asynchronously to the server and then update part of a page without refreshing the whole thing. The JavaScript running inside a web page can decide—for any number of reasons—that it needs data and can request it without your clicking anything.
A trivial example application of AJAX is a running stock ticker. Every
30 seconds, whether you click anything or not, it updates the current stock
price on a part of your web page. Another example is an events calendar that
reacts to the mouse hovering over a date, rather than clicking the date. As
the mouse moves over a date (the onFocus
event), the JavaScript in the web page ...
Get Web Security Testing Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.