| Forums.Sureshkumar.net : A Perfect Place to Share Knowledge Blogs Games Magazines |
#1 (permalink) |
|
Moderator
Join Date: Jun 2006
Location: India
Posts: 960
|
Hi All,
Google Suggest and Google Maps [ref 1] are some of the notable early adopters of Ajax. Companies are now thinking of how they too can leverage it, web developers are trying to learn it, security professionals are thinking of how to secure it, and penetration testers are thinking of how to hack it.
Regards, wizkid
__________________
"WHEN GOING GETS TOUGH, ONLY THE TOUGH GETS GOING"
#2 (permalink) |
|
Moderator
Join Date: Apr 2006
Location: India
Posts: 1,733
|
While testing a regular web application, a penetration tester starts by footprinting the application. The intent of the footprint phase is to capture the requests and responses so that the tester understands how the application communicates with the server and the responses it receives.
The information is logged through local proxies such as Burp. It is important to be as complete as possible during the footprint phase so that the tester logs requests to all pages used by the application. After that step, the tester will start the process of methodical fault injection, either manually or using automated tools, to test parameters that are passed to and from the web server.
Ajax complicates this methodology because of its asynchronous nature. Ajax applications are typically noisier when compared to regular web applications. An application may make multiple requests in the background even when it appears to be static to a user.
A tester has to be aware of several situations which might cause difficulties with the application testing process:
- The issue of "state"
- Requests initiated through timer events
- Dynamic DOM updates
- XML Fuzzing
The tester has to ensure that developers have not deviated from a secure architecture.
| The Following User Says Thank You to vjsreevs For This Useful Post: |
AjayKumar.Kataram (25-10-08)
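An added example, not part of the thread or any poster's code: one way to support the footprint phase described in post #2 is to classify logged proxy traffic so that timer-driven background requests are separated from page loads and user-triggered Ajax calls. The log entries, the app.example host, the function name and the use of an X-Requested-With header to mark Ajax calls (sent by many Ajax libraries, not all) are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log: (seconds since capture start, method, URL, X-Requested-With)
SAMPLE_LOG = [
    (0.0, "GET", "http://app.example/inbox", None),
    (1.2, "GET", "http://app.example/api/unread?since=0", "XMLHttpRequest"),
    (4.8, "POST", "http://app.example/api/search", "XMLHttpRequest"),
    (11.2, "GET", "http://app.example/api/unread?since=1", "XMLHttpRequest"),
    (21.3, "GET", "http://app.example/api/unread?since=2", "XMLHttpRequest"),
    (27.9, "POST", "http://app.example/api/search", "XMLHttpRequest"),
    (31.2, "GET", "http://app.example/api/unread?since=3", "XMLHttpRequest"),
    (33.0, "POST", "http://app.example/api/save", "XMLHttpRequest"),
]

def footprint(log, min_hits=3, max_jitter=0.15):
    """Group logged requests by (method, path) and classify each endpoint.

    kind is "page" (no Ajax marker), "timer" (evenly spaced background
    calls) or "event" (Ajax calls with no regular spacing).
    """
    groups = defaultdict(list)
    for ts, method, url, xrw in log:
        parts = urlsplit(url)
        groups[(method, parts.path)].append((ts, parts.query, xrw))

    report = {}
    for endpoint, hits in groups.items():
        times = sorted(ts for ts, _, _ in hits)
        gaps = [b - a for a, b in zip(times, times[1:])]
        ajax = any(xrw == "XMLHttpRequest" for _, _, xrw in hits)
        # Parameter names seen on this endpoint: the inputs still to be tested.
        params = sorted({pair.split("=", 1)[0]
                         for _, query, _ in hits
                         for pair in query.split("&") if pair})
        kind, interval = ("event" if ajax else "page"), None
        if ajax and len(hits) >= min_hits and len(gaps) >= 2:
            avg = mean(gaps)
            # Low relative spread of the gaps means a regular timer.
            if avg > 0 and pstdev(gaps) / avg <= max_jitter:
                kind, interval = "timer", round(avg, 1)
        report[endpoint] = {"hits": len(hits), "ajax": ajax, "params": params,
                            "kind": kind, "interval": interval}
    return report
```

Endpoints reported as "timer" keep firing while the page looks static, so they need to be covered in the footprint even though no user action triggers them.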
#3 (permalink) |
|
Moderator
Join Date: Aug 2006
Location: Hyderabad,India
Age: 29
Posts: 5,533
|
Re: AJAX SECURITY
nice info...
__________________
Bow to Shri Sai - Peace be to all. Ajay Kataram. Visit my blog: http://wwwajaykataram.blogspot.com/