| | #1 (permalink) |
| Moderator Join Date: Jun 2006 Location: India
Posts: 960
Thanks: 0
Thanked 38 Times in 33 Posts
Rep Power: 17 | Hi All, Google Suggest and Google Maps [ref 1] are some of the notable early adopters of Ajax. Companies are now thinking of how they too can leverage it, web developers are trying to learn it, security professionals are thinking of how to secure it, and penetration testers are thinking of how to hack it.
reg wizkid
__________________ "WHEN GOING GETS TOUGH, ONLY THE TOUGH GETS GOING" |
| | |
| | #2 (permalink) |
| Moderator Join Date: Apr 2006 Location: India
Posts: 1,732
Thanks: 2
Thanked 204 Times in 167 Posts
Rep Power: 38 | While testing a regular web application, a penetration tester starts by footprinting the application. The intent of the footprint phase is to capture the requests and responses so that the tester understands how the application communicates with the server and the responses it receives. The information is logged through local proxies such as Burp. It is important to be as complete as possible during the footprint phase so that the tester logs requests to all pages used by the application. After that step, the tester will start the process of methodical fault injection, either manually or using automated tools, to test parameters that are passed to and from the web server.

Ajax complicates this methodology because of its asynchronous nature. Ajax applications are typically noisier when compared to regular web applications. An application may make multiple requests in the background even when it appears to be static to a user. A tester has to be aware of several situations which might cause difficulties with the application testing process.

- The issue of "state"
- Requests initiated through timer events
- Dynamic DOM updates
- XML Fuzzing

The tester has to ensure that developers have not deviated from a secure architecture. |
| | |
| The Following User Says Thank You to vjsreevs For This Useful Post: | AjayKumar.Kataram (25-10-08)
|
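The footprint-coverage problem described in post #2, as an added example that is not part of either original post: it builds an endpoint inventory from a proxy capture and flags endpoints requested at near-constant intervals, which are likely timer-driven background calls. The capture records, the `app.example` host, the function names and the use of the `X-Requested-With` header (set by many Ajax libraries, not by all) are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit, parse_qsl

# Constructed sample capture: (seconds since start, method, URL, X-Requested-With header)
CAPTURE = [
    (0.0,  "GET",  "http://app.example/inbox", None),
    (0.4,  "GET",  "http://app.example/api/unread?folder=inbox", "XMLHttpRequest"),
    (5.4,  "GET",  "http://app.example/api/unread?folder=inbox", "XMLHttpRequest"),
    (10.5, "GET",  "http://app.example/api/unread?folder=inbox", "XMLHttpRequest"),
    (12.1, "POST", "http://app.example/api/suggest?q=a", "XMLHttpRequest"),
    (12.3, "POST", "http://app.example/api/suggest?q=aj", "XMLHttpRequest"),
    (15.4, "GET",  "http://app.example/api/unread?folder=inbox", "XMLHttpRequest"),
    (19.0, "POST", "http://app.example/api/suggest?q=aja", "XMLHttpRequest"),
]

def inventory(capture):
    """Group requests by (method, path); keep parameter names, timestamps, XHR flag."""
    eps = defaultdict(lambda: {"params": set(), "times": [], "xhr": False})
    for ts, method, url, requested_with in capture:
        parts = urlsplit(url)
        entry = eps[(method, parts.path)]
        entry["params"].update(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
        entry["times"].append(ts)
        entry["xhr"] = entry["xhr"] or requested_with == "XMLHttpRequest"
    return eps

def timer_driven(eps, min_hits=3, jitter=0.1):
    """Return endpoints whose request gaps vary by at most `jitter` of the mean gap."""
    found = {}
    for key, entry in eps.items():
        times = sorted(entry["times"])
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Too few hits cannot establish a period; user-driven calls have irregular gaps.
        if len(times) >= min_hits and pstdev(gaps) <= jitter * mean(gaps):
            found[key] = round(mean(gaps), 1)
    return found

if __name__ == "__main__":
    eps = inventory(CAPTURE)
    polled = timer_driven(eps)
    for (method, path), entry in sorted(eps.items()):
        kind = "xhr" if entry["xhr"] else "page"
        period = f" polled every ~{polled[(method, path)]}s" if (method, path) in polled else ""
        print(f"{method:4} {path:14} {kind:4} params={sorted(entry['params'])}{period}")
```

Endpoints flagged as polled need to be in the test plan even though no user action triggers them, and a capture shorter than a few polling periods will not reveal them.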