Page 274

Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"


From an attacker's perspective, it is key to understand what technologies are being
used to send data upstream and downstream on the wire in order to attack an application successfully.
For example, if the attacker is attempting to perform a cross-site scripting (XSS)
attack, the difference between traffic being sent to the client in a name-value format
versus a JavaScript Object Notation (JSON) format can significantly change how the
attack will need to be performed. Luckily for an attacker, while some applications communicate
in their own proprietary format, a large percentage of AJAX applications use
one of the following technologies in their downstream or upstream communication.
Downstream Traffic
The communication sent from the server to the client is referred to as downstream traffic.
While the majority of traffic sent downstream will be HTML and images, the traffic containing
the results of client calls to server methods is what an attacker studies
to learn how to attack the application. The results can be sent in any
format, but they are often sent in one of the several formats described here.
XML
In traditional AJAX applications, the technology of choice for downstream data was
XML because of the XML parsing capability built into the browser.
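The defensive counterpart of the point above: because the downstream format decides which characters let injected data break out of its context, the server must encode per format. This is an added example, not code from the book; the untrusted string, the `comment` field name and the `<response>` envelope are constructed for illustration.

```javascript
// Added example (not from the book): one untrusted value serialised for the
// three downstream formats the chapter lists, encoded so it cannot escape its
// context, then parsed back the way a browser-side client would.

// Constructed sample of attacker-controlled data stored by the application.
const UNTRUSTED = '</script><img src=x onerror=alert(1)>"&\u2028';

// JSON: JSON.stringify escapes quotes and control characters; additionally
// escape <, >, & and U+2028/2029 so the result is safe both for JSON.parse
// and when embedded inline in a <script> block.
function encodeForJson(obj) {
  return JSON.stringify(obj).replace(/[<>&\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// XML: escape the five XML metacharacters so the browser's XML parser yields
// a text node instead of new elements or attributes.
function encodeForXml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
  return str.replace(/[&<>"']/g, (c) => map[c]);
}

// Name-value (x-www-form-urlencoded style): percent-encode so '=' and '&'
// inside a value cannot inject additional pairs.
function encodeNameValue(pairs) {
  return Object.entries(pairs)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .join('&');
}

function buildDownstream(value) {
  return {
    json: encodeForJson({ comment: value }),
    xml: '<response><comment>' + encodeForXml(value) + '</comment></response>',
    nameValue: encodeNameValue({ comment: value }),
  };
}

// Client-side consumption: JSON.parse (never eval) and URLSearchParams must
// recover the original value, while no raw angle brackets reach the wire
// inside the encoded value itself.
function verify(value) {
  const d = buildDownstream(value);
  return {
    jsonRoundTrip: JSON.parse(d.json).comment === value,
    nameValueRoundTrip: new URLSearchParams(d.nameValue).get('comment') === value,
    noRawBrackets: !/[<>]/.test(d.json) && !/[<>]/.test(encodeForXml(value))
      && !/[<>]/.test(d.nameValue),
  };
}
```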

