Recently, however, usage of XML as a downstream option has dropped off significantly, because it is often a heavy structure for simple data. For example, if a server merely sends an integer result down to the client, a fully formatted XML message still has to be constructed, so a large amount of superfluous data is sent to the client. Following is an example of a client calling a zip code lookup method on the server, with the server returning data in XML format. Here's the client request:
GET http://www.example.com/zipcode_lookup.jsp?city=seattle
And here's the server response:
98101
98102
Full JavaScript
Another technique from early AJAX applications is to send full JavaScript down to the client. In almost all cases, the client then wraps the JavaScript sent from the server directly in an eval(), which immediately executes the code. This option can often be the attacker's best friend, as any code an attacker manages to inject will be immediately eval()'ed.
Chapter 6: AJAX Types, Discovery, and Parameter Manipulation 149
Here's an example of a client calling a zip code lookup method on the server, with the server returning full JavaScript, which will be executed in an eval() on the client. Here's the client request:
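The contrast above (a response executed via eval() versus a response treated as data) as an added example that is not from the book; the response bodies, function names and the __sideEffect marker are constructed for illustration.

```javascript
// Added example (not from the book): the two client-side response styles
// discussed above, fed with constructed sample response bodies.

// Legacy pattern: the response body is executed directly. Anything that
// parses as JavaScript runs with the page's privileges, data and code alike.
function parseZipResponseLegacy(body) {
  // Indirect eval, so the body runs in global scope as an early AJAX client would.
  return (0, eval)(body);
}

// Hardened pattern: the body is treated as data only. JSON.parse never
// executes code, and the shape is validated before the result is used.
const ZIP_RE = /^\d{5}$/;
function parseZipResponseSafe(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    throw new Error("response is not valid JSON");
  }
  const ok = Array.isArray(parsed) &&
    parsed.every((z) => typeof z === "string" && ZIP_RE.test(z));
  if (!ok) throw new Error("response does not match expected schema");
  return parsed;
}

// Constructed sample bodies (hypothetical, not from the original page).
const GOOD_BODY = '["98101","98102"]';
// Valid JavaScript but not JSON: a comma expression with a side effect
// that still yields an expected-looking array as its value.
const TAMPERED_BODY = '(globalThis.__sideEffect = "code ran", ["98101"])';

// Runs both handlers over both bodies and collects what each one produced.
function demo() {
  const results = {};
  results.legacyGood = parseZipResponseLegacy(GOOD_BODY);
  results.legacyTampered = parseZipResponseLegacy(TAMPERED_BODY);
  results.sideEffect = globalThis.__sideEffect; // set by eval(): "code ran"
  results.safeGood = parseZipResponseSafe(GOOD_BODY);
  try {
    parseZipResponseSafe(TAMPERED_BODY);
    results.safeTampered = "accepted";
  } catch (e) {
    results.safeTampered = "rejected: " + e.message;
  }
  return results;
}
```

The legacy handler returns the array for both bodies and silently runs the extra code; the hardened handler accepts only the plain JSON body.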