In this example, the client is calling the method getPeople. Note how the many question marks in the example show the number of unprintable characters used in GWT's custom serialization.
1?0?4?java.lang.String/2004016611?com.google.gwt.sample.dynatable.client.SchoolCalendarService?getPeople?I?+0?1?+0?2?2?+0?3?+0?3?0?15?
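The following decoder is an added example, not code from the book or from GWT itself: it splits a GWT-RPC request like the one above into its header, string table and remaining tokens, the way a logging or inspection proxy would need to in order to record which service method a client invoked. The separator is passed in as a parameter; the constructed sample uses "?" only because that is how the book renders the unprintable separator character, and the tail tokens after the string table are kept raw rather than decoded.

```python
# Added example: minimal parser for the GWT-RPC request stream shown above.
# Assumptions: tokens are separated by a single separator character passed in by
# the caller (here "?" as a stand-in for GWT's unprintable separator); the stream
# begins with version, flags and string-table size, followed by that many strings.
from dataclasses import dataclass, field
from typing import List

# Constructed sample, copied from the request above with "?" as the separator.
SAMPLE = (
    "1?0?4?java.lang.String/2004016611?"
    "com.google.gwt.sample.dynatable.client.SchoolCalendarService?"
    "getPeople?I?+0?1?+0?2?2?+0?3?+0?3?0?15?"
)


@dataclass
class GwtRpcRequest:
    version: int
    flags: int
    string_table: List[str]          # type names, service interface, method, ...
    payload: List[str] = field(default_factory=list)  # trailing tokens, undecoded


def parse_gwt_rpc(body: str, sep: str) -> GwtRpcRequest:
    """Parse the header and string table of a GWT-RPC request body.

    The declared string-table size is validated against the tokens actually
    present so a truncated or tampered stream raises instead of mis-parsing.
    """
    if not body.endswith(sep):
        raise ValueError("stream does not end with the separator; truncated?")
    tokens = body[:-len(sep)].split(sep)
    if len(tokens) < 3:
        raise ValueError("stream too short for version/flags/table-size header")
    try:
        version, flags, count = (int(t) for t in tokens[:3])
    except ValueError as exc:
        raise ValueError(f"non-numeric header fields: {tokens[:3]}") from exc
    if count < 0 or len(tokens) - 3 < count:
        raise ValueError(
            f"string table declares {count} entries, only {len(tokens) - 3} present"
        )
    strings = tokens[3:3 + count]
    return GwtRpcRequest(version, flags, strings, tokens[3 + count:])


if __name__ == "__main__":
    req = parse_gwt_rpc(SAMPLE, "?")
    print(req.version, req.flags, req.string_table, req.payload)
```

With the sample above the string table comes out as the String type name, the SchoolCalendarService interface, the method name getPeople and the type I, which is the information a defender wants in a request log.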
AJAX Toolkit Wrap-Up
AJAX has significantly changed the ways in which applications appear on the wire. Web applications are no longer bound to set formats such as name-value pairs or HTML for communicating with clients. A successful attacker must now be concerned with understanding both the downstream and upstream ways a client communicates with a target application, as this will affect the outcome of any potential attack.
Chapter 6: AJAX Types, Discovery, and Parameter Manipulation 153
FRAMEWORK METHOD DISCOVERY
Before an attacker can attack a web application, he must discover what publicly available methods the web application exposes. Once the attacker obtains a full list of the methods an application exposes, targeted attacks against the application can begin.

In the Web 1.0 world, this process was often long and error-prone, because to fully map the methods exposed by the application, every corner of the application had to be explored.