1. Install and run an intercepting web proxy, which allows the user to modify
requests before they are sent to the server as well as responses from the server
before they are received. In this example, OWASP WebScarab is used as the
intercepting web proxy (www.owasp.org/index.php/Category:OWASP_WebScarab_Project).
Several other free web proxies are often used and worth
mentioning, such as Paros (www.parosproxy.org/index.shtml) and BurpProxy
(www.portswigger.net/proxy).
2. Point the web browser at WebScarab, which will be running on the localhost at
port 8008 by default. See Figure 6-1.
Figure 6-1 The browser configuration process
Chapter 6: AJAX Types, Discovery, and Parameter Manipulation 157
3. Connect to the target site and look for files that can identify the framework in
use. For example, in the case of DWR, look for URLs containing JavaScript files
being served from a /dwr/. See Figure 6-2.
4. Once the framework has been identified, perform method discovery by
opening files that likely contain a full list of methods. In this case, the
JavaScript file being served from the /dwr/ directory is the likely choice.
Sure enough, once the Chat.js file is double-clicked and opened, the Chat
.
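The method discovery in step 4 works because a DWR interface script is essentially a self-describing inventory of every server-side method that has been exported to the browser. The same inventory is useful from the defender's side: a developer can parse the scripts the application actually serves and compare the bindings against the list of methods that were reviewed and meant to be public. The following script is an added example, not code from the book or from the DWR project; the sample interface file is constructed here to mimic the `dwr.engine._execute` binding format of DWR-generated scripts (an assumption about that format, not something the text states), and the `Chat` method names beyond the file name are made up for illustration.

```python
"""Inventory the remote methods a DWR-style interface script exposes.

Added example (not from the book). A DWR interface script binds one
client-side function per exported server method, each calling
dwr.engine._execute(<path>, '<Class>', '<method>', ...). Listing those
bindings shows exactly what is reachable from the browser, which can
then be diffed against an allowlist of methods intended to be public.
"""
import re

# Constructed sample modelled on a DWR-generated interface script.
# The format and the method names are assumptions for this example.
SAMPLE_CHAT_JS = """\
if (Chat == null) var Chat = {};
Chat._path = '/dwr';
Chat.addMessage = function(p0, callback) {
  dwr.engine._execute(Chat._path, 'Chat', 'addMessage', p0, callback);
}
Chat.getMessages = function(callback) {
  dwr.engine._execute(Chat._path, 'Chat', 'getMessages', callback);
}
Chat.deleteAllMessages = function(callback) {
  dwr.engine._execute(Chat._path, 'Chat', 'deleteAllMessages', callback);
}
"""

# Matches dwr.engine._execute(<path>, '<Class>', '<method>', ...) and
# captures the class and method names.
_EXECUTE_RE = re.compile(
    r"dwr\.engine\._execute\(\s*[^,]+,\s*'([^']+)',\s*'([^']+)'"
)


def list_remote_methods(script_text):
    """Return (class, method) pairs bound in the script, in file order, without duplicates."""
    found = []
    for cls, method in _EXECUTE_RE.findall(script_text):
        pair = (cls, method)
        if pair not in found:
            found.append(pair)
    return found


def unexpected_methods(script_text, allowlist):
    """Return bindings that are exposed but missing from the reviewed allowlist."""
    return [pair for pair in list_remote_methods(script_text) if pair not in allowlist]


if __name__ == "__main__":
    # Methods the application team reviewed and intended to expose (constructed).
    approved = {("Chat", "addMessage"), ("Chat", "getMessages")}
    for cls, method in list_remote_methods(SAMPLE_CHAT_JS):
        print(f"exposed: {cls}.{method}")
    for cls, method in unexpected_methods(SAMPLE_CHAT_JS, approved):
        print(f"NOT ON ALLOWLIST: {cls}.{method}")
```

Run against the scripts the proxy shows being served from the /dwr/ directory, the allowlist comparison turns step 4 into a repeatable check: any binding the script exposes that the team never approved is a method whose server-side authorization needs a second look.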