addMessage and Chat.getMessages methods are easily identified by the
attacker. See Figure 6-3.
Figure 6-2 /dwr/ files appear in WebScarab
158 Hacking Exposed Web 2.0
Framework Wrap-Up
Method discovery has always been an important first step in attacking web applications.
While in traditional Web 1.0 applications, method discovery was often a tedious and
error-prone process, AJAX applications have greatly simplified things for the attacker.
Method discovery can now typically be performed by looking at a single JavaScript file
sent from the server to the client. This file is almost always one of the first few files
served to a client when it connects to the target site. Additionally, the AJAX framework
in use by a web application is often very easily identified by locating telltale JavaScript
files. With this change in the way web applications expose their functionality, it is now
more important than ever that developers ensure that they truly understand what
information their applications are exposing to potentially hostile clients.
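The wrap-up above says developers should know exactly which methods their AJAX framework exposes. The following is an added example (not code from the book) that parses the kind of generated interface JavaScript a DWR-style framework serves and compares the remoted methods against a developer-maintained allowlist; the sample file is constructed to resemble DWR output (the exact format is an assumption), and the purgeAllMessages method is hypothetical.

```python
import re

# Constructed sample resembling the interface JavaScript a DWR-style framework
# generates for a remoted Java class (format is approximated, not copied from DWR).
SAMPLE_INTERFACE_JS = """
if (Chat == null) var Chat = {};
Chat._path = '/dwr';
Chat.addMessage = function(p0, callback) {
  dwr.engine._execute(Chat._path, 'Chat', 'addMessage', p0, callback);
}
Chat.getMessages = function(callback) {
  dwr.engine._execute(Chat._path, 'Chat', 'getMessages', callback);
}
Chat.purgeAllMessages = function(callback) {
  dwr.engine._execute(Chat._path, 'Chat', 'purgeAllMessages', callback);
}
"""

# Matches "Class.method = function(p0, p1, callback)" stubs in the interface file.
STUB_RE = re.compile(r"(\w+)\.(\w+)\s*=\s*function\s*\(([^)]*)\)")


def exposed_methods(js_text):
    """Return {(class, method): param_count} for every remoted stub found."""
    found = {}
    for cls, method, params in STUB_RE.findall(js_text):
        names = [p.strip() for p in params.split(",") if p.strip()]
        # The trailing 'callback' argument belongs to the framework, not the method.
        if names and names[-1] == "callback":
            names.pop()
        found[(cls, method)] = len(names)
    return found


def unexpected_exposure(js_text, intended):
    """Methods present in the served interface but absent from the allowlist."""
    return sorted(m for m in exposed_methods(js_text) if m not in intended)


# Developer-maintained allowlist of methods that are meant to be reachable.
INTENDED = {("Chat", "addMessage"), ("Chat", "getMessages")}

if __name__ == "__main__":
    for (cls, method), n in exposed_methods(SAMPLE_INTERFACE_JS).items():
        print(f"{cls}.{method} takes {n} argument(s)")
    print("not on allowlist:", unexpected_exposure(SAMPLE_INTERFACE_JS, INTENDED))
```

Running this check against the interface file your own deployment serves turns the attacker's easy method discovery into a routine build-time inventory of the remoted surface.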
Figure 6-3 Method discovery in WebScarab
Chapter 6: AJAX Types, Discovery, and Parameter Manipulation 159
Parameter Manipulation
Popularity: 9
Simplicity: 8
Impact: 8
Risk Rating: 8
Parameter manipulation has been, and will continue to be, a source of constant attacks
against web applications.