SUMMARY
As shown, the information gathering that precedes a successful attack on an AJAX application involves numerous steps. An attacker must determine what type of AJAX framework is in use, what its methods are, and whether any of those methods appear to be unintentionally exposed. The attacker's job is made significantly easier, however, by several free tools that help at every stage of this process. Once it is complete, targeted technical attacks such as XSS and cross-site request forgery can begin in earnest.
7 AJAX Framework Exposures
Hacking Exposed Web 2.0
Exposures of AJAX frameworks are generally quite similar and are often caused by developers' lack of understanding of what information their application is sending to clients. This lack of understanding is easily compounded by the use of different AJAX frameworks: one framework might by default send only certain data to the application's users, while another might send entirely different data. While this may not seem like a security issue in and of itself, web applications often contain functionality or information that developers expect to remain secret, and whatever the framework sends to the browser is fully visible to anyone who cares to look.
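As an added example that is not part of the book, the following JavaScript enumerates the methods an AJAX framework's client-side proxy exposes, which is the first thing a tester inspects to learn what the application is actually sending to the browser. The `GeneratedProxy` class, the `ServiceProxy` instance and all method names are constructed stand-ins, not any real framework's stub; against a live application you would point `enumerateProxyMethods` at whatever global proxy object the framework created. The sensitive-name patterns are a heuristic of my own, not anything the book prescribes.

```javascript
// Added example, not from the book: enumerate the server-side methods that an
// AJAX framework's client proxy exposes to the browser. Frameworks that generate
// a client stub per server method hand the whole server API surface to the
// client, including methods the developer never intended a user to call.

// Constructed stand-in for a framework-generated proxy. Names are hypothetical;
// the XHR bodies are omitted because only the method inventory matters here.
class GeneratedProxy {
  getProducts(category) { /* would issue an XHR for the product list */ }
  getOrderStatus(orderId) { /* would issue an XHR for one order */ }
  adminResetPassword(username) { /* would issue an XHR: not meant for end users */ }
  internalDumpUsers() { /* would issue an XHR: not meant for end users */ }
}

// Methods may also be attached directly to the instance, so both the instance
// and its prototype chain must be walked.
const ServiceProxy = new GeneratedProxy();
ServiceProxy.debugEcho = function (msg) { /* leftover debug helper */ };
ServiceProxy.endpoint = '/service/'; // data property, not a method

// Name fragments that usually mark functionality not intended for ordinary users
// (heuristic chosen for this example).
const SENSITIVE_PATTERNS = [/admin/i, /internal/i, /debug/i, /dump/i, /reset/i, /delete/i];

// Walk the object and its prototype chain, collecting every callable property.
// Property descriptors are read so that getters are not triggered while inspecting,
// and a nearer property shadows a same-named one further up the chain, as in JS.
function enumerateProxyMethods(proxy) {
  const seen = new Set();
  const methods = [];
  for (let obj = proxy; obj && obj !== Object.prototype; obj = Object.getPrototypeOf(obj)) {
    for (const name of Object.getOwnPropertyNames(obj)) {
      if (name === 'constructor' || seen.has(name)) continue;
      seen.add(name);
      const desc = Object.getOwnPropertyDescriptor(obj, name);
      if (typeof desc.value !== 'function') continue;
      methods.push({
        name,
        arity: desc.value.length,
        suspicious: SENSITIVE_PATTERNS.some((re) => re.test(name)),
      });
    }
  }
  return methods;
}

// Names worth a closer look: those matching a sensitive pattern.
function suspiciousMethods(proxy) {
  return enumerateProxyMethods(proxy)
    .filter((m) => m.suspicious)
    .map((m) => m.name);
}

// Stand-alone usage: print the inventory as a tester would in the browser console.
for (const m of enumerateProxyMethods(ServiceProxy)) {
  console.log(`${m.suspicious ? '!' : ' '} ${m.name}(${m.arity} args)`);
}
```

The point is not the heuristic but the inventory: every method the stub contains is callable from any page a user can script, regardless of whether the application's own UI ever invokes it, so each flagged name is a candidate for the targeted attacks discussed in the following sections.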