
Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"

This object
will function as a proxy between JavaScript on the client and the methods the
client wants to call that are located in the PHP application.
5. Mark which PHP methods should be exposed to the client. This step has the
most potential to affect the security of the application. This is normally achieved
by using the registerFunction() method, which takes the name of a PHP
method to be exposed as the argument. This function can then be called repeatedly
to append PHP methods you want to expose to the list. Another method of
exposing methods is described in detail in the "Attack" section that follows.
6. Once the desired methods have been exposed, two final operations are
performed. First, start Xajax and tell it to handle incoming clients by
calling the processRequests() method. Last, insert the dynamically
generated JavaScript into the HTML sent to the client by invoking the
printJavascript() Xajax method.
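Steps 5 and 6 as an added example (not code from the book or from the Xajax project): a page that exposes one function explicitly and leaves a privileged helper unregistered. It assumes Xajax 0.2.x with xajax.inc.php on the include path; getOrderStatus, purgeOrders, the user_id session key, and the status element id are hypothetical names.

```php
<?php
// Assumption: Xajax 0.2.x is installed and xajax.inc.php is on the include path.
require_once("xajax.inc.php");
session_start();

// Intended for clients: registered below, so any browser can call it with
// any argument. Validate input and check authorization on the server.
function getOrderStatus($orderId)
{
    $objResponse = new xajaxResponse();
    if (empty($_SESSION['user_id']) || !ctype_digit((string)$orderId)) {
        $objResponse->addAssign("status", "innerHTML", "Request rejected");
        return $objResponse;
    }
    // Hypothetical lookup; a real application would query its data store
    // and confirm the order belongs to $_SESSION['user_id'].
    $status = "Order " . (int)$orderId . ": shipped";
    $objResponse->addAssign("status", "innerHTML", htmlspecialchars($status));
    return $objResponse;
}

// Privileged helper (hypothetical). It is never passed to registerFunction(),
// so no client-side stub is generated for it.
function purgeOrders()
{
    // ... administrative work ...
}

$xajax = new xajax();

// Step 5: explicit allow-list, one call per exposed function.
$xajax->registerFunction("getOrderStatus");

// Step 6: handle incoming Xajax calls, then emit the generated JavaScript.
$xajax->processRequests();
?>
<html>
<head>
<?php $xajax->printJavascript(); ?>
</head>
<body>
<div id="status"></div>
<button onclick="xajax_getOrderStatus(1001);">Check order</button>
</body>
</html>
```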
Unintended Method Exposure
Popularity: 4
Simplicity: 6
Impact: 3
Risk Rating: 4
Unintended method exposure can be an issue for developers using Xajax. As discussed
in the Case Study on exposures at the end of this chapter, web application developers
may have previously relied on the fact that users of their web application would
know only about methods about which they were explicitly told.

