The process of obtaining methods exposed by the application is covered in Chapter 6.
As with most other frameworks, Xajax offers no built-in protection against CSRF
attacks, so developers must ensure that their applications provide sufficient
protection against CSRF themselves. For attackers trying to determine whether a Xajax
application is vulnerable to CSRF attacks, the process is similar to that for other
frameworks. They simply need to view the HTTP GET and POST requests sent to a Xajax
web application during normal usage. If these requests do not contain any secret
values (such as DWR's practice of repeating the JSESSIONID in the body of the request),
then the web application is vulnerable to a CSRF attack.
For more information on CSRF attacks, refer to Chapter 4.
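The following is an added example, not code from the book or the Xajax project, showing one way a developer can supply the missing protection: a per-session anti-CSRF token that the page embeds in its JavaScript and that every Xajax-registered function verifies before changing state. It assumes Xajax 0.5 (the `xajax_core/xajax.inc.php` include path, `registerFunction`, `processRequest`, `printJavascript`, and the `xajaxResponse` `alert`/`assign` methods) and PHP 7 or later for `random_bytes`; the `updateEmail` function and the `email`/`status` element ids are hypothetical.

```php
<?php
// Added example (not from the book or Xajax): anti-CSRF token for an Xajax handler.
// Assumes Xajax 0.5 is installed under xajax_core/ and PHP >= 7.0.
session_start();
require_once 'xajax_core/xajax.inc.php';

// Issue one unpredictable token per session; the browser gets it from the page,
// so a cross-site attacker cannot read or forge it.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Constant-time comparison against the session copy of the token.
function tokenIsValid($token) {
    return isset($_SESSION['csrf_token'])
        && is_string($token)
        && hash_equals($_SESSION['csrf_token'], $token);
}

// Hypothetical state-changing Xajax function: the token is the first argument.
function updateEmail($token, $newEmail) {
    $resp = new xajaxResponse();
    if (!tokenIsValid($token)) {
        $resp->alert('Request rejected: missing or invalid anti-CSRF token.');
        return $resp;
    }
    // ... perform the state change for the logged-in user here ...
    $resp->assign('status', 'innerHTML', 'Email updated');
    return $resp;
}

$xajax = new xajax();
$xajax->registerFunction('updateEmail');
$xajax->processRequest();
?>
<html>
<head>
<?php $xajax->printJavascript(); ?>
<script type="text/javascript">
// Token is only available to pages served in this session, never to a third-party site.
var csrfToken = "<?php echo htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES); ?>";
function saveEmail() {
    xajax_updateEmail(csrfToken, document.getElementById('email').value);
}
</script>
</head>
<body>
<input type="text" id="email" />
<input type="button" value="Save" onclick="saveEmail()" />
<div id="status"></div>
</body>
</html>
```

A request captured during normal use of this page now carries a secret value beyond the session cookie, which is exactly the indicator the test above looks for.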
Fortunately for developers, while Xajax does not offer any built-in protection
against CSRF attacks, web applications using Xajax are immune to JavaScript hijacking
attacks. This is because JavaScript hijacking depends on the web application sending
data downstream in JSON or JavaScript format in response to calls to methods on the
server. In all current versions, Xajax supports sending data only in XML format.
Chapter 7: AJAX Framework Exposures 185