4. Declare the methods in the application that Sajax will expose to clients in the dynamically generated JavaScript. This is accomplished by calling the sajax_export() function, which takes as arguments all methods to expose in a comma-separated list.
5. Once the desired methods have been exposed, two final operations are performed. First, Sajax is started and told to handle incoming clients by calling the sajax_handle_client_request() method. Last, the dynamically generated JavaScript is inserted into the HTML sent to the client by invoking the sajax_show_javascript() Sajax method.
Common Exposures
Like several other AJAX frameworks, Sajax offers web application developers no built-in protection against CSRF attacks. With no built-in protection, developers need to build CSRF protection directly into their applications. To determine whether a Sajax application is vulnerable to CSRF attacks, an attacker views the HTTP GET and POST requests to the application. If the requests contain only guessable information in the body and do not repeat a secret value such as the JSESSIONID, then the application is vulnerable to CSRF attacks. For more information on CSRF attacks, refer to Chapter 4.
186 Hacking Exposed Web 2.0
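The following PHP page ties steps 4 and 5 above together with the CSRF point made in this section: because Sajax adds no protection of its own, the exposed method itself has to demand a secret the browser only learns from the legitimate page. This is an added example, not code from the book or from the Sajax project. It assumes the Sajax.php file and its sajax_init() call from the Sajax distribution (the earlier setup steps, which are not on this page); the transfer_funds() method, its parameters, and the csrf_token session field are hypothetical names chosen for the illustration.

```php
<?php
// Added example (not from the book or the Sajax project). Assumes Sajax.php
// from the Sajax distribution is on the include path. The token handling is
// application code added here, since Sajax provides none of its own.
require_once "Sajax.php";

session_start();

// Issue one unguessable per-session token. A forged cross-site request can
// reproduce the guessable account and amount fields but cannot learn this value.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Hypothetical application method that Sajax will expose. The token travels as
// an ordinary argument because Sajax serialises every argument into the
// request its generated JavaScript builds.
function transfer_funds($to_account, $amount, $token) {
    if (!isset($_SESSION['csrf_token']) ||
        !hash_equals($_SESSION['csrf_token'], (string) $token)) {
        // Refuse without acting: this is the check the book says the
        // developer must supply, since the framework does not.
        return "error: invalid request token";
    }
    // Real transfer logic would go here (hypothetical).
    return "transferred " . (float) $amount . " to " . htmlspecialchars($to_account);
}

sajax_init();
// Sajax defaults to GET; POST keeps the token out of URLs, referers and logs.
$sajax_request_type = "POST";
// Step 4: declare the methods to expose (comma-separated list of names).
sajax_export("transfer_funds");
// Step 5a: service an incoming XMLHttpRequest. When the request carries a
// Sajax call, this invokes the method, emits the result and exits.
sajax_handle_client_request();
?>
<html>
<head>
<script type="text/javascript">
<?php
// Step 5b: insert the generated JavaScript (defines x_transfer_funds()).
sajax_show_javascript();
?>
// The page hands the session token to its own script; a third-party page
// cannot read this value, so its forged request fails the server-side check.
var csrfToken = "<?php echo htmlspecialchars($_SESSION['csrf_token']); ?>";

function doTransfer() {
    x_transfer_funds(
        document.getElementById('to').value,
        document.getElementById('amt').value,
        csrfToken,
        function (result) { alert(result); }
    );
}
</script>
</head>
<body>
<input id="to" type="text" />
<input id="amt" type="text" />
<input type="button" value="Transfer" onclick="doTransfer()" />
</body>
</html>
```

Viewing the resulting request the way this section describes shows why it passes the test: the POST body now repeats a value that is neither guessable nor available to a page on another origin, which is exactly the property the JSESSIONID comparison above is looking for.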