This is a draft cheat sheet. It is a work in progress and is not finished yet.
AJAX results in "thick" client-like functionality: a substantial share of the application's code and business logic runs in the browser rather than on the server.
Begin by creating an XMLHttpRequest object: xmlhttp = new XMLHttpRequest()
XMLHttpRequest Methods and Properties
open(): Specifies the properties of the request (method, URL, asynchronous flag), but it does NOT initiate a connection.
send(): Creates the connection and transmits the request (the body, or null for a GET).
readyState: Set with the state of the request (see the values below).
onreadystatechange: Sets which function should be called when the ready state changes.
responseText / responseXML: The response from the server is placed here.
readyState values:
0 (UNSENT): The request is uninitialized
1 (OPENED): The request has been set up
2 (HEADERS_RECEIVED): The request has been sent and the response headers have arrived
3 (LOADING): Waiting for the response body to finish arriving
4 (DONE): The response is complete
status: The HTTP status code. It provides information about the state of the server's response to a request; check it together with readyState 4 before trusting the body.
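The lifecycle above, as an added example (not code from the cheat sheet): a helper that drives an XMLHttpRequest through the readyState values and only hands the body to the caller once readyState is 4 and the status is 2xx, parsing it with JSON.parse rather than eval(). Because Node has no XMLHttpRequest, the block includes a constructed FakeXMLHttpRequest that replays a canned response through states 1 to 4; in a browser you would pass window.XMLHttpRequest instead. The URL and response data are made up for the example.

```javascript
// Added example, not part of the original cheat sheet.
const DONE = 4; // readyState 4: the response is complete

// XHR is the constructor to use (window.XMLHttpRequest in a browser).
// onResult receives { ok, status, data, error, states }.
function requestJson(XHR, method, url, body, onResult) {
  const seenStates = [];
  const xhr = new XHR();
  // Handler is attached before open() so state 1 is observed as well.
  // Browsers may fire state 3 several times; only DONE is acted on.
  xhr.onreadystatechange = function () {
    seenStates.push(xhr.readyState);
    if (xhr.readyState !== DONE) return; // headers/partial body: not usable yet
    if (xhr.status < 200 || xhr.status >= 300) {
      onResult({ ok: false, status: xhr.status, data: null, states: seenStates });
      return;
    }
    let data;
    try {
      data = JSON.parse(xhr.responseText); // never eval() a response body
    } catch (e) {
      onResult({ ok: false, status: xhr.status, data: null, error: e.message, states: seenStates });
      return;
    }
    onResult({ ok: true, status: xhr.status, data: data, states: seenStates });
  };
  xhr.open(method, url, true);            // records method/URL; no connection yet
  xhr.setRequestHeader('Content-Type', 'application/json');
  xhr.send(body === undefined ? null : JSON.stringify(body)); // connection made here
  return xhr;
}

// Constructed stand-in for the browser object so the example runs offline:
// replays one canned response synchronously through readyState 1, 2, 3, 4.
function makeFakeXHR(status, responseText) {
  return class FakeXMLHttpRequest {
    constructor() {
      this.readyState = 0; this.status = 0; this.responseText = '';
      this.headers = {}; this.onreadystatechange = null;
    }
    open(method, url) { this.method = method; this.url = url; this._set(1); }
    setRequestHeader(name, value) { this.headers[name] = value; }
    send(body) {
      this.body = body;
      this.status = status;            // status is known once headers arrive
      this._set(2); this._set(3);
      this.responseText = responseText;
      this._set(4);
    }
    _set(state) { this.readyState = state; if (this.onreadystatechange) this.onreadystatechange(); }
  };
}

// Stand-alone demonstration with a constructed 200 response.
const DemoXHR = makeFakeXHR(200, '{"user":"alice","role":"admin"}');
requestJson(DemoXHR, 'GET', '/api/me', undefined, function (res) {
  console.log('states seen:', res.states.join(','), 'ok:', res.ok, 'data:', res.data);
});
```

The same handler also covers the two failure modes a tester will provoke: a non-2xx status (the body is discarded) and a 200 carrying a non-JSON body (the parse error is surfaced instead of executed).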
A popular feature of AJAX-enabled sites is to combine two or more applications (a "mashup") to provide more features.
Proxies are often used to circumvent the same-origin policy, which AJAX does not change: by default XMLHttpRequest can only reach the page's own origin, so many applications include a built-in server-side proxy that forwards requests to third-party services. Such a proxy is an endpoint of the application and should be tested like any other.
AJAX does not add new classes of attack, but it does increase the attack surface: more client-side code and business logic run on the client, and more server-side functions are exposed as endpoints that can be called directly.
Typical attacks remain XSS and SQLi. AJAX also lends itself to CSRF, because server functionality is called directly by the client code and an attacker's page can issue the same request if the endpoint does not check an anti-CSRF token or custom header.
Testing AJAX applications is not inherently more difficult, but many tools cannot execute the client-side logic, and dynamically generated links and requests are easily missed by a conventional spider.
Manual priming of the tools (browsing the application through the proxy so every AJAX call is recorded) and verification of the tool results are therefore usually necessary.
Burp and ZAP, the latter with its AJAX Spider, can often handle AJAX applications well once primed.
AJAX lends itself to complex frameworks; many common files are shared across apps, and function libraries are often included on every page for simplicity.
Non-AJAX applications can also make use of API files.
Third-party libraries/frameworks, whether CDN-hosted or served locally, can introduce their own vulnerabilities. Examples include jQuery and MooTools. Record the exact version in use and compare it against the library's published advisories.
Discovery often occurs during mapping; a spider should detect them (src attributes of script tags).
They can be parsed to find vulnerable or interesting functions; look for those that initiate or process HTTP requests (XMLHttpRequest).
Exploitation takes many forms and depends on the framework. Possibilities include the ability to call functions without authentication, gathering information for further exploitation, or using a known flaw in the library.
Business logic residing on the client means the client receives more data, in some cases more than it needs to display.
Developers often rely on client-side filtering to display only what is necessary. That filtering is not a security control: the full response is visible to anyone with an interception proxy.
Data Formats: XML and JSON
There are two common formats that require parsing on the client side: XML and JSON.
XML is a tag-based format that, while common, is heavier (more verbose) than other forms.
On the response side an attacker will look for extraneous data that can be used.
On the request side an attacker will look for the opportunity to inject attacks, such as SQLi or XSS.
JSON is a lightweight text format built from objects (name/value pairs) and arrays, which map directly onto JavaScript data structures.
Exploitation of JSON is usually either information disclosure or injection.
JSON information disclosure is the easiest to find and is typically found by browsing through an interception proxy and reading the raw responses. Some applications send complete record sets and leave it to the client to hide the fields the user should not see.
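The response-side check described above (and the point made earlier about client-side filtering), as an added example that is not from the cheat sheet: given a JSON response body as captured in the proxy and the list of field paths the page actually renders, list every field the server sent but the UI hides, and flag the ones whose names suggest sensitive data. The response body, the rendered-field list and the name heuristic are all constructed for the example.

```javascript
// Added example, not part of the original cheat sheet.
// Name heuristic (an assumption for the example): leaf names that usually
// indicate data the client should never have received.
const SENSITIVE_NAME = /pass|secret|token|ssn|hash|salt|admin|role|internal|private|key/i;

// Flatten a parsed JSON value into leaf paths such as "users[].email".
function flattenPaths(value, prefix, out) {
  if (Array.isArray(value)) {
    for (const item of value) flattenPaths(item, prefix + '[]', out);
  } else if (value !== null && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      flattenPaths(v, prefix ? prefix + '.' + k : k, out);
    }
  } else {
    out.add(prefix); // scalar leaf
  }
  return out;
}

// Returns [{ path, sensitive }] for every sent field the page does not render.
function findExtraneousFields(responseText, renderedPaths) {
  const sent = flattenPaths(JSON.parse(responseText), '', new Set());
  const rendered = new Set(renderedPaths);
  const extra = [];
  for (const path of sent) {
    if (rendered.has(path)) continue;
    const leaf = path.split('.').pop().replace('[]', '');
    extra.push({ path: path, sensitive: SENSITIVE_NAME.test(leaf) });
  }
  return extra;
}

// Constructed response: a "user list" endpoint that returns whole records.
const SAMPLE_RESPONSE = JSON.stringify({
  total: 2,
  users: [
    { id: 17, name: 'alice', email: 'alice@example.com', role: 'admin',
      password_hash: 'hash-placeholder', ssn: '123-45-6789', internal_notes: 'vip' },
    { id: 18, name: 'bob', email: 'bob@example.com', role: 'user',
      password_hash: 'hash-placeholder', ssn: '987-65-4321', internal_notes: '' }
  ]
});
// Constructed: what the page's template actually displays.
const RENDERED = ['users[].name', 'users[].email'];

for (const f of findExtraneousFields(SAMPLE_RESPONSE, RENDERED)) {
  console.log((f.sensitive ? 'SENSITIVE ' : 'extra     ') + f.path);
}
```

In practice the rendered-path list comes from reading the client-side template or handler that consumes the response; anything reported as extra is data the server is already giving away, regardless of what the page shows.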
JSON injection focuses on requests: the goal is to intercept them and inject attack strings, SQLi and XSS being the most common. Either the client-side code (which later renders the value) or the server-side code (which stores or queries with it) can be the target. The results may not be visible on the page, so an interception proxy is necessary to see the responses.
Note: JSON parsers are unforgiving of syntax errors, so a payload that breaks the quoting must be re-serialized rather than pasted in; the resulting parse errors are often verbose, which can provide guidance about the parser and framework in use.
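The request-side attack described above, as an added example that is not from the cheat sheet: a generator that takes a JSON request body as captured in the proxy and emits one mutated copy per string field per payload, re-serializing with JSON.stringify so the body stays valid JSON even when the payload contains quotes; a naive textual substitution is shown for contrast, together with the parse error it produces. The block also shows the client-side sink that makes the XSS payload fire (a value concatenated into markup destined for innerHTML) beside the escaped form. The request body and the payload list are constructed for the example.

```javascript
// Added example, not part of the original cheat sheet.
// Constructed probes: one SQLi string and two XSS strings, the last of
// which carries a double quote so it breaks naive substitution.
const PAYLOADS = [
  "' OR '1'='1",
  "<script>alert(document.domain)</script>",
  "\"><img src=x onerror=alert(1)>"
];

// Visit every scalar leaf of a parsed JSON value with its key path.
function walk(node, path, visit) {
  if (node !== null && typeof node === 'object') {
    for (const key of Object.keys(node)) walk(node[key], path.concat(key), visit);
  } else {
    visit(path, node);
  }
}

function setPath(obj, path, value) {
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) cur = cur[path[i]];
  cur[path[path.length - 1]] = value;
}

// One test case per (string field, payload); each body re-parses cleanly.
function mutateJsonRequest(bodyText, payloads) {
  const cases = [];
  walk(JSON.parse(bodyText), [], function (path, value) {
    if (typeof value !== 'string') return; // numbers/booleans need different probes
    for (const payload of payloads) {
      const copy = JSON.parse(bodyText);    // fresh deep copy per case
      setPath(copy, path, payload);
      cases.push({ path: path.join('.'), payload: payload, body: JSON.stringify(copy) });
    }
  });
  return cases;
}

// Contrast: pasting the payload into the raw text. A payload with a quote
// leaves the body unparseable, and the parser says why.
function naiveSubstitute(bodyText, field, payload) {
  const re = new RegExp('"' + field + '":"[^"]*"');
  return bodyText.replace(re, '"' + field + '":"' + payload + '"');
}
function parseError(text) {
  try { JSON.parse(text); return null; } catch (e) { return e.message; }
}

// Client-side sink. The vulnerable form builds markup for innerHTML from
// the server's value as-is; the hardened form HTML-escapes it first.
function renderVulnerable(comment) {
  return '<li>' + comment.author + ': ' + comment.text + '</li>';
}
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}
function renderSafe(comment) {
  return '<li>' + escapeHtml(comment.author) + ': ' + escapeHtml(comment.text) + '</li>';
}

// Stand-alone demonstration with a constructed "post comment" request body.
const CAPTURED_BODY = '{"author":"alice","text":"hello","rating":5}';
for (const c of mutateJsonRequest(CAPTURED_BODY, PAYLOADS)) console.log(c.path, c.body);
console.log('naive substitution error:', parseError(naiveSubstitute(CAPTURED_BODY, 'text', PAYLOADS[2])));
console.log(renderVulnerable({ author: 'eve', text: PAYLOADS[1] }));
console.log(renderSafe({ author: 'eve', text: PAYLOADS[1] }));
```

Each generated body is what you would paste into the proxy's repeater; the path tells you which field carried the probe when a response or a later page reflects it.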