Show Menu

AJAX Cheat Sheet (DRAFT) by

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Asynch­ronous JavaScript and XML

AJAX enables Web 2.0 using JavaScript and XML to provide dynamic applic­ation functions.
Results in "­thi­ck" client­-like functi­ona­lity.
JavaScript creates XMLHtt­pRe­quest objects that can request and receive asynch­ron­ously, updating the display as responses are received.
XMLHtt­pRe­quest objects are the heart of AJAX, enabling JavaScript to make requests in the backgr­ound.
Begin using XMLHtt­pRe­quest object with xmlhttp = new XMLHtt­pRe­quest()

XMLHtt­pRe­quest Methods and Properties

Specifies the properties of the request, but it does NOT initiate a connec­tion.
Creates the connec­tion; specifies the function is called when the ready state changes.
Set with the state of the request
Sets which function should be called when ready state changes.
The response from the server is placed here.


The request is uninit­iliazed
The request has been set up
The request has been sent
Waiting for a response
The response is complete
It provides inform­ation about the state of the server's response to a request.


Popular feature of AJAX enabled sites is to combine 2 or more apps to provide more features.
Proxies are often used to circumvent same-o­rigin policy because AJAX does not change it. Many apps use a built-in proxy.
Main issue is control of URLs to proxy. Proxies use GET or POST parameters to call backend site. If these are changed an attacker can proxy to a different site or instruct it to load malicious JavaSc­ript. Check strings are often used to prevent this.

Attack Surface

AJAX does not add new attacks but it does increase the attack surface because there is more client­-side code and business logic on the client.
Typical attacks are XSS, SQLi, and it lends itself toward CSRF because functi­onality is called directly by the client code.

AJAX Mapping

It is more difficult because many tools cannot parse and handle the client­-side logic, especially dynami­cally generated links can cause issue
Manual work and tool verifi­cation is often necessary.
Burp and ZAP, with AJAX Spider, can often ably handle AJAX applic­ations.


It is not more difficult but many tools require manual priming.

JavaScript Librar­ies­/Fr­ame­works

AJAX lends itself to complex framew­orks; many common files are used within apps and functions are often included on all pages forsim­pli­city.
Non-AJAX applic­ations can also make use of API files.
Most commonly JavaScript files are included across the applic­ation containing business logic and technical functi­ona­lity. When features are present that we do not have access to it can help build malicious requests.
3rd party librar­ies­/fr­ame­works whether CDN-hosted or served locally can introduced their own vulner­abi­lities. Examples includes jQuery and MooTools.
Discovery often occurs during mapping, a spider should detect them (src attrib­utes).
They can be parsed to find vulnerable or intere­sting functions, look for those that initiate or process HTTP requests (XMLHt­tpR­equest).
Exploi­tation takes many forms and are based on the framework. Possib­ilities include the ability to call functions without authen­tic­ation, gather inform­ation for further exploi­tation, or use a known-flaw to exploit.

Data Attacks

Business logic residing on the client means the client receives more data, in some cases more than is required.
Developers rely on filtering on the client­-side to display only what is necessary.

Data Formats: XML and JSON

There are 2 common formats that require parsing on client side: XML and JSON
XML is a tag-based format, that while common is heavier than other forms.
JSON, or JavaScript Object Notation, is a lightw­eight interc­han­geable format for both requests and responses, which client­-side JavaScript loads into memory.
Typically, JSON uses eval() to invoke JavaScript compiler to parse text and project object structure. It is very fast but runs the risk of executing any JavaScript program present. It is safer to use a JSON parser.
On the response side an attacker will look for extraneous data that can be used.
On the request side an attacker will look for the opport­unity to inject attacks, such as SQLi or XSS.
JSON format is an array of arrays.
Exploi­tation of JSON is usually either inform­ation disclosure or injection.
JSON Inform­ation Disclosure is the easiest to find and is typically found browsing via proxy. Some applic­ations send complete record sets.
JSON Injection focuses on request with the goal of interc­epting them and injecting attack strings, SQLi and XSS being the most common. The client or server code can be targeted. The results may not be visible on the page, so using an interc­eption proxy is necessary.
Note: JSON is unforg­iving of syntax errors but the errors are often verbose, which can provide guidance.