Re: [xml-dev] Cracking AJAX? Done yet?
- From: Tei <oscar.vives@gmail.com>
- To: xml-dev@lists.xml.org
- Date: Wed, 8 Nov 2006 09:58:35 +0100
OFF-TOPIC
On 11/8/06, Peter Hunsberger <peter.hunsberger@gmail.com> wrote:
> Not sure what you want to do, but you can mostly reverse engineer the
> Ajax calls. Sometimes the underlying libraries are obscured, but at
> some level, every Ajax call begins with a Javascript invocation (plain
> text) from a web page.
>
> In our case, this makes it easier to get at the underlying data, once
> you dig down far enough to figure out the calls you can invoke them
> directly and get the relevant XML (or sometimes otherwise encoded)
> data directly.
>
> There are tools to track the underlying HTML calls that work at the
> browser level -- you shouldn't have to resort to proxies -- but so far
> I've never had the need for them...
On Firefox you can use the LiveHTTPHeaders extension to capture all the
HTTP traffic in a readable way. Very useful to analyze & debug AJAX.

For other browsers you can always use a cheapo proxy and activate all
the logging. As an example, SpoonProxy is able to do that. So you can capture
everything the browser sends or receives.

If the browser is embedded in another program and you do not have access to
proxy configurations, there are network tools like Ethereal to capture
traffic.

With ajax you always have the client-side code and communication
samples; only the server-side code is unknown on non-FOSS software.

About the original subject. IMHO, yes. An ajax call needs to validate
the call, as a normal web page does. In PHP you can track a $_SESSION
var, and it takes 1 line of code. Hee!, you reuse the auth method you use
on all other pages.

if (!$_SESSION["userLogued"]) { echo 0; exit(); }

A number of ajax apps will ignore or forget to add that line, and it will
be possible to break into applications through ajax.
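
One way to keep the session check from the message above from being forgotten, as an added example (not code from the post or from any project): route every AJAX action through a single dispatcher that denies by default. The handler names, `PUBLIC_ACTIONS` and the sample sessions are constructed for illustration; only the `userLogued` session key comes from the message.

```php
<?php
declare(strict_types=1);

// Actions that may run without a login. Everything else requires one.
// (Constructed list; an application would define its own.)
const PUBLIC_ACTIONS = ['ping'];

// Hypothetical handlers: none of them contains its own session check.
$handlers = [
    'ping'        => fn(array $s): array => ['ok' => true],
    'listOrders'  => fn(array $s): array => ['orders' => [101, 102]],
    'deleteOrder' => fn(array $s): array => ['deleted' => 101],
];

/**
 * Single entry point for every AJAX call. The login check lives here,
 * so a newly added handler is protected even if its author forgets it.
 * Returns [HTTP status, JSON body].
 */
function dispatch(array $handlers, array $session, string $action): array
{
    $loggedIn = !empty($session['userLogued']);
    // Authorization comes first, so anonymous callers get the same 401
    // for every non-public action name, whether it exists or not.
    if (!$loggedIn && !in_array($action, PUBLIC_ACTIONS, true)) {
        return [401, json_encode(['error' => 'login required'])];
    }
    if (!isset($handlers[$action])) {
        return [404, json_encode(['error' => 'unknown action'])];
    }
    return [200, json_encode($handlers[$action]($session))];
}

// Constructed sessions: one anonymous, one logged in.
$anonymous = [];
$user      = ['userLogued' => true];

$cases = [
    [$anonymous, 'ping'],
    [$anonymous, 'listOrders'],
    [$anonymous, 'noSuchAction'],
    [$user, 'listOrders'],
    [$user, 'noSuchAction'],
];
foreach ($cases as [$sess, $act]) {
    [$status, $body] = dispatch($handlers, $sess, $act);
    printf("%-13s logged_in=%d -> %d %s\n",
        $act, (int) !empty($sess['userLogued']), $status, $body);
}
```

In a web deployment the caller would pass `$_SESSION` (after `session_start()`) and the requested action name instead of the constructed arrays.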