AJAX introduces complexity into the development and testing of web applications. Because requests are asynchronous, the concept of a single page no longer holds in Web 2.0 applications: any number of web requests may be running in the background to generate, and regenerate, the content of an ever-changing page. This also means that the old style of crawling a web application to enumerate its pages and the access points (or parameters) within them no longer works sufficiently on its own. The tester must remember that a page crawled early in a test may later consist of completely different content, parameters, and links. This places a heavy emphasis on "state," which often can only be distinguished by a human eye rather than by an automated web application scanner. Many web application testing tools do not take this into account, so testing is incomplete if the tester relies solely on the tool's output, which unfortunately is quite common, even among professional testing organizations.
Firebug has an option to show XMLHttpRequests as you are browsing web pages, allowing you to enumerate XHR calls, as shown in Figure 13-10.
[Figure 13-10 screenshot: Firebug's Net panel with the XHR filter selected, showing a request to a typeahead script on facebook.com (2 KB, 328 ms) with Params, Headers, Response, and Response Headers tabs. Response headers include Date (Tue, 25 Sep 2007 13:24:09 GMT), Server (Apache/1.3.37), Last-Modified, Keep-Alive, and Content-Type (text/html; charset=utf-8); request headers include Host (www.facebook.com), User-Agent (Mozilla/5.0 ... Firefox/2.0.0.7), Accept, Accept-Language (en-us,en;q=0.5), Accept-Encoding (gzip,deflate), Accept-Charset, and Referer (http://www.facebook.com/s.php?ref=search).]
Figure 13-10 Firebug reveals XMLHttpRequests within a Web 2.0 application.
Once an XHR call has been enumerated, the tester can view the HTTP headers, the HTTP response, and the parameters of the AJAX call. This may reveal requests and parameters that traditional web application testing techniques would not find. Chickenfoot is a Firefox scripting add-on that automates client-side actions, such as onclick events, allowing fast discovery of AJAX calls.
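The same enumeration Firebug performs in its XHR view can be done from inside the page itself by hooking the XMLHttpRequest prototype, so that every open/send cycle is recorded with its method, URL, request headers, body, and the parameters it carries. The following is an added example written for this edit, not Firebug's or Chickenfoot's code; it assumes a browser-like XMLHttpRequest object, and the FakeXHR class and the two sample calls at the bottom are constructed so the block runs offline (in a real page you would call instrumentXHR(window.XMLHttpRequest, log) from the console instead).

```javascript
// Hook XMLHttpRequest.prototype so every AJAX call the page makes is recorded
// in `sink` before it leaves the browser. Returns a function that restores the
// original methods. `XHR` is whatever XMLHttpRequest-like constructor you pass.
function instrumentXHR(XHR, sink) {
  const proto = XHR.prototype;
  const origOpen = proto.open;
  const origSetRequestHeader = proto.setRequestHeader;
  const origSend = proto.send;

  proto.open = function (method, url, ...rest) {
    // Start a record for this request; headers and body arrive later.
    this.__xhrRecord = {
      method: String(method).toUpperCase(),
      url: String(url),
      headers: {},
      body: null,
      params: {},
    };
    return origOpen.call(this, method, url, ...rest);
  };

  proto.setRequestHeader = function (name, value) {
    if (this.__xhrRecord) this.__xhrRecord.headers[name] = String(value);
    return origSetRequestHeader.call(this, name, value);
  };

  proto.send = function (body) {
    const rec = this.__xhrRecord;
    if (rec) {
      rec.body = body == null ? null : String(body);
      rec.params = extractParams(rec);
      sink.push(rec);
    }
    return origSend.call(this, body);
  };

  return function restore() {
    proto.open = origOpen;
    proto.setRequestHeader = origSetRequestHeader;
    proto.send = origSend;
  };
}

// Pull the attack surface out of a recorded call: query-string parameters,
// plus form-encoded or JSON body fields when the Content-Type says so.
function extractParams(rec) {
  const params = {};
  // Relative URLs resolve against the page location in a browser; the
  // localhost base below is an assumption so the example runs outside one.
  const base = typeof location !== 'undefined' ? location.href : 'http://localhost/';
  for (const [k, v] of new URL(rec.url, base).searchParams) params[k] = v;

  const ctEntry = Object.entries(rec.headers).find(([k]) => k.toLowerCase() === 'content-type');
  const contentType = ctEntry ? ctEntry[1].toLowerCase() : '';
  if (rec.body && contentType.startsWith('application/x-www-form-urlencoded')) {
    for (const [k, v] of new URLSearchParams(rec.body)) params[k] = v;
  } else if (rec.body && contentType.startsWith('application/json')) {
    try { Object.assign(params, JSON.parse(rec.body)); } catch (e) { /* keep going on bad JSON */ }
  }
  return params;
}

// Constructed stand-in for the browser's XMLHttpRequest, so the hook can be
// exercised offline. It only records what it was asked to do.
class FakeXHR {
  open(method, url) { this.method = method; this.url = url; this.sent = false; }
  setRequestHeader(name, value) { (this.sentHeaders ||= {})[name] = value; }
  send(body) { this.sent = true; this.sentBody = body; }
}

// Two constructed sample calls of the kind a typeahead or search widget makes.
// Returns the enumerated records so they can be inspected or asserted on.
function enumerateSampleCalls() {
  const log = [];
  const restore = instrumentXHR(FakeXHR, log);

  const a = new FakeXHR();
  a.open('get', '/ajax/typeahead.php?q=alice&n=5');
  a.send();

  const b = new FakeXHR();
  b.open('POST', '/ajax/search.php');
  b.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  b.send('query=bob&page=2');

  restore();
  return log;
}
```

Each record in the log is one candidate request to feed into manual testing or a proxy; because the hook runs at send time, it catches calls triggered by timers, keystrokes, and other events that a crawler following links never fires. The restore function matters when you instrument a live page: leaving the prototype patched can change how the application behaves during the rest of the test.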