Programmatic GET Requests with JavaScript: Simple Way to Hack Your Site
(Page 1 of 5)
Trying to secure a website is a continual and frustrating process. Attacks, like Denial of Service, can come from many directions, especially when your web applications cannot reject external requests. Alejandro Gervasio shows us some valuable JavaScript in this article meant to help you secure your sites.
Introduction
Recently, I had the opportunity to work on a medium-sized Web project, which involved the development of different modules that demanded a carefully planned mutual interaction. Some of these modules required access to protected sections of the website, through a centralized access control mechanism, so critical security issues had to be tested as thoroughly as possible.
In order to check for some of the possible vulnerabilities and evaluate potential weak points within the program, a server-side application was used. It emulated automatic GET and POST requests to determine whether the Web application was capable of rejecting external attacks, at least those aimed primarily at generating Denial of Service (DoS) situations.
After performing the verification process and implementing some possible solutions within the program accordingly, such as noisy image generation and on-the-fly encrypted session data, a clear idea about the topic came to mind. Certainly, we have all seen many unprotected websites easily crashed by malicious programs installed on remote computers that launch massive numbers of requests at the targeted server, causing either severe slowdowns or complete system hangs.
However, most of these programs are client applications running on non-Web-based platforms. But now the scenario is definitely a little different. As you probably know, many popular server-side languages make it quite easy to work with sockets, and this fact alone turns the development of HTTP-based hacking tools into a simple experience.
Focusing on client-side programming, the growing use of JavaScript as a fairly new tool for making HTTP requests in the background without reloading a page, through the popular XMLHttpRequest object, has brought a new generation of Web-based hacking techniques. These expand the vast plethora of existing tools, making it even easier for inexperienced attackers to execute malicious code against targeted websites.
As I said before, the idea that emerged from my previous experience was to write a simple JavaScript program. It would be aimed mainly at illustrating, under real conditions, how easily an unprotected website can be attacked by users with bad intentions through the generation of programmatic GET/POST requests. As a result, hopefully this tutorial will be helpful for those trying to build safer Web applications and implement well-defined security strategies from the very beginning.
However, before I go deeper into the required explanations, a few things need to be clarified. First, this article is not intended to encourage the use of programs for hacking purposes, since it merely demonstrates that some websites may expose vulnerabilities that need to be properly addressed. And second, the responsibility for the use of the source code is left entirely in the hands of the reader.
Having said that, let’s move on to making HTTP requests in the background.