A good place to start explaining how HTTP requests are really used to attack a website is a quick look at the XMLHttpRequest object. Since it’s not the primary concern of the article, I’ll give only a brief reference to its methods and properties; there is plenty of information on the Web in case you’re interested in learning more about it. Otherwise, if you’re already familiar with this object, feel free to skip this section and jump straight to the next one.
Essentially, the XMLHttpRequest object allows you to make requests to an HTTP server and get a response from it without page reloads. All the requests can be handled in the background, in a transparent way. This means that the client-server interaction can be carried out silently, without notifying the user about what’s happening behind the scenes.
As any standard object, the XMLHttpRequest object exposes several useful methods, which can be summarized in the following list:
open("method","URL",async,"uname","pswd"): opens an HTTP connection to the specified URL, using the given request method (GET/POST/PUT). Usually, the third parameter “async” is set to true, in order to make asynchronous requests. Basically, when an asynchronous request is made, the script won’t wait for the response from the server, but will continue its execution right after the “send()” method is invoked. Otherwise, the script will continue executing only after a server response is received. The remaining parameters are optional, for situations where a “username” and “password” are required for accessing documents.
send(string): sends the specified request. Commonly, in POST requests, the name/value pairs are passed as arguments to this method.
setRequestHeader("header name","header value"): allows you to specify the name/value pair of a header to be sent to the server, for instance: "Content-Type: text/html; charset=iso-8859-1".
getResponseHeader("headername"): returns the value of the given HTTP response header.
getAllResponseHeaders(): returns a string containing the complete set of HTTP response headers.
abort(): halts the request.
Aside from the methods described above, the object presents the following properties:
readyState: returns the state of the object, according to the request’s progress. Its possible values are: 0 = uninitialized, 1 = loading, 2 = loaded, 3 = interactive, 4 = complete.
responseText: returns the server response as a string. This property is useful to get the content of a web page, when used in conjunction with the GET method.
status: returns the request status as a numeric value. For instance, "200" for "OK".
statusText: as the name suggests, returns the request status as a string. For instance: "Not Found" for a 404 HTTP error.
responseXML: returns the server response as XML.
onreadystatechange: the event handler, which is triggered at every state change. On asynchronous requests, it’s useful for controlling the logic of the program in accordance with the request status.
Now that you’ve learned the basics of the XMLHttpRequest object, these boring details are out of your way. You can turn your attention to the next few lines, where I’ll explain, through a simple example, how a potential attacker can use the object’s capabilities to inflict damage on unsuspecting websites using Denial of Service (DoS) attacks.