
Programmatic GET Requests with JavaScript: Simple Way to Hack Your Site

Trying to secure a website is a continual and frustrating process. Attacks such as Denial of Service can come from many directions, especially when your web applications cannot reject external requests. Alejandro Gervasio shows us some valuable JavaScript in this article meant to help you secure your sites.

Author Info:
By: Alejandro Gervasio
Rating: 5 stars / 30
July 13, 2005
  1. Programmatic GET Requests with JavaScript: Simple Way to Hack Your Site
  2. A Quick Look At The XMLHttpRequest Object
  3. When High Levels of Traffic Are Dangerous
  4. Automated GET requests
  5. Massive HTTP requests: Using a Timer


Programmatic GET Requests with JavaScript: Simple Way to Hack Your Site - A Quick Look At The XMLHttpRequest Object
(Page 2 of 5)

A good place to start explaining how HTTP requests are really used to attack a website is a quick look at the XMLHttpRequest object. Since it is not the primary concern of this article, I will give only a brief overview of its methods and properties. There is plenty of information on the Web, in case you are interested in learning more about it. Otherwise, if you are already familiar with this object, feel free to skip this section and jump straight to the next one.

Essentially, the XMLHttpRequest object lets you send requests to an HTTP server and receive its response without reloading the page. All requests can be handled in the background, transparently. This means that the client-server interaction may be carried out silently, without the user being told what is happening behind the scenes.

Like any standard object, XMLHttpRequest exposes several useful methods, which are summarized in the list below:

  • open("method","URL",async,"uname","pswd"): opens an HTTP connection to the specified URL, using the given request method (GET/POST/PUT). Usually the third parameter, "async", is set to true in order to make asynchronous requests. When an asynchronous request is made, the script does not wait for the server's response; it continues executing as soon as the "send()" method has been invoked. Otherwise, the script resumes only after a server response has been received. The remaining parameters are optional and are used when a "username" and "password" are required to access a document.
  • send(string): sends the request. In POST requests, the name/value pairs are commonly passed as the argument to this method.
  • setRequestHeader("header name","header value"): sets the name/value pair of a request header to be sent to the server, for instance: "Content-Type:text/html; charset=iso-8859-1".
  • getResponseHeader("headername"): returns the value of the given HTTP response header.
  • getAllResponseHeaders(): returns a string containing the complete set of HTTP response headers.
  • abort(): halts the request.

Aside from the methods described above, the object presents the following properties:

  • readyState: returns the state of the object according to the request's progress. Its possible values are: 0 = uninitialized, 1 = loading, 2 = loaded, 3 = interactive, 4 = complete.
  • responseText: returns the server response as a string. Used together with a GET request, this property gives you the content of a web page.
  • status: returns the request status as a numeric value. For instance, "200" for "OK".
  • statusText: as the name suggests, returns the request status as a string. For instance: "Not Found" for a 404 HTTP error.
  • responseXML: returns the server response as XML.
  • onreadystatechange: the event handler, which is triggered at every state change. In asynchronous requests it is where the program's logic is driven, according to the request's state.
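
The following is an added example, not the article's own code, that exercises the methods and properties from the two lists above in one place: open() with the asynchronous flag, send(), abort(), and an onreadystatechange handler that acts only on readyState 4 and checks status and statusText before reading responseText. So that it can run outside a browser, the XMLHttpRequest-like object is supplied through a factory, and a constructed FakeXMLHttpRequest replays the readyState sequence against a constructed routes table. The names fetchText, fetchTextSync, FakeXMLHttpRequest and SAMPLE_ROUTES, the sample responses and the timeout/abort behaviour are all assumptions made for this example.

```javascript
// Added example, not the article's code: a wrapper around the XMLHttpRequest
// methods and properties described above, plus a constructed fake so it runs
// outside a browser. All names and sample data here are assumptions.

// readyState values, as enumerated in the article.
const READY_STATE = { UNINITIALIZED: 0, LOADING: 1, LOADED: 2, INTERACTIVE: 3, COMPLETE: 4 };

// GET `url` and report exactly once via callback(err, text). createXhr()
// returns an XMLHttpRequest-like object (the browser's own, or the fake
// below); options.async is the third argument of open(); options.timeoutMs
// abort()s an asynchronous request that has not completed in time.
function fetchText(url, createXhr, callback, options = {}) {
  const { async = true, timeoutMs = 0 } = options;
  const xhr = createXhr();
  let settled = false;
  let timer = null;

  function finish(err, text) {
    if (settled) return;                 // whichever fires first wins
    settled = true;
    if (timer) clearTimeout(timer);
    callback(err, text);
  }
  // Only readyState 4 (complete) carries a final status and body.
  function handleStateChange() {
    if (xhr.readyState !== READY_STATE.COMPLETE) return;
    if (xhr.status === 200) finish(null, xhr.responseText);
    else finish(new Error('HTTP ' + xhr.status + ' ' + xhr.statusText));
  }

  xhr.onreadystatechange = handleStateChange;
  xhr.open('GET', url, async);
  if (async && timeoutMs > 0) {
    timer = setTimeout(() => {
      xhr.abort();                       // halt the request
      finish(new Error('timeout after ' + timeoutMs + ' ms'));
    }, timeoutMs);
  }
  xhr.send(null);                        // a GET carries no request body
  // A synchronous send() blocks until the response is in; check once more in
  // case no event fired (finish() ignores a repeat).
  if (!async) handleStateChange();
  return xhr;
}

// Synchronous convenience: returns { err, text } straight away.
function fetchTextSync(url, createXhr) {
  let result = { err: null, text: null };
  fetchText(url, createXhr, (err, text) => { result = { err, text }; }, { async: false });
  return result;
}

// Constructed stand-in for the browser object: walks readyState 1 -> 2 -> 3 -> 4,
// firing onreadystatechange at each step, and answers from a routes table
// { url: { status, statusText, body } }. Asynchronous requests schedule the
// steps delayMs apart; synchronous ones run them inside send().
class FakeXMLHttpRequest {
  constructor(routes, delayMs) {
    Object.assign(this, { routes, delayMs: delayMs || 0, readyState: READY_STATE.UNINITIALIZED,
      status: 0, statusText: '', responseText: '', onreadystatechange: null, aborted: false });
  }
  _setState(state) {
    if (this.aborted) return;            // an aborted request goes quiet
    this.readyState = state;
    if (this.onreadystatechange) this.onreadystatechange();
  }
  open(method, url, async) {
    Object.assign(this, { method, url, async: async !== false });
    this._setState(READY_STATE.LOADING);
  }
  send() {
    const route = this.routes[this.url] || { status: 404, statusText: 'Not Found', body: '' };
    const steps = [
      () => this._setState(READY_STATE.LOADED),
      () => this._setState(READY_STATE.INTERACTIVE),
      () => {
        Object.assign(this, { status: route.status, statusText: route.statusText, responseText: route.body });
        this._setState(READY_STATE.COMPLETE);
      },
    ];
    if (!this.async) { steps.forEach((step) => step()); return; }
    steps.forEach((step, i) => setTimeout(step, this.delayMs * (i + 1)));
  }
  abort() { this.aborted = true; }
}

// Constructed sample "server": one public page and one forbidden path.
const SAMPLE_ROUTES = {
  '/index.html': { status: 200, statusText: 'OK', body: '<h1>Hello</h1>' },
  '/admin': { status: 403, statusText: 'Forbidden', body: '' },
};

// Stand-alone demo: a success and a slow request cut off by the timeout.
const fastXhr = () => new FakeXMLHttpRequest(SAMPLE_ROUTES, 0);
const slowXhr = () => new FakeXMLHttpRequest(SAMPLE_ROUTES, 200);
fetchText('/index.html', fastXhr, (err, text) => console.log('index:', err ? err.message : text));
fetchText('/index.html', slowXhr, (err, text) => console.log('slow:', err ? err.message : text), { timeoutMs: 50 });
```

In a real page the factory is simply `() => new XMLHttpRequest()`. Two details matter for anyone relying on this object from the defensive side: the handler must ignore every readyState below 4, because status and responseText are not meaningful before then, and a timeout paired with abort() keeps a script from holding connections open indefinitely. Note also that today's browsers apply the same-origin policy to XMLHttpRequest: a script can read the response of a cross-origin request only if the target server permits it through CORS headers.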

Now that you have learned the basics of the XMLHttpRequest object, these boring details are out of your way. You can turn your attention to the next few lines, where I will explain, through a simple example, how a potential attacker can use the object's capabilities to inflict damage on unsuspecting websites by means of Denial of Service (DoS) attacks.

© 2003-2019 by Developer Shed. All rights reserved.