In the first part of this article series, Alejandro Gervasio explained how the XMLHttpRequest object can be used to generate massive numbers of GET requests against a targeted server in order to launch denial of service attacks. In this article, he shows how HTTP POST requests, commonly used by Web forms to collect user data, can be automated in the same way, again leaving your system vulnerable to attack. With the information you learn from this series, you should be able to build more robust and safer Web applications, making your system less of a target.
Certainly, the program needs to be capable of tracking the status of the current HTTP request. For that purpose, I’ve defined the “displayStatus()” function, which reports the request status. Its code looks like this:
The task of the above function is simply to verify the status of the XMLHttpRequest object by checking the value of its “readyState” property. Once the request has completed, the function dynamically appends three regular paragraphs to the document tree in order to display basic information about the status of the request.
As you can see, the values of the “status”, “statusText” and “responseText” properties are displayed, which is useful for tracking the server response. I’ve defined this function to show the information in a rather rough way, but it could be improved with a more polished look and feel.
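Since the stated goal of the series is more robust Web forms, the server-side counterpart of the technique discussed above follows as an added example (my own code, not the article's): a per-client sliding-window limit on form POSTs combined with an Origin/Referer check, written for Node.js. The window size, the allowed origin, the client identifier and the request object shape are assumptions.

```javascript
// Added example, not code from the article: a server-side guard for a Web form
// endpoint that rejects bursts of automated POST requests such as the
// XMLHttpRequest-driven flood this series describes. Node.js, no dependencies.
// Policy values and the request object shape below are assumptions.

const WINDOW_MS = 10000;                      // sliding window length (assumed)
const MAX_POSTS = 5;                          // POSTs per client per window (assumed)
const ALLOWED_ORIGIN = 'https://example.com'; // the form's own origin (placeholder)

// Sliding-window counter keyed by client id (for instance the remote IP).
// `now` is passed in as milliseconds so the logic is deterministic and testable.
function makeRateLimiter(windowMs = WINDOW_MS, maxPosts = MAX_POSTS) {
  const hits = new Map();
  return function allow(clientId, now) {
    const recent = (hits.get(clientId) || []).filter(t => now - t < windowMs);
    if (recent.length >= maxPosts) {
      hits.set(clientId, recent);             // keep the pruned list, reject this one
      return false;
    }
    recent.push(now);
    hits.set(clientId, recent);
    return true;
  };
}

// Origin of a Referer URL, or null when it is missing or unparsable.
function originOf(referer) {
  try { return new URL(referer).origin; } catch (e) { return null; }
}

// Decide whether a form POST should be processed. `req` is a constructed plain
// object: { method, headers: { origin, referer }, clientId }.
function checkFormPost(req, allow, now) {
  if (req.method !== 'POST') return { ok: false, reason: 'method' };
  const origin = req.headers.origin || originOf(req.headers.referer);
  if (origin !== ALLOWED_ORIGIN) return { ok: false, reason: 'origin' };
  if (!allow(req.clientId, now)) return { ok: false, reason: 'rate' };
  return { ok: true, reason: 'accepted' };
}

// Replay `count` same-origin POSTs from one client `gapMs` apart and report
// how many the guard accepts; a tight burst is capped at MAX_POSTS.
function simulateBurst(count, gapMs) {
  const allow = makeRateLimiter();
  let accepted = 0;
  for (let i = 0; i < count; i++) {
    const req = { method: 'POST', clientId: '203.0.113.7',   // constructed client
                  headers: { origin: ALLOWED_ORIGIN } };
    if (checkFormPost(req, allow, i * gapMs).ok) accepted++;
  }
  return accepted;
}
```

A real deployment would also tie the form to a per-session token, but the two checks shown are enough to turn a flood of scripted submissions into a handful of processed requests.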
Certainly, there are a few functions that still need to be reviewed in depth before the program is complete and fully functional. A working example is also highly desirable, so you can see how a visitor with bad intentions may use this technique to launch attacks by exploiting the fairly weak structure of Web forms.
DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.