Friday, February 23rd, 2007

OWASP Testing Guide 2.0

Category: Testing

Dan Moore noted that the good people at OWASP have recently released version 2 of their testing guide which is available on a Wiki, and as a PDF.

On the Ajax front there is good content such as:

Testing for Ajax Endpoints

Before an AJAX-enabled web application can be tested, the call endpoints for the asynchronous calls must be enumerated. See Application_Discovery_AoC for more information about how traditional web applications are discovered. For AJAX applications, there are two main approaches to determining call endpoints: parsing the HTML and JavaScript files and using a proxy to observe traffic.

The advantage of parsing the HTML and JavaScript files in a web application is that it can provide a more comprehensive view of the server-side capabilities that can be accessed from the client side. The drawback is that manually reviewing HTML and JavaScript content is tedious and, more importantly, the location and format of server-side URLs available to be accessed by AJAX calls are framework dependent.

The tester should look through HTML and JavaScript files to find URLs of additional application surface exposure. Searching for use of the XMLHttpRequest object in JavaScript code can help to focus these reviewing efforts. Also, by knowing the names of included JavaScript files, the tester can determine which AJAX frameworks appear to be in use. Once AJAX endpoints have been identified, the tester should further inspect the code to determine the format required of requests.

Posted by Dion Almaer at 5:26 am
Comment here

3.6 rating from 16 votes

Comments Here »

Comments feed TrackBack URI

Leave a comment

You must be logged in to post a comment.