[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

RE: Cracking AJAX? Done yet?

• From: "Nathan Young -X \(natyoung - Artizen at Cisco\)" <natyoung@c...>
• To: "Peter Hunsberger" <peter.hunsberger@g...>, <david.lyon@p...>
• Date: Tue, 7 Nov 2006 20:28:16 -0800

In some cases the web services that are used by javascript clients are
also available to anyone else, or they are a special version of a widely
available web service.

There are likely to be all the same access restrictions on the data
available via a raw XMLHttpRequest that there would be on a regular page
that contained that data so if by "cracking" you mean getting
unauthorized access I wouldn't expect a free lunch (that said, given the
current fever it may be that the security model on some services used by
ajaxs apps has been rushed out the door).

Anecdotally json is used pretty widely so I wouldn't count on ajax realy
being XML under the hood.  I'd give it a more even distribution between
XML, json and roll-your-own formats (and I have no numbers to back this
up).

--->N



.:||:._.:||:._.:||:._.:||:._.:||:._.:||:._.:||:._.:||:._.:||:._.:||:._.:
||:.

Nathan Young
Cisco.com->Interface Development
A: ncy1717
E: natyoung@c...  

> -----Original Message-----
> From: Peter Hunsberger [mailto:peter.hunsberger@g...] 
> Sent: Tuesday, November 07, 2006 7:33 PM
> To: david.lyon@p...
> Cc: xml-dev@l...
> Subject: Re:  Cracking AJAX? Done yet?
> 
> Not sure what you want to do, but you can mostly reverse engineer the
> Ajax calls.  Sometimes the underlying libraries are obscured, but at
> some level, every Ajax call begins with a Javascript invocation (plain
> text) from a web page.
> 
> In our case, this makes it easier to get at the underlying data, once
> you dig down far enough to figure out the calls you can invoke them
> directly and get the relevant XML (or sometimes other wise encoded)
> data directly.
> 
> There are tools to track the underlying HTML calls that work at the
> browser level -- you shouldn't have to resort to proxies -- but so far
> I've never had the need for them...
> 
> On 11/7/06, david.lyon@p... 
> <david.lyon@p...> wrote:
> > List,
> >
> > Since Ajax transfers xml data down the http pipe, is 
> anybody aware of
> > any http filters that can be used with ajax data to siphone the
> > information out?
> >
> > For example, some website sells computer parts and they are using
> > ajax. In the old days one would just screenscrape and parse the html
> > to get to the data. Now with ajax it's all going 
> up-and-down the html
> > pipe and not being seen.
> >
> > The data should be there, somewhere hiding in the pipe somewhere.
> >
> > So from the website, if we just click at the right spots, and filter
> > the http for xml tags, then we should get the data right?
> >
> > Maybe it can be done at the proxy server level?
> >
> > Just curious? has anybody tried?
> >
> >
> > David
> >
> > 
> ______________________________________________________________
> _________
> >
> > XML-DEV is a publicly archived, unmoderated list hosted by OASIS
> > to support XML implementation and development. To minimize
> > spam in the archives, you must subscribe before posting.
> >
> > [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
> > Or unsubscribe: xml-dev-unsubscribe@l...
> > subscribe: xml-dev-subscribe@l...
> > List archive: http://lists.xml.org/archives/xml-dev/
> > List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> >
> >
> 
> 
> -- 
> Peter Hunsberger
> 
> ______________________________________________________________
> _________
> 
> XML-DEV is a publicly archived, unmoderated list hosted by OASIS
> to support XML implementation and development. To minimize
> spam in the archives, you must subscribe before posting.
> 
> [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
> Or unsubscribe: xml-dev-unsubscribe@l...
> subscribe: xml-dev-subscribe@l...
> List archive: http://lists.xml.org/archives/xml-dev/
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
>