How to know an HTTP request is from Ajax? - ajax

Is it possible to know that an HTTP request is from Ajax? If yes, how?

Many frameworks add a header X-Requested-With set to XMLHttpRequest when sending an AJAX request. If you are using jQuery or Microsoft frameworks, this should work. If using another framework, you'll have to check the documentation. Since normal requests don't have the header, a check for the presence of the header should be sufficient.
If you are using your own "home-built" AJAX or the framework doesn't do this, but does allow you to set a header, you could simply follow this convention and add your own header when making the request.
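The convention from the answer above, worked through on the server side as an added example (this is not code from the answer or from any framework). The point to keep in mind: the header is a hint for content negotiation, not proof of who sent the request. Anything that can set headers (curl, a script, a proxy) can add it; its only protection against cross-site abuse is that browsers will not send a custom header cross-origin without a CORS preflight. In the browser, the matching client side is simply `fetch(url, { headers: { 'X-Requested-With': 'XMLHttpRequest' } })`, which is what jQuery does for you. The port and response bodies are made up.

```javascript
// Added example, not from the original answer: treat X-Requested-With as a
// hint for content negotiation, never as authentication.

// Header names are case-insensitive in HTTP. Node lower-cases them in
// req.headers, but a hand-built headers object might not, so normalise.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) return String(value);
  }
  return undefined;
}

// True when the request carries the de-facto convention used by jQuery,
// Prototype, ASP.NET AJAX and others: X-Requested-With: XMLHttpRequest.
// Other clients put other values there (Android WebViews send the app id),
// so compare the value, not just the presence of the header.
function isAjaxRequest(headers) {
  const value = headerValue(headers, 'x-requested-with');
  return value !== undefined && value.trim().toLowerCase() === 'xmlhttprequest';
}

// Decide how to answer: JSON for script callers, HTML for a browser navigation.
// Returns a plain object so the decision can be unit-tested without sockets.
function buildResponse(headers) {
  if (isAjaxRequest(headers)) {
    return {
      status: 200,
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ ok: true, via: 'ajax' }),
    };
  }
  return {
    status: 200,
    headers: { 'Content-Type': 'text/html; charset=utf-8' },
    body: '<!doctype html><p>Full page render</p>',
  };
}

// Minimal server wiring (assumed port), only started on request so that
// importing this file never opens a socket.
function startServer(port) {
  const http = require('http');
  const server = http.createServer((req, res) => {
    const out = buildResponse(req.headers);
    res.writeHead(out.status, out.headers);
    res.end(out.body);
  });
  server.listen(port);
  return server;
}

if (typeof process !== 'undefined' && process.argv.includes('--serve')) {
  startServer(8080);
  // Try:  curl http://localhost:8080/                                    -> HTML
  //       curl -H 'X-Requested-With: XMLHttpRequest' http://localhost:8080/ -> JSON
}
```

Run it with `node file.js --serve` and the two curl commands in the comment show the same URL answering differently; the second curl also demonstrates why this must never gate anything sensitive.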

Most frameworks set the X-Requested-With header to state it, but standard AJAX requests don't.

I would assume that any request received by a server would appear to be the same (i.e. HTTP POST/GET) and that you would need to look at the referer, but that may just give you the browser details?

Related

How can I handle AJAX requests in gatling?

Is that even possible to handle that kind of request? I can't find a decent explanation.
From a network perspective, an Ajax request is just a regular HTTP request, sometimes with some specific HTTP headers such as X-Requested-With or CORS headers.
Gatling sends HTTP requests (or other protocol), so it really doesn't care that a request is an "Ajax" one.
Then, Gatling is not a browser, so it doesn't run your client-side JavaScript and won't automatically trigger Ajax requests for you. You have to include them explicitly in your scenario.

How to send the right Access-Control-Allow-Origin value for responses to cross-origin requests with credentials/cookies

I have a setup where a client application is running on a different domain (http://www.example.com) than the server application (http://www.example2.com). I've got the cross domain AJAX requests working except that I cannot figure out a way to send cookies with the request without having to add the Access-Control-Allow-Origin response header for each possible domain. Is there a way to set this up without having to specify a list of domains in that header? I'm aware of the security implications so I guess what I'm really asking is ... is there another framework separate from CORS that I can use which will allow this type of setup and at the same time allow any domain for the client application? I tried JSONP but that did not work out (could not send the cookie with the JSONP request). Is there something else I should try other than CORS and JSONP? Thanks.
EDIT: This is not a duplicate of the question mentioned in the duplicate notification. I'm already aware of the withCredentials flag. The problem is that I don't want to have to specify a list of domains in the CORS response header. I want something equivalent to setting that value to '*', but setting it to '*' is not allowed if sending a cross domain AJAX request that contains cookies.
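An added example (not from the question, which has no answer on this page) of how a server picks the Access-Control-Allow-Origin value when the request carries cookies. Browsers reject `*` on a credentialed response, so the server has to answer with one concrete origin: compare the request's Origin header against an allowlist and echo it back only on a match, add `Access-Control-Allow-Credentials: true`, and send `Vary: Origin` so a shared cache never serves one origin's response to another. The client side is `fetch(url, { credentials: 'include' })` or `xhr.withCredentials = true`. The allowlist entries and origins below are made up; the last function shows what "any domain plus cookies" would actually mean, and is there to be read, not deployed.

```javascript
// Added example, not from the original post. Allowlist entries are assumed.
const ALLOWED_ORIGINS = new Set([
  'http://www.example.com',
  'https://app.example.com',
]);

// Returns the CORS response headers for a credentialed request, or an empty
// object when the origin is not allowed (the browser then blocks the read).
function corsHeadersFor(originHeader, allowlist = ALLOWED_ORIGINS) {
  if (typeof originHeader !== 'string') return {};
  // Compare the serialised origin exactly: scheme, host and port. A substring
  // or regex match such as endsWith('example.com') lets evil-example.com
  // through, and the literal string "null" (sandboxed iframes, file://) must
  // never be on the list.
  if (!allowlist.has(originHeader)) return {};
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Preflight (OPTIONS) responses additionally need to list what is allowed.
// Wildcards in Allow-Headers/Allow-Methods are not honoured for credentialed
// requests either, so they are spelled out.
function preflightHeadersFor(originHeader, allowlist = ALLOWED_ORIGINS) {
  const base = corsHeadersFor(originHeader, allowlist);
  if (Object.keys(base).length === 0) return {};
  return {
    ...base,
    'Access-Control-Allow-Methods': 'GET, POST',
    'Access-Control-Allow-Headers': 'Content-Type, X-Requested-With',
    'Access-Control-Max-Age': '600',
  };
}

// What the question asks for, shown so the consequence is visible: echoing
// whatever Origin arrives is functionally "*" plus cookies, i.e. any site
// the user visits can read that user's authenticated responses. Do not deploy.
function reflectAnyOriginUNSAFE(originHeader) {
  if (typeof originHeader !== 'string') return {};
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
  };
}
```

If the set of client origins is genuinely open-ended, the usual way out is not to widen CORS but to stop relying on cookies for the cross-origin calls: issue a bearer token the client sends explicitly, and keep cookies for same-site use.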

AJAX client tool for interrogating endpoints

Are there any AJAX client tools for interrogating ajax endpoints?
I am using firebug for development and have installed some addons for manipulating the request headers.
However, I am finding this to be quite unproductive as I need to set the X-Requested-With in the header whenever I want to test my AJAX endpoint and then remove it for testing my pages normally.
I am looking for a GUI tool which allows me to point it to an AJAX endpoint and craft a request, be it a JSON request or just a standard GET/POST request.
Something equivalent to Pinta (for testing AMF requests) in the AJAX world would be nice.
Do any tools like this exist?
I just found HttpRequest (a Firefox addon) that can do this. Simply set the request header x-requested-with to XMLHttpRequest and away you go!

will the webserver [IIS] possibly know whether a request is an AJAX request or a Normal one

will any webserver [IIS possibly] know whether a request is an AJAX request or a Normal one.
If you are using native XmlHttpRequests then there is no difference between this request and one generated by visiting a page or submitting a form. If you use jQuery to create the AJAX request then it adds a request header X-Requested-With: XMLHttpRequest. This header could be used to distinguish AJAX and non-AJAX requests.
Some (most?) frameworks can send a custom header, but, really, an ajax request is just the same as a "normal" request from the point of view of the server.
If you use curl, wget, telnet, or a program you write yourself, then the web server handles the request the same way - at the end of the day, it's all HTTP.
The easiest way for the receiving page to 'know' would be to send a query string parameter. This isn't 100% safe though.
Firebug can show you what is being sent to the server from both types of requests, try it out.
Possibly, it is not the webserver that can distinguish, but the server side code might be able to distinguish. If you are talking about ASP.NET and AJAX, then ScriptManager.IsInAsyncPostBack can be used to find whether a postback is from AJAX or not.

Does requiring POST plus custom Content-Type prevent CSRF?

My team is building a site that uses AJAX calls to WCF services for all state changes. Those services only accept a request if its method is POST and its Content-Type is 'application/json'. Assuming that our site has no XSS vulnerabilities, is this sufficient protection against CSRF for our WCF services? Is it possible for an attacker to create a cross-site POST with a custom Content-Type header?
[EDIT]
Obviously there are several ways for a malicious third party site to construct an HTTP POST request to my site. As far as I am aware, however, none of these methods allow for changing the Content-Type header. XHR and Flash both let you set headers, but have strict cross-site restrictions.
Probably, but why not go ahead and check the HTTP Referrer header? Then you will know for sure.
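An added example (not from the question or the answer) that models the rule the "POST plus custom Content-Type" defence actually rests on: a browser sends a cross-site request without a CORS preflight only when it is a "simple" request, which in the Fetch standard means a safelisted method, only safelisted headers, and a Content-Type whose essence is one of three form-style values. The classifier below is a simplified version of that rule (it omits the `Range` header special case and forbidden-byte checks), and the sample requests are constructed. It covers the browser's own XHR/fetch behaviour; plugins with their own policy files were the historical exception the question alludes to. Two caveats a practitioner would add: the defence is only as strong as the server's Content-Type comparison, since a `text/plain` body shaped like JSON is a simple request and does reach the server; and a Referer check helps only when the header is present, which proxies and privacy settings often prevent, so a per-session CSRF token or SameSite cookies remain the usual robust control.

```javascript
// Added example, not from the original thread: a simplified model of the
// Fetch standard's "CORS-safelisted" request rule, plus the gate the
// question describes, to see which constructed cross-site posts get through.
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// "Application/JSON; charset=utf-8" -> "application/json"
function mimeEssence(value) {
  return String(value).split(';')[0].trim().toLowerCase();
}

// Would a browser send this cross-origin without asking the target first?
// A plain <form> post is always simple; an XHR with a custom header or a
// JSON body is not, and the preflight fails unless the target explicitly
// allows the foreign origin.
function isSimpleRequest(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return false;
  for (const [rawName, rawValue] of Object.entries(headers)) {
    const name = rawName.toLowerCase();
    const value = String(rawValue);
    if (!SAFELISTED_HEADERS.has(name)) return false;      // e.g. X-Requested-With
    if (value.length > 128) return false;                 // spec byte limit
    if (name === 'content-type' && !SAFELISTED_CONTENT_TYPES.has(mimeEssence(value))) return false;
  }
  return true;
}

// The service described in the question: accept only POST with a
// Content-Type whose essence is exactly application/json. A looser match
// (e.g. value.includes('json')) would be a different, weaker gate.
function strictJsonPostGate(method, headers) {
  const ct = Object.entries(headers).find(([k]) => k.toLowerCase() === 'content-type');
  if (method.toUpperCase() !== 'POST') return 'rejected';
  if (!ct || mimeEssence(ct[1]) !== 'application/json') return 'rejected';
  return 'accepted';
}

// Put the two together for a request forged from a third-party page.
function csrfExposure(method, headers) {
  if (!isSimpleRequest(method, headers)) return 'blocked-by-browser';
  return strictJsonPostGate(method, headers) === 'accepted' ? 'EXPLOITABLE' : 'rejected-by-server';
}

// Constructed sample requests an attacker's page could try to send.
const SAMPLES = [
  ['POST', { 'Content-Type': 'application/x-www-form-urlencoded' }], // <form>
  ['POST', { 'Content-Type': 'text/plain;charset=UTF-8' }],          // <form enctype=text/plain>
  ['POST', { 'Content-Type': 'application/json' }],                   // XHR with JSON
  ['POST', { 'Content-Type': 'application/json', 'X-Requested-With': 'XMLHttpRequest' }],
];

function exposureReport(samples = SAMPLES) {
  return samples.map(([m, h]) => [m, JSON.stringify(h), csrfExposure(m, h)]);
}
```

`exposureReport()` shows the two form-style posts reaching the server and being stopped only by the strict Content-Type check, while both JSON variants never leave the browser without a preflight.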