I have read and heard a lot of information about the new dangers related to Ajax enabled sites. I am really interested in methods being used by the "pros" to test ajax heavy sites.
Request modifications must happen the same way as they do in traditional web app testing: catch the request in a proxy, identify the changes you want to make, and analyze the responses...
The problem with Ajax-enabled sites is that the requests are not necessarily pre-defined, and the creation of the requests is likely tied to a workflow executed by the user. As a tester this creates some unique challenges. Somehow the tester must execute the JavaScript that generates the requests in a way that emulates a user's activity, capture those requests, and modify them to test for weaknesses.
One method is to identify all the JavaScript functions loaded by a page and use the JavaScript Shell bookmarklet (http://www.squarefree.com/shell/) to execute the functions while capturing the requests in a proxy. This method requires a phenomenal amount of application knowledge to perform. It is not fast or easy.
What methods do you use for Ajax site testing?
EW
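As an added example (not code from this thread, and not part of the JavaScript Shell or any other tool named in it), the following script shows a complementary approach to calling each function by hand: instrument XMLHttpRequest so that every request the page's own JavaScript builds is recorded, whichever click or keystroke triggered it, and summarise the result as an inventory of endpoints and parameter names that can then be replayed or modified through the proxy. The names installXhrRecorder, extractParams, FakeXMLHttpRequest and simulatePageActivity are my own; the fake XHR and the simulated page activity are constructed stand-ins so the block runs offline under Node, whereas in a browser you would pass window.XMLHttpRequest from the console or a bookmarklet.

```javascript
// Added example, not code from the original thread.
// Instruments an XMLHttpRequest constructor so that every request the page's
// JavaScript issues is logged with method, URL, headers, body and the
// parameter names it carries.

function extractParams(rec) {
  // Query-string names from the URL; the base origin is only a placeholder
  // so that relative URLs parse.
  const names = new Set();
  try {
    new URL(rec.url, "http://placeholder.invalid").searchParams.forEach((_, k) => names.add(k));
  } catch (e) { /* unparsable URL: no query parameters recorded */ }
  const ctype = rec.headers["content-type"] || "";
  if (rec.body) {
    if (ctype.includes("application/json")) {
      try { Object.keys(JSON.parse(rec.body)).forEach((k) => names.add(k)); } catch (e) { /* not JSON */ }
    } else if (ctype.includes("application/x-www-form-urlencoded")) {
      new URLSearchParams(rec.body).forEach((_, k) => names.add(k));
    }
  }
  return [...names].sort();
}

function installXhrRecorder(XhrCtor) {
  const log = [];
  const proto = XhrCtor.prototype;
  const { open, setRequestHeader, send } = proto; // originals, called through

  proto.open = function (method, url, ...rest) {
    this.__rec = { method: String(method).toUpperCase(), url: String(url), headers: {}, body: null };
    return open.call(this, method, url, ...rest);
  };
  proto.setRequestHeader = function (name, value) {
    if (this.__rec) this.__rec.headers[String(name).toLowerCase()] = String(value);
    return setRequestHeader.call(this, name, value);
  };
  proto.send = function (body) {
    if (this.__rec) {
      this.__rec.body = body == null ? null : String(body);
      this.__rec.params = extractParams(this.__rec);
      log.push(this.__rec);
    }
    return send.call(this, body);
  };

  return {
    entries: () => log.slice(),
    // One row per method + path with the union of parameter names seen, so the
    // tester knows which endpoints exist and where user input reaches the server.
    inventory: () => {
      const rows = new Map();
      for (const e of log) {
        const key = `${e.method} ${e.url.split("?")[0]}`;
        const row = rows.get(key) || { endpoint: key, count: 0, params: new Set() };
        row.count += 1;
        e.params.forEach((p) => row.params.add(p));
        rows.set(key, row);
      }
      return [...rows.values()].map((r) => ({ endpoint: r.endpoint, count: r.count, params: [...r.params].sort() }));
    },
  };
}

// Constructed stand-in for the browser's XMLHttpRequest (sends nothing).
class FakeXMLHttpRequest {
  open(method, url) { this.method = method; this.url = url; }
  setRequestHeader() {}
  send(body) { this.sentBody = body; }
}

// Constructed stand-in for the page's own Ajax code: a search workflow run
// twice and an add-to-cart workflow run once.
function simulatePageActivity(XhrCtor) {
  const search = new XhrCtor();
  search.open("get", "/api/search?q=shoes&page=2");
  search.send();
  const addToCart = new XhrCtor();
  addToCart.open("POST", "/api/cart");
  addToCart.setRequestHeader("Content-Type", "application/json");
  addToCart.send(JSON.stringify({ sku: "A1", qty: 1 }));
  const again = new XhrCtor();
  again.open("GET", "/api/search?q=hats");
  again.send();
}

// Instruments a fresh subclass each time so repeated calls never double-wrap.
function recordedInventory() {
  class InstrumentedXhr extends FakeXMLHttpRequest {}
  const recorder = installXhrRecorder(InstrumentedXhr);
  simulatePageActivity(InstrumentedXhr);
  return recorder.inventory();
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(recordedInventory(), null, 2));
}
```

The recorder only sees traffic that the page actually generates, so it complements rather than replaces walking the application: workflows the tester never exercises still produce no entries, which is exactly the gap the original question describes.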
EW,
For manual debugging of Ajax applications, I normally use Firefox because it has several useful plug-ins that help with not just Ajax but analysing web traffic in general and how the site is constructed. As debuggers go, Venkman and Firebug are very useful in following the logic as the page is rendered. This allows for a more interactive approach and lets the browser handle the actual JavaScript execution. The traffic itself can be monitored by SPI Proxy or other Firefox plug-ins such as Tamper or LiveHeaders. For a write-up on how to use the tools, please take a look at "Hacking Web 2.0 Applications with Firefox". This paper does a basic walk-through on using some of the tools I mentioned and has some other tools to run functions outside of the web application itself.
-Daniel
I just read my initial post and realized it was horribly worded. I apologize to everyone for that affliction, but I was at SPICon at the time and may have already been drinking.
Thanks for the reply; I will look into the link you posted.
One of our engineers, Bryan Sullivan, recently wrote an article about teaching your QA department how to test Ajax applications properly for security defects. It's a good read:
http://www.devcity.net/Articles/273/1/article.aspx
Enjoy!
Billy Hoffman -- Lead Researcher, SPI Labs
SPI Dynamics Inc. – http://www.spidynamics.com
Phone: 678-781-4800
Direct: 678-781-4845