Chapter 10. Attacking AJAX

A distributed system is one in which the failure of a computer you didn’t even know existed can render your own computer unusable.

Leslie Lamport

AJAX stands for Asynchronous JavaScript and XML, and it is one of the cornerstone technologies of what is called “Web 2.0.” The distinction between Web 2.0 and Web 1.0 is clearest in how the application interacts with the user. Web 1.0 applications were simple. You had a few basic building blocks: links and forms. You clicked on links and you filled in forms. By clicking a link or clicking the Submit button, you sent a set of inputs to the application and it returned a whole new page in response. Web 2.0 applications are more interactive, and the whole page does not reload because you clicked a button. Instead, the JavaScript in the page makes small requests to the server on its own, asynchronously, and updates part of the page without refreshing the rest of it. That JavaScript can decide, for any number of reasons, that it needs data and can request it without your clicking anything. For the tester, this matters because each of those requests is an ordinary HTTP request carrying parameters the server must treat as untrusted input, even though no user action visibly triggered it.

A trivial example application of AJAX is a running stock ticker. Every 30 seconds, whether you click anything or not, it updates the current stock price in one part of your web page. Another example is an events calendar that reacts to the mouse hovering over a date, rather than to clicking the date. As the mouse moves over a date (the onMouseOver event), the JavaScript in the web page ...
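The polling stock ticker described above, written out as an added example to show what the page actually sends and what it does with the reply. This is illustration code, not code from the Web Security Testing Cookbook; the /quote endpoint, the symbol parameter and the JSON field names are assumptions. The request/response logic is kept separate from the browser's XMLHttpRequest so that the same functions can be exercised with a constructed fake server outside a browser.

```javascript
// Added example (not from the Web Security Testing Cookbook): a polling stock
// ticker of the kind described in the text. The endpoint /quote, the symbol
// parameter and the JSON fields {symbol, price} are assumptions for illustration.

// Build the request that the page fires on its own, with no click involved.
// From the tester's point of view this is just an HTTP GET with a parameter.
function buildQuoteRequest(symbol) {
  return {
    method: 'GET',
    url: '/quote?symbol=' + encodeURIComponent(symbol),
  };
}

// Turn the server's JSON reply into the text that replaces one element of the
// page. Malformed or unexpected responses are reported, never rendered as-is.
function renderQuote(status, body) {
  if (status !== 200) return 'quote unavailable (HTTP ' + status + ')';
  var data;
  try {
    data = JSON.parse(body);
  } catch (e) {
    return 'quote unavailable (bad JSON)';
  }
  if (data === null || typeof data !== 'object' ||
      typeof data.symbol !== 'string' || typeof data.price !== 'number') {
    return 'quote unavailable (unexpected fields)';
  }
  return data.symbol + ': ' + data.price.toFixed(2);
}

// Transport that uses the browser's XMLHttpRequest. The ticker only needs
// `send(request, callback)`, so a fake transport can be substituted below.
function xhrTransport(request, callback) {
  var xhr = new XMLHttpRequest();
  xhr.open(request.method, request.url, true); // true = asynchronous
  xhr.onreadystatechange = function () {
    if (xhr.readyState === 4) callback(xhr.status, xhr.responseText);
  };
  xhr.send(null);
}

// One poll: fire the request, then update only the target element. Writing
// textContent (not innerHTML) means the reply is shown as text, not markup.
function pollOnce(symbol, transport, element) {
  transport(buildQuoteRequest(symbol), function (status, body) {
    element.textContent = renderQuote(status, body);
  });
}

// Poll immediately and then every intervalMs; returns a function that stops it.
function startTicker(symbol, transport, element, intervalMs) {
  pollOnce(symbol, transport, element);
  var timer = setInterval(function () {
    pollOnce(symbol, transport, element);
  }, intervalMs);
  return function stop() { clearInterval(timer); };
}

// Constructed fake server (hypothetical data) for running this outside a
// browser: answers synchronously and records every request it received,
// which is exactly what an intercepting proxy would log.
function fakeTransport(log) {
  return function (request, callback) {
    log.push(request.method + ' ' + request.url);
    if (request.url === '/quote?symbol=ACME') {
      callback(200, JSON.stringify({ symbol: 'ACME', price: 12.5 }));
    } else {
      callback(404, 'not found');
    }
  };
}

// In a real page: start the 30-second ticker on an element with id "ticker".
if (typeof document !== 'undefined' && document.getElementById('ticker')) {
  startTicker('ACME', xhrTransport, document.getElementById('ticker'), 30000);
}
```

Run in a browser, the guarded block at the end produces a `GET /quote?symbol=ACME` every 30 seconds whether or not the user touches the page, which is what an intercepting proxy will show. Run under Node with `fakeTransport`, the same functions can be checked against constructed replies, including the failure cases where the server returns an error status, unparseable JSON or fields the page did not expect.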
