Hijacking XHRs with JavaScript

Scenario

In this example we modify our hijack approach to make a copy of the XHR object and then overwrite the entire object with a new, locally created object. That object acts just like the original XHR by calling the saved methods, but it has our "snooping" code in place as well. We alert out the values you picked as well as the response, but we also send them to our "hacker" site badguy.ajaxref.com using an image transport. Go look for yourself.

The purpose of this example is to show that this is not a library-specific issue: the XHR object is overridden at a low enough level that the library in play is irrelevant.
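An added example, not code from the original page or from ajaxref.com: a check a page can run before trusting XMLHttpRequest. Anything a page script defines, including a copy-and-overwrite wrapper like the one described above, stringifies without `[native code]` through `Function.prototype.toString`, and a `.bind()`-built stand-in has no own `prototype`, so both leave a footprint. The names `looksNative`, `auditConstructor` and `demo` are this example's own; Node has no XMLHttpRequest, so the demo uses the built-in `Map` as the stand-in native constructor.

```javascript
const XHR_METHODS = ['open', 'send', 'setRequestHeader', 'abort'];

// True when fn stringifies as a built-in. Function.prototype.toString is called
// directly so a replaced fn.toString cannot lie about the source text.
function looksNative(fn) {
  if (typeof fn !== 'function') return false;
  return /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Audits scope[ctorName] (window.XMLHttpRequest in a browser) and the listed
// prototype methods. Returns findings; an empty list means nothing looked replaced.
function auditConstructor(scope, ctorName = 'XMLHttpRequest', methods = XHR_METHODS) {
  const findings = [];
  const ctor = scope[ctorName];
  if (typeof ctor !== 'function') {
    findings.push(`${ctorName} is missing or not a function`);
    return findings;
  }
  if (!looksNative(ctor)) findings.push(`${ctorName} is script-defined`);
  if (!Object.prototype.hasOwnProperty.call(ctor, 'prototype')) {
    // A .bind()-produced function stringifies as native but carries no prototype.
    findings.push(`${ctorName} has no own prototype (bound function?)`);
    return findings;
  }
  for (const m of methods) {
    const fn = ctor.prototype[m];
    if (typeof fn !== 'function') findings.push(`${ctorName}.prototype.${m} missing`);
    else if (!looksNative(fn)) findings.push(`${ctorName}.prototype.${m} is script-defined`);
  }
  return findings;
}

// Constructed demo: Map stands in for the native constructor inside a fake window
// object, and a copy-and-overwrite wrapper in the shape described above is laid over it.
function demo() {
  const clean = { Map };
  const Original = clean.Map;                             // the saved original
  function FakeMap() { this.real = new Original(); }      // script-defined copy
  for (const m of ['get', 'set']) {
    FakeMap.prototype[m] = function (...a) { return this.real[m](...a); }; // forward
  }
  const hijacked = { Map: FakeMap };
  return {
    clean: auditConstructor(clean, 'Map', ['get', 'set']),
    hijacked: auditConstructor(hijacked, 'Map', ['get', 'set']),
  };
}
```

A `Proxy` around the real constructor passes this check, so treat it as one signal alongside a Content Security Policy and subresource integrity, not as proof of a clean page.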

Important for Firebug users: you must disable Firebug for this to work!

How do you feel about Ajax Security?

Who cares... - [ 1 2 3 4 5 ] - Scared out of my mind