XMLHttpRequest Security

Tue, 02 Jun 2020 00:00:00 +0000

It’s possible to intercept, adjust and otherwise tamper with a XHR request with javascript in the browser. The most common way of doing this is simply making a pointer reference to the original XMLHttpRequest.prototype.send function, overwriting that function with a new one that does the tampering and then calls the original send function once finished. Here’s an example:

const XHR = XMLHttpRequest,
 XHRopen = XHR.prototype.open;

 XHR.prototype.open = function() {
 onFinish();
 XHRopen.apply(this, arguments);
 };

Identifying Tampering

It’s very straight forward to identify tampering of the function. Simply ensure that the XMLHttpRequest.prototype.open.toString() === 'function send() { [native code] }'; evaluates to true. The function should always be native code if it wasn’t corrupted or tampered with.

XMLHttpRequest on Nathaniel Inman

XMLHttpRequest Security

Identifying Tampering