Intro & Instructions

This is a demo by Gary Fenton showing how a script kiddie who is fiddling with the parameters sent to your backend script, or leeching data from your website, can be outfoxed or frustrated into giving up. It is by no means a way to secure your Ajax applications against misuse: the token is visible to anyone who can read the page, and the server must still validate every parameter it receives. It will, however, go some way towards making some people believe you have secured them.

  1. Trigger an XMLHttpRequest by selecting an item just to the right, and watch the response from the server.
  2. The gray area at the bottom shows what data has been posted to the server.
  3. Try editing the data that is sent to the server, e.g. change the product name in the gray text area to dog or computer, then click the button.
  4. Next, try altering the myToken value. The server will not answer a request that carries the wrong token; it returns a 404 rather than an error that admits a token check exists, to confuse anyone who has been tampering. Use the brilliant Firebug plugin for Firefox to see the status code.
  5. For the purpose of this demo the token expires 90 seconds after this page loads. From then on all requests to the backend script are rejected.
  6. Reload this page to be issued a new token for another 90 seconds.

Ajax Bouncer Demo

Select an item:


Tamper with the data that's sent to the server using the text box and submit button below.

Post data to server: