yzT yzT - 6 months ago 26
Ajax Question

Can't see AJAX call in proxy/chrome's dev tools

The following code snippet is used by a coworker to get an URL from a DB and then submit a "virtual" form to that URL.

url: location.origin + location.pathname + "data/getURL.php",
method: "POST",
data: {
userName: user
success: function( data : any, textStatus : string, jqXHR : JQueryXHR){
var url = (JSON.parse(data)).url;

if(url !== undefined && url !== null && url !== ""){
var sender : HTMLFormElement = document.createElement("form");
sender.setAttribute("action", `http://${url}/receive`);
sender.setAttribute("method", "POST");

var userSenderField = document.createElement("input");
userSenderField.setAttribute("type", "hidden");
userSenderField.setAttribute("name", "user");
userSenderField.setAttribute("value", user);

var passSenderField = document.createElement("input");
passSenderField.setAttribute("type", "hidden");
passSenderField.setAttribute("name", "password");
passSenderField.setAttribute("value", password);


Using either Burp Suite or just Chrome's Dev Tools, I can see the call to
but then I can't see the call to
. Why?


For the sake of argument, let's say your ajax call to data/getURL.php succeeded, but delivered bad or unexpected data.

You then end up in your ajax call's success handler.

The success handler immediately creates a new form, populates it with (the bad) data, and submits the form.

This causes a postback to happen.

Chrome's dev tools clear the network panel upon postback by default, also clearing the call to "data/getURL.php", so you never actually saw the call succeed, and could not see in the net panel what it did. (ergo, you had no idea that data/getURL.php delivered the wrong data to you.

if you put a breakpoint in your ajax success handler before it submits the form, you can actually see what is going on.