AJAX How to test AoC
Because most attacks against AJAX applications are analogs of attacks against traditional web applications, testers should refer to other sections of the testing guide to look for specific parameter manipulations to use in order to discover vulnerabilities. The challenge with AJAX-enabled applications is often finding the endpoints that are the targets for the asynchronous calls and then determining the proper format for requests.
Description of the Issue
Black Box testing and example
Testing for AJAX Endpoints:
The advantage of using a proxy to observe traffic is that the actual requests demonstrate conclusively where the application is sending requests and what format those requests are in. The disadvantage is that only the endpoints the application actually calls will be revealed. The tester must fully exercise the remote application, and even then there may be additional endpoints that are available but not actively in use.
By enumerating the AJAX endpoints available in an application and determining the required request format the tester can set the stage for further analysis of the application. Once endpoints and proper request formats have been determined, the tester can use a web proxy and standard web application parameter manipulation techniques to look for SQL injection and parameter tampering attacks.
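The following script is an added worked example for the two steps above and is not part of the original guide. It complements the proxy approach: it pulls string-literal endpoint URLs and methods out of the application's client-side JavaScript (XMLHttpRequest, fetch and the jQuery helpers), parses raw requests captured by an intercepting proxy to learn each endpoint's request format and parameter names, and then lists the endpoints referenced in the script that the proxy never saw, which is exactly the gap the proxy-only approach leaves. The JavaScript snippet and the captured requests are constructed samples, and the regex-based extractor is a heuristic that only recovers URLs written as literals.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of client-side JavaScript, standing in for a script
# retrieved from the application under test (not from any real application).
SAMPLE_JS = r"""
var xhr = new XMLHttpRequest();
xhr.open("POST", "/api/cart/add", true);
xhr.setRequestHeader("Content-Type", "application/json");
xhr.send(JSON.stringify({sku: sku, qty: qty}));

fetch("/api/search?q=" + encodeURIComponent(term)).then(r => r.json());

$.ajax({ url: "/api/user/profile", type: "GET", dataType: "json" });
$.getJSON("/api/items", { page: 1 }, render);
$.post("/legacy/updateName.php", { name: newName });
"""

# Constructed raw HTTP requests, standing in for entries recorded by an
# intercepting proxy while the tester exercised the application.
SAMPLE_CAPTURE = [
    'POST /api/cart/add HTTP/1.1\r\nHost: shop.example\r\n'
    'Content-Type: application/json\r\nX-Requested-With: XMLHttpRequest\r\n\r\n'
    '{"sku": "A-100", "qty": 2}',
    'POST /legacy/updateName.php HTTP/1.1\r\nHost: shop.example\r\n'
    'Content-Type: application/x-www-form-urlencoded\r\n\r\nname=alice&csrf=abc123',
    'GET /api/search?q=lamp&page=2 HTTP/1.1\r\nHost: shop.example\r\n\r\n',
]


def _path(url):
    """Drop any query string so the same endpoint is not counted twice."""
    return urlsplit(url).path


def find_ajax_endpoints(js_source):
    """Return sorted, de-duplicated (METHOD, path) pairs referenced by the
    script. Only literal URLs are recovered; URLs assembled entirely from
    variables at runtime will only show up in the proxy capture."""
    found = set()
    # xhr.open("METHOD", "url", ...)
    for m in re.finditer(r'\.open\(\s*["\'](\w+)["\']\s*,\s*["\']([^"\']+)["\']', js_source):
        found.add((m.group(1).upper(), _path(m.group(2))))
    # fetch("url") defaults to GET when no options object overrides it
    for m in re.finditer(r'\bfetch\(\s*["\']([^"\']+)["\']', js_source):
        found.add(("GET", _path(m.group(1))))
    # jQuery shorthands: $.getJSON / $.get are GET, $.post is POST
    for m in re.finditer(r'\$\.(getJSON|get|post)\(\s*["\']([^"\']+)["\']', js_source):
        found.add(("POST" if m.group(1) == "post" else "GET", _path(m.group(2))))
    # $.ajax({ url: "...", type: "..." }); type/method default to GET
    for m in re.finditer(r'\$\.ajax\(\s*\{([^}]*)\}', js_source, re.S):
        opts = m.group(1)
        url = re.search(r'url\s*:\s*["\']([^"\']+)["\']', opts)
        typ = re.search(r'(?:type|method)\s*:\s*["\'](\w+)["\']', opts)
        if url:
            found.add((typ.group(1).upper() if typ else "GET", _path(url.group(1))))
    return sorted(found)


def describe_request(raw):
    """Parse one captured request into the facts a tester needs before
    manipulating it: method, path, body encoding and the parameter names."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    ctype = headers.get("content-type", "").split(";")[0].strip()
    if ctype == "application/json" and body:
        encoding = "json"
        params += list(json.loads(body).keys())
    elif ctype == "application/x-www-form-urlencoded" and body:
        encoding = "form"
        params += [k for k, _ in parse_qsl(body, keep_blank_values=True)]
    else:
        encoding = "none"
    return {
        "method": method,
        "path": parts.path,
        "encoding": encoding,
        "params": params,
        # Many AJAX libraries tag their requests with this header.
        "ajax_header": headers.get("x-requested-with") == "XMLHttpRequest",
    }


def unexercised_endpoints(js_source, captured_requests):
    """Endpoints referenced by the client code that never appeared in the
    proxy capture: the calls the tester has not yet exercised."""
    seen = {(d["method"], d["path"]) for d in map(describe_request, captured_requests)}
    return [ep for ep in find_ajax_endpoints(js_source) if ep not in seen]


if __name__ == "__main__":
    for method, path in find_ajax_endpoints(SAMPLE_JS):
        print("in script:", method, path)
    for raw in SAMPLE_CAPTURE:
        print("captured:", describe_request(raw))
    print("not yet exercised:", unexercised_endpoints(SAMPLE_JS, SAMPLE_CAPTURE))
```

The `describe_request` output (method, path, JSON versus form body, parameter names) is what a tester carries into the parameter-manipulation steps described elsewhere in the guide, and the `unexercised_endpoints` list is the work queue for exercising the parts of the application the proxy has not yet recorded.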
Gray Box testing and example
OWASP Testing Guide v2