The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

Chapter 4 ■ Mapping the Application

banking application may implement every user action via a POST request to /account.jsp, and use parameters to communicate the action being performed. If a spider refuses to make multiple requests to this URL, it will miss most of the application's content. Some application spiders attempt to handle this situation (for example, Burp Spider can be configured to individuate form submissions based on parameter names and values); however, there may still be situations where a fully automated approach is not completely effective.

■ Conversely to the previous point, some applications place volatile data within URLs that is not actually used to identify resources or functions (for example, parameters containing timers or random number seeds). Each page of the application may contain what appears to be a new set of URLs that the spider must request, causing it to continue running indefinitely.

■ Where an application uses authentication, an effective application spider must be able to handle this in order to access the functionality that it protects. The spiders mentioned previously can achieve this, by manually configuring them either with a token for an authenticated session or with credentials to submit to the login function. However, even when this is done, it is common to find that the operation of the spider breaks the authenticated session for various reasons:

  ■ By following all URLs, the spider will at some point request the logout function, causing its session to break.

  ■ If the spider submits invalid input to a sensitive function, the application may defensively terminate the session.

  ■ If the application uses per-page tokens, the spider will almost certainly fail to handle these properly by requesting pages out of their expected sequence, probably causing the entire session to be terminated.
