The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws




Chapter 6: Attacking Authentication




Some web applications employ client-side SSL certificates or cryptographic mechanisms implemented within smartcards. Because of the overhead of administering and distributing these items, they are typically used only in security-critical contexts where an application’s user base is small.

The HTTP-based authentication mechanisms (basic, digest, and Windows-integrated) are rarely used on the Internet, and are much more commonly encountered in intranet environments where an organization’s internal users gain access to corporate applications by supplying their normal network or domain credentials, which are processed by the application via one of these technologies.

Third-party authentication services such as Microsoft Passport are occasionally encountered, but at the present time have not been adopted on any significant scale.

Most of the vulnerabilities and attacks that arise in relation to authentication can be applied to any of the technologies mentioned. Because of its overwhelming dominance, we will describe each specific vulnerability and attack in the context of HTML forms-based authentication, and where relevant will point towards any specific differences and attack methodologies that are relevant to the other available technologies.

