HACK STEPS (continued)
■ The application issues a new item in response to every request.
■ The data in the item appears to be encrypted (and so has no discernible structure) or signed (and so contains meaningful structure accompanied by a few bytes of meaningless binary data).
■ The application may reject attempts to submit the same item with more than one request.
■ If the evidence suggests strongly that the application is not using session tokens to manage state, then it is unlikely that any of the attacks described within this chapter will achieve anything. Your time is likely to be much better spent looking for other serious issues such as broken access controls or code injection.
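The first two indicators above (a new item on every request; an item that looks encrypted or signed) can be checked mechanically over a set of captured values. The following is an added example, not code from the book: the thresholds, the base64 decoding assumption and the four constructed capture sets are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import hmac
from collections import Counter


def decode_token(token: str) -> bytes:
    """Undo URL-safe base64 (padding is often stripped); fall back to raw text."""
    try:
        return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (binascii.Error, ValueError):
        return token.encode()


def classify_structure(raw: bytes) -> str:
    """Heuristic mirroring the hack steps: 'structured' (entirely readable),
    'signed' (readable payload plus a binary tag) or 'opaque' (no discernible
    structure, as ciphertext would look). The run threshold is an assumption."""
    best = run = 0
    for b in raw:
        run = run + 1 if 32 <= b < 127 else 0  # length of current printable-ASCII run
        best = max(best, run)
    if raw and best == len(raw):
        return "structured"
    return "signed" if best >= 16 else "opaque"


def assess_tokens(tokens: list[str]) -> dict:
    """Summarise the item values captured from a series of consecutive requests."""
    kinds = Counter(classify_structure(decode_token(t)) for t in tokens)
    return {"new_value_every_request": len(set(tokens)) == len(tokens),
            "structure": kinds.most_common(1)[0][0]}


def evidence_against_session_tokens(tokens: list[str]) -> list[str]:
    """Indicators from the list above that the item is per-request state, not a session token."""
    report = assess_tokens(tokens)
    found = []
    if report["new_value_every_request"]:
        found.append("new item issued on every request")
    if report["structure"] != "structured":
        found.append(f"item looks {report['structure']}")
    return found


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def demo_captures() -> dict[str, list[str]]:
    """Constructed captures for four hypothetical applications (not real data)."""
    states = [f"user=alice;role=member;seq={i:04d}".encode() for i in range(1, 4)]
    return {"plain_state": [b64(s) for s in states],
            "signed_state": [b64(s + hmac.new(b"demo-key", s, "sha256").digest()) for s in states],
            "opaque_state": [b64(hashlib.sha256(s).digest()) for s in states],  # ciphertext stand-in
            "session_token": [b64(b"sessid=7f3a9c")] * 3}  # one value reused across requests
```

Running `evidence_against_session_tokens` over each capture set flags the three state-carrying variants and returns no evidence for the reused session token.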
Weaknesses in Session Token Generation
Session management mechanisms are often vulnerable to attack because
tokens are generated in an unsafe manner that enables an attacker to identify
the values of tokens that have been issued to other users.