ing tool twice or more against the application, using a different user context each time, and also in an unauthenticated context. To do this, run the spider first as an administrator, and then obtain a session token for a lower-privileged user and resubmit the same links but replace the privileged session token with the lower-privileged token.
■ If a spidering session running as an ordinary user discovers privileged functions to which only administrators should have access, then this may represent a vulnerability. Note, however, that the effectiveness of this method depends upon the exact behavior of the application: some applications provide all users with the same navigation links and return an “access denied” message (in an HTTP 200 response) when an unautho-
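The comparison step of the procedure above, written as an added example (not from the book): responses captured for the same spidered paths under an administrator, a lower-privileged and an unauthenticated context are compared, and a path is flagged when the lower context can still reach a function the administrator reached. The classification deliberately does not trust the status code alone, so an “access denied” page served with HTTP 200, or a redirect to a login page, counts as denied. All responses and paths here are constructed sample data, and the `shared` set naming functions every user is meant to reach is an assumption the tester supplies.

```python
import re

# Constructed sample responses (not real traffic): path -> (status, body, location)
ADMIN = {
    "/admin/users":    (200, "<h1>User list</h1>", None),
    "/admin/delete":   (200, "<h1>Delete account</h1>", None),
    "/account/orders": (200, "<h1>Your orders</h1>", None),
}
LOW_PRIV = {
    "/admin/users":    (200, "<p>Access denied</p>", None),    # denied, but HTTP 200
    "/admin/delete":   (200, "<h1>Delete account</h1>", None), # enforcement missing
    "/account/orders": (200, "<h1>Your orders</h1>", None),
}
ANON = {
    "/admin/users":    (302, "", "/login"),
    "/admin/delete":   (200, "<h1>Delete account</h1>", None), # enforcement missing
    "/account/orders": (302, "", "/login"),
}

# Body markers the application uses for a soft denial (assumed; tune per application)
DENIED_PATTERNS = [re.compile(p, re.I) for p in
                   (r"access denied", r"not authori[sz]ed", r"please log in")]


def is_denied(status, body, location):
    """True when the response denies access. A 401/403, a redirect to the
    login page, or a denial message inside an HTTP 200 body all count."""
    if status in (401, 403):
        return True
    if status in (301, 302, 303, 307) and location and "login" in location.lower():
        return True
    return any(p.search(body) for p in DENIED_PATTERNS)


def find_candidates(privileged, lower, shared=frozenset()):
    """Paths reachable in the privileged context that the lower context can also
    reach. Paths listed in `shared` are expected to be reachable by everyone and
    are skipped; anything returned needs a manual check of the access control."""
    findings = []
    for path, resp in privileged.items():
        if path in shared or path not in lower or is_denied(*resp):
            continue
        if not is_denied(*lower[path]):
            findings.append(path)
    return findings
```

Each flagged path is a candidate, not a confirmed defect: the tester still verifies that the lower-privileged response really exposes the privileged function rather than a look-alike page.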