The error mechanism, therefore, presented a critical security threat. Because administrative users sometimes received these detailed error messages, an attacker monitoring error messages would soon obtain sufficient information to compromise the entire application.
HACK STEPS
■ To detect a flaw of this kind, first catalog all of the anomalous events and conditions that can be generated and that involve interesting user-specific information being returned to the browser in an unusual way, such as a debugging error message.
■ Using the application as two users in parallel, systematically engineer
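An added defender-side check for the first step above (example code written for this page, not from the book): it scans an HTTP response body for signatures of debugging output reaching the browser, and shows the handler shape that keeps such detail server-side behind a reference id. The signature patterns, the sample response body and the reference-id scheme are constructed assumptions.

```python
import re
import uuid
import logging
import traceback

# Signatures of debugging output that should never reach a browser.
# Constructed for this example; extend with your own framework's error formats.
LEAK_PATTERNS = {
    "stack_trace": re.compile(r"Traceback \(most recent call last\)|\bat [\w.$]+\([\w.]+:\d+\)"),
    "sql_error": re.compile(r"SQLSTATE|ORA-\d{5}|You have an error in your SQL syntax", re.I),
    "session_data": re.compile(r"\b(session_?id|csrf_?token|password)\b\s*[:=]", re.I),
    "file_path": re.compile(r"(/var/www/|/home/\w+/|[A-Z]:\\)[\w./\\-]+"),
}

# Constructed sample: a debugging error page that leaks another user's session data.
LEAKY_BODY = """<h1>Internal Server Error</h1>
Traceback (most recent call last):
  File "/var/www/app/handlers.py", line 88, in checkout
KeyError: 'cart'
session_id: 7f3a9c; user=alice; password=hunter2"""


def find_leaks(body):
    """Return the names of every leak signature found in a response body.

    Run this over responses captured while triggering the cataloged error
    conditions; any non-empty result is a finding to investigate.
    """
    return [name for name, pattern in LEAK_PATTERNS.items() if pattern.search(body)]


def safe_error_response(exc, log=None):
    """Log the full exception server-side and return only a generic body.

    The reference id lets support staff correlate the user's report with the
    log entry, so no stack trace, path or session data needs to leave the server.
    """
    log = log or logging.getLogger("app.errors")
    ref = uuid.uuid4().hex[:12]
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("error ref=%s\n%s", ref, detail)
    return {"status": 500, "body": f"An internal error occurred. Reference: {ref}"}


if __name__ == "__main__":
    print("leaks in sample body:", find_leaks(LEAKY_BODY))
    try:
        raise KeyError("cart")
    except KeyError as err:
        print("safe body:", safe_error_response(err)["body"])
```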