Chapter 4  ■ Mapping the Application

Representing an application’s functionality in this way is often more useful

even in cases where the usual picture based on application pages can be

applied without any problems. The logical relationships and dependencies

between different functions may not correspond to the directory structure

used within URLs. It is these logical relationships that are of most interest to

you, both in understanding the core functionality of the application, and in

formulating possible attacks against it. By identifying these, you can better

understand the expectations and assumptions of the application’s developers

when implementing the functions, and attempt to find ways of violating these

assumptions, causing unexpected behavior within the application.

In applications where functions are identified using a request parameter,

rather than the URL, this has implications for the enumeration of application

content. In the previous example, the content discovery exercises described so

far are unlikely to uncover any hidden content. Those techniques need to be

adapted to the mechanisms actually used by the application for accessing

functionality.

HACK STEPS

■

Download 5,76 Mb.

Do'stlaringiz bilan baham: