Finally, errors are often handled in an inconsistent manner within the
application, with some areas trapping and handling errors gracefully, while other
areas simply crash and return verbose debugging information to the user (see
Chapter 14). In this situation, it may be possible to gather information from the
error messages returned in one area and apply it to other areas where errors
are gracefully handled. For example, by manipulating request parameters in
systematic ways and monitoring the error messages received, it may be possible
to determine the internal structure and logic of the application component
concerned; if you are lucky, aspects of this structure may be replicated in other
areas.
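Seen from the defending side, the inconsistency described above can be found by auditing the error responses an application actually returns. The following is an added example, not taken from the book: the signature set, the endpoint names and the sample responses are all constructed for illustration.

```python
import re

# Constructed, non-exhaustive signatures of verbose debugging output.
VERBOSE_PATTERNS = {
    "java_stack_trace": re.compile(r"^\s+at [\w.$]+\([\w.]+:\d+\)", re.M),
    "python_traceback": re.compile(r"Traceback \(most recent call last\):"),
    "php_error": re.compile(r"(?:Warning|Fatal error): .+ in .+ on line \d+"),
    "sql_error": re.compile(r"SQL syntax|ORA-\d{5}|SQLSTATE\[", re.I),
}

def classify(body):
    """Return the sorted names of the verbose-error signatures found in a body."""
    return sorted(n for n, rx in VERBOSE_PATTERNS.items() if rx.search(body))

def audit(responses):
    """Count leaky and gracefully handled error responses per endpoint."""
    report = {}
    for endpoint, status, body in responses:
        entry = report.setdefault(
            endpoint, {"leaky": 0, "graceful": 0, "signatures": []})
        hits = classify(body)
        if hits:                      # debugging detail reached the client
            entry["leaky"] += 1
            entry["signatures"] = sorted(set(entry["signatures"]) | set(hits))
        elif status >= 400:           # an error, but nothing internal disclosed
            entry["graceful"] += 1
    return report

def inconsistent(report):
    """Return (leaky endpoints, graceful-only endpoints), each sorted."""
    leaky = sorted(e for e, r in report.items() if r["leaky"])
    clean = sorted(e for e, r in report.items()
                   if not r["leaky"] and r["graceful"])
    return leaky, clean

# Constructed sample records: (endpoint, HTTP status, response body).
SAMPLE = [
    ("/orders", 500, "java.lang.NullPointerException\n"
                     "\tat com.example.shop.OrderDao.find(OrderDao.java:88)\n"),
    ("/orders", 500, "You have an error in your SQL syntax near ''' at line 1"),
    ("/profile", 500, "<h1>Something went wrong</h1><p>Reference: 7f3a</p>"),
    ("/search", 400, "Invalid request."),
    ("/search", 200, "<ul><li>result</li></ul>"),
    ("/report", 500, "Traceback (most recent call last):\n"
                     '  File "report.py", line 12, in render\nKeyError: \'month\''),
]

if __name__ == "__main__":
    leaky, clean = inconsistent(audit(SAMPLE))
    print("verbose errors:", leaky, "| handled gracefully:", clean)
```

Endpoints in the first list are the ones to bring in line with the generic error page used by the second.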
HACK STEPS
■