The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws
are submitted, and so you will not identify these if you simply walk through the application’s functionality monitoring the requests issued by the browser. To identify disabled elements, you need to monitor the server’s responses or view the page source in your browser. You can also use the automated “find and replace” function of your intercepting proxy to remove occurrences of the disabled attribute within input tags. See Chapter 19 for details of this feature.

Capturing User Data: Thick-Client Components

Besides HTML forms, the other main method for capturing, validating, and submitting user data is to use a thick-client component. The technologies you are most likely to encounter here are Java applets, ActiveX controls, and Shockwave Flash objects.

Thick-client components can capture data in various different ways, both via input forms and in some cases by interacting with the client operating system’s file system or registry. They can perform arbitrarily complex validation and manipulation of captured data prior to submission to the server. Further, because their internal workings are less transparently visible than HTML forms and JavaScript, developers are more likely to assume that the validation they perform cannot be circumvented. For this reason, thick-client components are often a fruitful means of discovering vulnerabilities within web applications.
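Both passages above make the same point from two sides: a disabled form field, like validation performed inside an applet, ActiveX control or Flash object, is a client-side control that the server never sees enforced. The following Python example is added here and is not from the book; it shows the two checks a practitioner wants. The first parses a server response (a constructed sample form, not a real application) and lists which input fields are disabled, which is the "monitor the server's responses" step the text recommends. The second is a hypothetical order handler that processes the submitted form the way the server should: it ignores any client-supplied value for fields the user was never meant to edit, validates the rest itself, and records unexpected fields for detection. The names SAMPLE_RESPONSE, CATALOG, audit_disabled_fields and handle_order are all assumptions of this example.

```python
"""Audit a server response for disabled inputs, then validate the submission
server-side on the assumption that every client-side control was bypassed."""
from html.parser import HTMLParser

# Constructed sample of a server response (not from any real application).
# 'product' and 'price' are disabled, so the browser will not submit them.
SAMPLE_RESPONSE = """
<form action="/order" method="post">
  <input type="text" name="product" value="Widget" disabled>
  <input type="text" name="price" value="19.99" disabled="disabled">
  <input type="text" name="quantity" value="1">
  <input type="submit" value="Buy">
</form>
"""


class DisabledFieldAuditor(HTMLParser):
    """Collects every named <input> and notes whether it carries 'disabled'."""

    def __init__(self):
        super().__init__()
        self.disabled = []  # (name, prefilled value) of disabled inputs
        self.enabled = []   # names of inputs the browser will actually submit

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = dict(attrs)          # a bare 'disabled' maps to None
        name = attr.get("name")
        if name is None:
            return                  # e.g. an unnamed submit button
        if "disabled" in attr:
            self.disabled.append((name, attr.get("value") or ""))
        else:
            self.enabled.append(name)


def audit_disabled_fields(html):
    """Return (disabled_fields, enabled_field_names) found in a response body."""
    parser = DisabledFieldAuditor()
    parser.feed(html)
    return parser.disabled, parser.enabled


# Server-side authority for prices; the client never gets to set them.
CATALOG = {"Widget": 19.99}


def handle_order(submitted):
    """Hypothetical server-side handler for the form above.

    `submitted` is the POST body as a dict of field name -> string. Only the
    fields the user was meant to edit are read; 'price' is looked up from
    CATALOG regardless of what arrives, and any field the server did not
    expect is reported so it can be logged and alerted on.
    """
    product = submitted.get("product")
    if product not in CATALOG:
        raise ValueError("unknown product")
    try:
        quantity = int(submitted.get("quantity", ""))
    except ValueError:
        raise ValueError("quantity must be an integer")
    if not 1 <= quantity <= 100:
        raise ValueError("quantity out of range")

    # A client that re-enabled 'price' (or any other hidden field) shows up
    # here; its value is never used in the computation.
    unexpected = sorted(set(submitted) - {"product", "quantity"})
    total = round(CATALOG[product] * quantity, 2)
    return {
        "product": product,
        "quantity": quantity,
        "total": total,
        "unexpected_fields": unexpected,
    }


if __name__ == "__main__":
    print(audit_disabled_fields(SAMPLE_RESPONSE))
    print(handle_order({"product": "Widget", "quantity": "3", "price": "0.01"}))
```

Run against the sample, the auditor reports product and price as disabled and quantity as the only field the browser will submit; the handler, given a request where price has been re-enabled and set to 0.01, still charges the catalog price and lists price as an unexpected field. The same structure applies when the client is an applet or Flash object: treat whatever it validated as unvalidated and redo the checks on the server.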

NOTE