Sometimes when tokens are created based on the output of a pseudorandom number generator, developers decide to construct each token by concatenating together several sequential outputs from the generator. The perceived rationale for this is that it creates a longer, and therefore “stronger” token. However, this tactic is usually a mistake. If an attacker can obtain several consecutive outputs from the generator, this may enable them to infer some information about its internal state, and may in fact make it easier for them to extrapolate the generator’s sequence of outputs, either forward or backward.
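The following is an added illustration, not code from the book, of the point made above: a token built by chaining consecutive outputs of a non-cryptographic generator is only as unpredictable as its first chunk. The toy linear congruential generator, its parameters, and the function names are assumptions for the demonstration; the hardened alternative draws the whole token in one call from the operating system's cryptographic generator.

```python
# Added illustration (not from the original text): a token assembled from
# several sequential outputs of a weak PRNG, beside a defender's check that
# exposes the problem and the hardened alternative.
import secrets

# Toy linear congruential generator. Parameters are chosen for illustration
# only. Its entire internal state is the last value it emitted, so every
# output discloses the state from which the next output is computed.
A, C, M = 1103515245, 12345, 2 ** 31


class ToyLcg:
    def __init__(self, seed):
        self.state = seed % M

    def next(self):
        self.state = (A * self.state + C) % M
        return self.state


def weak_token(gen, chunks=4):
    """The pattern the text warns about: concatenate several consecutive
    generator outputs to get a longer-looking token."""
    return "".join(f"{gen.next():08x}" for _ in range(chunks))


def chunks_of(token, width=8):
    """Split a hex token back into its fixed-width numeric chunks."""
    return [int(token[i:i + width], 16) for i in range(0, len(token), width)]


def later_chunks_follow_from_first(token):
    """Defender's check: if every chunk after the first is exactly the LCG
    successor of the chunk before it, the token carries no more entropy than
    its first chunk, however long it is made."""
    parts = chunks_of(token)
    return all((A * parts[i] + C) % M == parts[i + 1] for i in range(len(parts) - 1))


def strong_token(nbytes=16):
    """Hardened alternative: one draw of the required length from the OS
    CSPRNG (secrets.token_hex), not a chain of generator outputs."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    tok = weak_token(ToyLcg(seed=20240101))  # constructed seed for the demo
    print("weak token:  ", tok)
    print("later chunks derivable from the first:", later_chunks_follow_from_first(tok))
    print("strong token:", strong_token())
```

The check shows why a longer token from this construction is not a stronger one: the 32 hex characters of the weak token contain 31 bits of unknown state, and the remaining characters are a deterministic function of the first chunk. Length should come from requesting more bytes from a cryptographic source, as `strong_token` does.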
HACK STEPS
■ First, determine when and how session tokens are issued by walking through the application from the first application page through any login