sion tokens, verify whether the secure flag is set, preventing them from ever being transmitted over unencrypted connections.
■ Determine whether, in the normal use of the application, session tokens are ever transmitted over an unencrypted connection. If so, they should be regarded as vulnerable to interception.
■ Where the start page uses HTTP, and the application switches to HTTPS for the login and authenticated areas of the site, verify whether a new token is issued following login, or whether a token transmitted during the HTTP stage is still being used to track the user’s authenticated session. Also verify whether the application will accept login over HTTP if the login URL is modified accordingly.
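The checks in the steps above (secure flag, token crossing plain HTTP, token reissue at login, and login accepted over HTTP) can be applied offline to exchanges recorded in an intercepting proxy. The script below is an added example and is not code from the book: the session cookie names, the stage labels and the two captures are constructed assumptions, and in a real test the exchanges would come from your proxy history rather than literals.

```python
"""Offline audit of recorded session-cookie handling across the HTTP->HTTPS
transition.  Added example; the cookie names, stage labels and captures are
assumptions, not taken from any real application."""
from dataclasses import dataclass, field
from http.cookies import Morsel, SimpleCookie
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Assumed: cookie names that carry the session token in the target application.
SESSION_COOKIE_NAMES = {"JSESSIONID", "PHPSESSID", "ASP.NET_SessionId", "sessionid"}


@dataclass
class Exchange:
    """One request/response pair recorded from an intercepting proxy."""
    stage: str                       # "start", "login" or "login_over_http" (assumed labels)
    url: str                         # request URL; its scheme says whether TLS was used
    status: int                      # response status code
    set_cookie: List[str] = field(default_factory=list)  # raw Set-Cookie header values
    location: Optional[str] = None                       # Location header, if any

    @property
    def scheme(self) -> str:
        return urlsplit(self.url).scheme.lower()


def session_cookies(exchange: Exchange) -> Dict[str, Morsel]:
    """Map each session-token cookie set by the response to its parsed Morsel."""
    found: Dict[str, Morsel] = {}
    for raw in exchange.set_cookie:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if name in SESSION_COOKIE_NAMES:
                found[name] = morsel
    return found


def audit(capture: List[Exchange]) -> List[str]:
    """Apply the transport checks to an ordered capture and return the findings."""
    findings: List[str] = []
    pre_login: Dict[str, str] = {}   # token values seen before the HTTPS login response

    for ex in capture:
        cookies = session_cookies(ex)
        for name, morsel in cookies.items():
            # Check 1: secure flag.  Morsel['secure'] is True when the attribute
            # was sent and "" when it was absent.
            if not morsel["secure"]:
                findings.append(f"{name} set at stage '{ex.stage}' without the secure flag")
            # Check 2: token crossed the wire in clear.
            if ex.scheme == "http":
                findings.append(f"{name} transmitted over unencrypted HTTP at stage '{ex.stage}'")

        if ex.stage == "login" and ex.scheme == "https":
            # Check 3: a token issued before login must be replaced at login,
            # otherwise a value that crossed HTTP tracks the authenticated session.
            for name, old in pre_login.items():
                new = cookies.get(name)
                if new is None or new.value == old:
                    findings.append(f"{name} not reissued after login; pre-login value "
                                    f"{old} still tracks the authenticated session")
        elif ex.stage == "login_over_http":
            # Check 4: a login POST sent over plain HTTP counts as accepted unless the
            # server answered with an error or redirected straight to HTTPS.
            redirected_to_tls = (ex.location or "").startswith("https://")
            if cookies or (ex.status < 400 and not redirected_to_tls):
                findings.append(f"application accepted login over HTTP at {ex.url}")
        else:
            pre_login.update({name: m.value for name, m in cookies.items()})
    return findings


# Constructed capture: HTTP start page, HTTPS login that keeps the old token,
# and a login POST replayed over HTTP that the server processes.
VULNERABLE = [
    Exchange("start", "http://shop.example/", 200,
             ["JSESSIONID=4F2A9C0E1B; Path=/; HttpOnly"]),
    Exchange("login", "https://shop.example/login", 302,
             ["JSESSIONID=4F2A9C0E1B; Path=/; HttpOnly"], "https://shop.example/account"),
    Exchange("login_over_http", "http://shop.example/login", 302,
             ["JSESSIONID=9D71E03C55; Path=/; HttpOnly"], "http://shop.example/account"),
]

# Constructed capture of the hardened behaviour: redirect to HTTPS before any
# token is issued, secure flag set, fresh token at login, HTTP login refused.
HARDENED = [
    Exchange("start", "http://shop.example/", 301, [], "https://shop.example/"),
    Exchange("start", "https://shop.example/", 200,
             ["JSESSIONID=4F2A9C0E1B; Path=/; Secure; HttpOnly"]),
    Exchange("login", "https://shop.example/login", 302,
             ["JSESSIONID=C0FFEE1234; Path=/; Secure; HttpOnly"], "https://shop.example/account"),
    Exchange("login_over_http", "http://shop.example/login", 301, [], "https://shop.example/login"),
]

if __name__ == "__main__":
    for label, capture in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(f"[{label}] {len(audit(capture))} finding(s)")
        for line in audit(capture):
            print("  -", line)
```

The check for login over HTTP is deliberately a heuristic: a 301 to the HTTPS login page is the only response that proves the credentials were never processed, so anything else is reported for manual confirmation in the proxy history.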
■ Even if the application uses HTTPS for every single page, verify whether