content replacement rules to automatically modify items such as HTTP
cookies. If a large number of tokens are captured, and session hijacking
allows you to access sensitive data such as personal details, payment
information or user passwords, you can use the automated techniques
described in Chapter 13 to harvest all desired data belonging to other
application users.
Vulnerable Mapping of Tokens to Sessions
Various common vulnerabilities in session management mechanisms arise
because of weaknesses in the way the application maps the creation and
processing of session tokens to individual users’ sessions themselves.
The simplest weakness is to allow multiple valid tokens to be concurrently
assigned to the same user account. In virtually every application, there is no
legitimate reason why any user should have more than one session active at
any given time. Of course, it is fairly frequent for a user to abandon an active
session and start a new one — for example, because they have closed a
browser window or have moved to a different computer. But if a user appears
to be using two different sessions simultaneously, this usually indicates that a
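The weakness just described, seen from the defender's side, as an added example that is not code from the book: a minimal server-side session store that keeps at most one live token per account, revokes the previous token whenever the user logs in again, and records an alert when a superseded token is presented afterwards or when a live token arrives from a client other than the one it was issued to. The Session and SessionStore classes, the alert wording and the client fingerprint strings are assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    token: str
    user: str
    issued_at: float
    client: str  # constructed client fingerprint (e.g. a hash of IP and User-Agent)


@dataclass
class SessionStore:
    """Server-side store allowing at most one live session per account.

    Hypothetical structure for illustration, not a real framework API.
    """
    live_by_token: dict = field(default_factory=dict)   # token -> Session
    live_by_user: dict = field(default_factory=dict)    # user  -> Session
    superseded: dict = field(default_factory=dict)      # revoked token -> Session
    alerts: list = field(default_factory=list)          # (user, reason) tuples

    def login(self, user: str, client: str) -> str:
        """Issue a fresh token and revoke whatever session the user already had."""
        old = self.live_by_user.get(user)
        if old is not None:
            # Skipping this revocation is the weakness described in the text:
            # two valid tokens would then map to the same account at once.
            del self.live_by_token[old.token]
            self.superseded[old.token] = old
        token = secrets.token_urlsafe(32)
        sess = Session(token, user, time.time(), client)
        self.live_by_token[token] = sess
        self.live_by_user[user] = sess
        return token

    def validate(self, token: str, client: str) -> Optional[str]:
        """Resolve a presented token to a username, or None if it is not usable.

        A superseded token being reused, or a live token arriving from a
        different client than the one it was issued to, means the account is
        being driven from two places; both are recorded for investigation.
        """
        old = self.superseded.get(token)
        if old is not None:
            self.alerts.append((old.user, "superseded token reused after a newer login"))
            return None
        sess = self.live_by_token.get(token)
        if sess is None:
            return None
        if sess.client != client:
            self.alerts.append((sess.user, "live token presented from a second client"))
            return None
        return sess.user

    def alerts_for(self, user: str) -> list:
        """Alert reasons recorded for one account, in the order they occurred."""
        return [reason for (u, reason) in self.alerts if u == user]


def demo() -> dict:
    """Walk through the two-sessions scenario; returns the outcomes for checking."""
    store = SessionStore()
    t1 = store.login("alice", "client-A")
    assert store.validate(t1, "client-A") == "alice"
    # A second login for the same account from another client supersedes t1.
    t2 = store.login("alice", "client-B")
    return {
        "old_token_still_valid": store.validate(t1, "client-A") is not None,
        "new_token_valid": store.validate(t2, "client-B") == "alice",
        "new_token_from_other_client": store.validate(t2, "client-A"),
        "alerts": store.alerts_for("alice"),
    }


if __name__ == "__main__":
    print(demo())
```

Binding a token to a client fingerprint is a signal rather than proof: users behind carrier NAT or switching networks change addresses, so in a real deployment the mismatch branch is usually better treated as an alert plus a re-authentication prompt than as an unconditional refusal. The single-live-session rule, by contrast, costs legitimate users nothing beyond having to log in again on their new device.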