Do not fall into the trap of examining actions that the application performs on the client-side token (such as cookie invalidation via a new Set-Cookie instruction, client-side script, or an expiration time attribute). In terms of session termination, nothing much depends upon what happens to the token within the client browser. Rather, investigate whether session expiration is implemented on the server side:

■ Log in to the application to obtain a valid session token.
■ Wait for a period without using this token, and then submit a request for a protected page (e.g., “my details”) using the token.
■ If the page is displayed as normal, then the token is still active.
■ Use trial and error to determine how long any session expiration time-
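To show what "implemented on the server side" means in practice, here is an added example (not from the book) of a minimal in-memory session store that enforces an idle timeout and an absolute lifetime on the server, so a token presented after the idle window is rejected no matter what the client's cookie still says. The store, the timeout values and the injectable clock are assumptions for illustration; `simulate_idle_then_request` mirrors the log-in, wait, request-a-protected-page check described above.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # assumed: seconds of inactivity before the token dies
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: hard cap on total session lifetime


class SessionStore:
    """Illustrative server-side session store (assumption, not a real framework)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so a test can "wait" without sleeping
        self._sessions = {}      # token -> {"user", "created", "last_seen"}

    def login(self, user):
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def lookup(self, token):
        """Return the user for a live token, or None if it is unknown or expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        idle_expired = now - s["last_seen"] > IDLE_TIMEOUT
        absolute_expired = now - s["created"] > ABSOLUTE_TIMEOUT
        if idle_expired or absolute_expired:
            # Invalidate on the server; a cookie the client still holds is now useless.
            del self._sessions[token]
            return None
        s["last_seen"] = now     # sliding idle window: activity extends the session
        return s["user"]

    def logout(self, token):
        self._sessions.pop(token, None)


def simulate_idle_then_request(idle_seconds):
    """Log in, stay idle for idle_seconds, then request a protected page.

    Returns the user name if the token is still active, None if the server
    has expired it (the outcome the book's check is looking for).
    """
    fake_now = [1_000_000.0]                     # constructed clock value
    store = SessionStore(clock=lambda: fake_now[0])
    token = store.login("alice")                 # constructed test user
    fake_now[0] += idle_seconds
    return store.lookup(token)
```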