If the application segregates user access to different levels of functionality, first use a powerful account to locate all of the available functionality and then attempt to access this using a lower-privileged account.
■
If the application segregates user access to different resources (such as documents), use two different user-level accounts to test whether access controls are effective or whether horizontal privilege escalation is possible. Find a document that can be legitimately accessed by one user but not by another, and attempt to access it using the second user’s account — either by requesting the relevant URL or by submitting the same POST parameters from within the second user’s session.
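As an added example (not from the book), a small harness that carries out the two-account document check above against a constructed mock application: it replays each document request, both by URL and by the same POST parameter, from every other user's session and flags any that succeed, after first confirming that the owner can reach the document so a blanket 403 is not mistaken for a pass. The MockApp, user names, tokens and document ids are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class MockApp:
    """Stand-in for the application under test (constructed for this example).
    docs maps doc_id -> owner; sessions maps session token -> username."""
    docs: dict
    sessions: dict
    enforce_owner: bool = True  # False reproduces a missing ownership check

    def handle(self, session, method, path, params=None):
        """Return an HTTP-style status for a request made within a session."""
        user = self.sessions.get(session)
        if user is None:
            return 401
        # Same resource reachable by URL (GET /docs/<id>) or by POST parameter
        doc_id = (params or {}).get("doc_id") or path.rsplit("/", 1)[-1]
        owner = self.docs.get(doc_id)
        if owner is None:
            return 404
        if self.enforce_owner and owner != user:
            return 403
        return 200


def find_horizontal_escalation(send, sessions, ownership):
    """Replay each document request from every other user's session.

    send(session, method, path, params) -> status code
    sessions: username -> session token; ownership: doc_id -> owner username
    Returns (requester, doc_id, method) tuples that succeeded but should not have.
    """
    findings = []
    for doc_id, owner in ownership.items():
        requests = (("GET", f"/docs/{doc_id}", None),
                    ("POST", "/docs/view", {"doc_id": doc_id}))
        # Baseline: the owner must be able to reach the document, otherwise a
        # 403 for everyone would look like a pass when the page is simply broken.
        for method, path, params in requests:
            if send(sessions[owner], method, path, params) != 200:
                raise RuntimeError(f"owner {owner} cannot reach {doc_id} via {method}")
        for user, token in sessions.items():
            if user == owner:
                continue
            for method, path, params in requests:
                if send(token, method, path, params) == 200:
                    findings.append((user, doc_id, method))
    return findings
```

Against a real application, `send` would wrap an HTTP client that attaches the given session cookie; the harness itself only needs the returned status.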
■
It may be possible to automate some of this testing by running a spider-