Chapter 11  ■ Attacking Application Logic  373

The majority of interesting attacks against web applications involve targeting

the server-side application itself. Many of these attacks do of course impinge

upon other users — for example, an SQL injection attack that steals other

users’ data. But the essential methodology of the attacker is to interact with the

server in unexpected ways in order to perform unauthorized actions and

access unauthorized data.

The attacks described in this chapter are in a different category, because the

primary target of the attacker is the application’s other users. All of the rele-

vant vulnerabilities still exist within the server-side application. However, the

attacker leverages some aspect of the application’s behavior in order to carry

out malicious actions against another end user. These actions may result in

some of the same effects that we have already examined, such as session

hijacking, unauthorized actions, and the disclosure of personal data. They may

also result in other undesirable outcomes, such as logging of keystrokes or exe-

cution of arbitrary commands on users’ computers.

Other areas of software security have witnessed a gradual shift in focus

from server-side to client-side attacks in recent years. To take one example,

Microsoft used to announce serious security vulnerabilities within their server

products on a frequent basis. Although numerous client-side flaws were also

disclosed, these received much less attention because servers presented a

much more appealing target for most attackers. In just a few years, this situa-

tion has changed markedly. At the time of this writing, no critical security