fields within a single page of an application. In the previous example, suppose that the page_id and mode parameters are subject to a maximum length of 12 characters. Because these fields are so short, the application’s developers did not bother to implement any XSS filters. The seed parameter, on the other hand, is unrestricted in length, and so rigorous filters were implemented to prevent the injection of the characters " < or >. In this scenario, despite the developers’ efforts, it is still possible to insert an arbitrarily long script into the seed parameter without employing any of the blocked characters, because the JavaScript context can be created by data injected into the surrounding fields.

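The following is an added example, not code from the original text: a constructed Python model of the per-field policy described above, set beside output encoding applied to every reflected field. The attribute-value template, the function names and the sample values are assumptions made for illustration.

```python
import html

# Constructed model of the policy in the passage (not the application's code):
# short fields get only a length cap, the long field gets a character blocklist.
MAX_SHORT = 12
BLOCKED = set('"<>')
FIELDS = ("page_id", "seed", "mode")

# Assumed reflection context: each value lands in a double-quoted attribute.
TEMPLATE = ('<input type="hidden" name="page_id" value="{page_id}">'
            '<input type="hidden" name="seed" value="{seed}">'
            '<input type="hidden" name="mode" value="{mode}">')

# Constructed sample request: every value passes the per-field policy.
SAMPLE = {"page_id": 'a"b', "seed": "plain text", "mode": "x>y"}


def per_field_policy(params):
    """Flawed approach: each field is judged in isolation."""
    out = {}
    for name in ("page_id", "mode"):
        value = params.get(name, "")
        if len(value) > MAX_SHORT:
            raise ValueError(f"{name} exceeds {MAX_SHORT} characters")
        out[name] = value  # reflected unmodified because it is "short"
    seed = params.get("seed", "")
    if BLOCKED & set(seed):
        raise ValueError("seed contains a blocked character")
    out["seed"] = seed
    return out


def encode_all(params):
    """Hardened approach: encode every reflected field for its output context."""
    return {k: html.escape(params.get(k, ""), quote=True) for k in FIELDS}


def render(fields):
    return TEMPLATE.format(**fields)


def unencoded_metachars(fields):
    """Fields whose value would still reach the page with a raw quote or bracket."""
    return sorted(k for k, v in fields.items() if BLOCKED & set(v))


if __name__ == "__main__":
    print("per-field policy leaves raw:", unencoded_metachars(per_field_policy(SAMPLE)))
    print("encode-all leaves raw:      ", unencoded_metachars(encode_all(SAMPLE)))
    print(render(encode_all(SAMPLE)))
```

The length cap on page_id and mode does not stop a quote or bracket from reaching the page, so the blocklist on seed protects only one of three values that share the same response.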

A third technique for beating length limits, which can be highly effective in some situations, is to “convert” a reflected XSS flaw into a DOM-based vulnerability. For example, in the original reflected XSS vulnerability, if the application places a length restriction on the message parameter that is copied into