442 Chapter 12 ■ Attacking Other Users
though XSS was not possible. And of course, the attack will succeed even if administrators take the precaution of disabling JavaScript.

In the preceding attack string, note the # character that effectively terminates the URL before the .gif suffix. You could just as easily use & to incorporate the suffix as a further request parameter.
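Why the # and & tricks defeat a suffix check, shown as an added illustration that is not code from the book: a server-side filter that only looks at how the raw URL string ends treats a query string or fragment as part of the "filename", whereas the browser sends only the path and query to the server and never sends the fragment at all. The hardened check below parses the URL and tests the path component alone. The function names and the sample URLs (an example.com host with a hypothetical /admin/action endpoint) are constructed for this example.

```python
from urllib.parse import urlparse

ALLOWED_SUFFIXES = (".gif", ".jpg", ".png")


def naive_is_image_url(url: str) -> bool:
    """Weak check: only inspects how the raw string ends.

    Anything after '#' or inside the query string counts toward the
    suffix, so '...?name=x#.gif' and '...&ignored=.gif' both pass.
    """
    return url.lower().endswith(ALLOWED_SUFFIXES)


def path_is_image_url(url: str) -> bool:
    """Stronger check: parse the URL and test the path component only.

    The query string and fragment are ignored, so appending '#.gif' or
    '&x=.gif' no longer satisfies the suffix test. Only absolute http(s)
    URLs are accepted.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return parts.path.lower().endswith(ALLOWED_SUFFIXES)


def request_seen_by_server(url: str) -> str:
    """Approximates the request target the browser actually sends.

    The path and query go over the wire; the fragment never leaves the
    browser, which is why the '#.gif' suffix is invisible to the server.
    """
    parts = urlparse(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target


# Constructed sample URLs: one genuine image and two that only look
# like images to a suffix-of-the-raw-string check.
SAMPLES = [
    "http://example.com/images/logo.gif",
    "http://example.com/admin/action?name=x#.gif",
    "http://example.com/admin/action?name=x&ignored=.gif",
]


def audit(urls=SAMPLES):
    """Return (naive verdict, path verdict, target sent) for each URL."""
    return [
        (naive_is_image_url(u), path_is_image_url(u), request_seen_by_server(u))
        for u in urls
    ]


if __name__ == "__main__":
    for url, (naive, strict, sent) in zip(SAMPLES, audit()):
        print(f"{url}\n  naive={naive} path-based={strict} server sees {sent}")
```

Even the path-based check is only a heuristic: it proves that the path ends in an image suffix, not that the server behind it will serve an image or that the request is harmless. Where user-supplied URLs are rendered to other users, fetching and re-hosting the resource server-side, or rejecting URLs that point back at the application's own sensitive paths, is the more robust mitigation.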
HACK STEPS

■ In every location where data submitted by one user is displayed to other users but you are unable to perform a stored XSS attack, review whether