The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

Download 5,76 Mb.

1 ... 801 802 803 804 805 806 807 808 ... 875

Bog'liq
3794 1008 4334

Web application fuzzing —

In describing the practical steps for detect-

ing common web application vulnerabilities, we have seen numerous

examples where the best approach to detection is to submit various

unexpected items of data and attack strings, and review the applica-

472

Chapter 13

■

Automating Bespoke Attacks

70779c13.qxd:WileyRed 9/14/07 3:14 PM Page 472

tion’s responses for any anomalies that indicate that the flaw may be

present. In a large application, your initial mapping exercises may iden-

tify dozens of distinct requests which you need to probe, each contain-

ing numerous different parameters. To test each case manually is

time-consuming and mind-numbing, and liable to leave a large part of

the attack surface neglected. Using bespoke automation, however, you

can very quickly generate huge numbers of requests containing com-

mon attack strings, and quickly assess the server’s responses to home in

on interesting cases that merit further investigation. This technique is

often referred to as fuzzing.

We will examine in detail each of these three situations, and the ways in

which bespoke automated techniques can be leveraged to vastly enhance your

attacks against an application.

Download 5,76 Mb.

Do'stlaringiz bilan baham:

1 ... 801 802 803 804 805 806 807 808 ... 875