The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

T I P

Data output in tab-delimited format can be easily loaded into

spreadsheet software such as Excel for further manipulation or tidying up. In

many situations, the output from a data-harvesting exercise can be used as the

input for another automated attack.

Fuzzing for Common Vulnerabilities

The third main use of bespoke automation does not involve targeting any

known vulnerability to enumerate or extract information. Rather, your objec-

tive is to probe the application with various crafted attack strings designed to

cause anomalous behavior within the application if particular common vul-

nerabilities are present. This type of attack is much less focused than the ones

previously described, for the following reasons:

■■

It generally involves submitting the same set of attack payloads as

every parameter to every page of the application, regardless of the nor-

mal function of each parameter or the type of data that the application

expects to receive. These payloads are sometimes referred to as fuzz

strings.

■■

You do not know in advance precisely how to identify hits. Rather than

monitoring the application’s responses for a specific indicator of suc-

cess, you generally need to capture as much detail as possible in a clear

form, so that this can be easily reviewed to identify cases where your

attack string has triggered some anomalous behavior within the appli-

cation, which merits further investigation.

As you have seen when examining various common web application flaws,

some vulnerabilities manifest themselves in the application’s behavior in par-

ticular recognizable ways, such as a specific error message or HTTP status

code. These vulnerability signatures can sometimes be relied upon to detect

common defects, and they are the means by which automated application vul-

nerability scanners identify the majority of their findings (see Chapter 19).

However, in principle, any test string you submit to the application may give

rise to any expected behavior that, in its particular context, points towards the

presence of a vulnerability. For this reason, an experienced attacker using

bespoke automated techniques is usually much more effective than any fully

automated tool can ever be. Such an attacker can perform an intelligent analy-

sis of every pertinent detail of the application’s responses. He can think like an

application designer and developer. And he can spot and investigate unusual

connections between requests and responses in a way that no current tool is

able to.

Download 5,76 Mb.

Do'stlaringiz bilan baham: