The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

methods. If possible, find a way of attacking the problem in two stages, first enumerating servlets and then methods within these. Using a similar method to the one used for URL-specified content, compile lists of common items, add to these by inferring from the names actually observed, and generate large numbers of requests based on these.



If applicable, compile a map of application content based on functional paths, showing all of the enumerated functions and the logical paths and dependencies between them.

78   Chapter 4   Mapping the Application



Discovering Hidden Parameters

A variation on the situation where an application uses request parameters to specify which function should be performed arises where other parameters are used to control the application’s logic in significant ways. For example, an application may behave differently if the parameter debug=true is added to the query string of any URL — it might turn off certain input validation checks, allow the user to bypass certain access controls, or display verbose debug information in its response. In many cases, the fact that the application handles this parameter cannot be directly inferred from any of its content (for example, it does not include debug=false in the URLs that it publishes as hyperlinks). The effect of the parameter can only be detected by guessing a range of values until the correct one is submitted.
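Seen from the server side, the guessing described above leaves a distinctive trace: one client sends many requests to the same path, each carrying a query parameter name the application never publishes. The following added example (not from the book) flags that pattern in access logs; the per-path allowlist and the log lines are constructed for illustration.

```python
"""Detect hidden-parameter guessing (e.g. debug=true) in access logs.
Added example, not part of the handbook; allowlist and log lines are constructed."""
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Assumed: the parameters the application actually publishes, per path.
KNOWN_PARAMS = {
    "/account/view": {"id", "tab"},
    "/search": {"q", "page"},
}

# Constructed Combined-Log-Format lines: 10.0.0.5 browses normally,
# 10.0.0.9 submits several unpublished parameter names to one path.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Sep/2007:15:12:01 +0000] "GET /account/view?id=42&tab=orders HTTP/1.1" 200 812
10.0.0.9 - - [14/Sep/2007:15:12:02 +0000] "GET /account/view?id=42&debug=true HTTP/1.1" 200 4110
10.0.0.9 - - [14/Sep/2007:15:12:02 +0000] "GET /account/view?id=42&test=1 HTTP/1.1" 200 812
10.0.0.9 - - [14/Sep/2007:15:12:03 +0000] "GET /account/view?id=42&admin=1 HTTP/1.1" 200 812
10.0.0.9 - - [14/Sep/2007:15:12:03 +0000] "GET /account/view?id=42&source=1 HTTP/1.1" 200 812
10.0.0.5 - - [14/Sep/2007:15:12:04 +0000] "GET /search?q=shoes&page=2 HTTP/1.1" 200 2048
"""

def parse_request(line):
    """Return (client_ip, path, {query parameter names}) for one log line."""
    ip = line.split(" ", 1)[0]
    request = line.split('"')[1]             # e.g. GET /path?x=y HTTP/1.1
    target = request.split(" ")[1]
    parts = urlsplit(target)
    names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    return ip, parts.path, names

def unknown_param_report(log_text, known=KNOWN_PARAMS):
    """Map (ip, path) -> set of parameter names the application never publishes."""
    report = defaultdict(set)
    for line in log_text.splitlines():
        ip, path, names = parse_request(line)
        unknown = names - known.get(path, set())
        if unknown:
            report[(ip, path)] |= unknown
    return dict(report)

def guessing_clients(log_text, threshold=3):
    """(ip, path) pairs with >= threshold distinct unknown names: the signature
    of parameter guessing rather than a single stale or mistyped link."""
    return sorted(key for key, names in unknown_param_report(log_text).items()
                  if len(names) >= threshold)
```

A single unknown name is usually a stale bookmark or typo; the threshold separates that noise from a client probing one URL with many candidate names, which is what the text above describes.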



HACK STEPS



