The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws
respects (e.g., is numeric if the application is expecting a number). If the application accepts the overlong data, you may infer that the client-side validation is not replicated on the server. Depending on the subsequent processing that the application performs on the parameter, you may be able to leverage the defects in validation to exploit other vulnerabilities such as SQL injection, cross-site scripting, or buffer overflows.

Script-Based Validation

The input validation mechanisms built into HTML forms themselves are extremely simple, and are insufficiently fine-grained to perform relevant validation of many kinds of input. For example, a user registration form might contain fields for name, email address, telephone number, and ZIP code, all of which expect different types of input. It is therefore very common to see customized client-side input validation implemented within scripts. Consider the following variation on the original example:

<form onsubmit="return ValidateForm(this)">
Product: Sony VAIO A217S <br/>
Quantity: <input type="text" name="quantity"><br/>
<input type="submit">
</form>

The onsubmit attribute of the form tag instructs the browser to execute the ValidateForm function when the user clicks the submit button and to submit the form only if this function returns true. This mechanism enables the client-side
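As an added example that is not part of the book's text, the following JavaScript shows a ValidateForm function of the kind the onsubmit attribute calls, the same rule re-applied on the server to the raw request parameter, and a check that the two agree, which is how a defender verifies that client-side validation is replicated server-side. The quantity limit of 50, the function bodies and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example, not code from the book. The field name "quantity" comes
// from the form above; the limit of 50 and the function names are assumptions.

// One validation rule, written once so the client and server cannot drift apart:
// a decimal integer from 1 to 50, nothing else (no sign, decimal point or spaces).
function isValidQuantity(value) {
  if (typeof value !== "string" || !/^\d+$/.test(value)) return false;
  const n = Number(value);
  return n >= 1 && n <= 50;
}

// What the form's onsubmit handler runs in the browser. Returning false stops
// the submission, but only for users who let the script run at all.
function ValidateForm(theForm) {
  return isValidQuantity(theForm.quantity.value);
}

// Server-side handling of the raw POST body. It re-applies the same rule to the
// parameter as received, because the browser-side check may never have happened.
function handleOrder(body) {
  const quantity = new URLSearchParams(body).get("quantity");
  if (!isValidQuantity(quantity)) {
    return { status: 400, error: "invalid quantity" };
  }
  return { status: 200, ordered: Number(quantity) };
}

// Defender's check that the server replicates the client-side rule: every
// value the browser script would reject must also be rejected by the server.
// Returns the list of inputs the server wrongly accepted (empty means OK).
function findValidationGaps(inputs) {
  return inputs.filter((v) => {
    const clientRejects = !ValidateForm({ quantity: { value: v } });
    const serverAccepts =
      handleOrder("quantity=" + encodeURIComponent(v)).status === 200;
    return clientRejects && serverAccepts;
  });
}

// Constructed sample inputs: one legitimate value plus ones that would only
// reach the server if the script was bypassed (overlong, non-numeric, zero, negative).
const SAMPLE_INPUTS = ["3", "999", "3abc", "0", "-1", "12345678901234567890"];
```

If findValidationGaps ever returns a non-empty list, the server accepts input the script rejects, which is exactly the condition the text describes as inferable from the application accepting overlong data.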
