at the time the challenge is completed. This provides absolutely no
enhanced security of the recovery process beyond possibly logging
the email address used by an attacker.
TIP
Even if the application does not provide an on-screen field for you to
provide an email address to receive the recovery URL, the application may
transmit the address via a hidden form field or cookie. This presents a double
opportunity: you can discover the email address of the user you have
compromised, and you can modify its value to receive the recovery URL at an
address of your choosing.
■ Some applications allow users to reset their password's value directly
after successful completion of a challenge and do not send any email
notification to the user. This means that an attacker's compromise of an
account will not be noticed until the owner happens to attempt to log in
again, and may even remain unnoticed if the owner assumes that they must
have forgotten their own password and so resets it in the same way. An
attacker who simply desires some access to the application can then
compromise a different user's account for a period and so continue using
the application indefinitely.
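As an added illustration (not code from the book or any real application), the flawed recovery design described above is shown beside a hardened one in Python: the client-supplied address is ignored, the recovery URL goes only to the address stored server-side, and every completed reset notifies the owner. The in-memory account store, the `Outbox` mail recorder, and the `app.example` URL are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field

# Constructed in-memory account store: username -> address registered at signup.
ACCOUNTS = {"alice": "alice@example.com"}


@dataclass
class Outbox:
    """Records outgoing mail so both handlers can be compared offline."""
    sent: list = field(default_factory=list)

    def send(self, to, subject, body):
        self.sent.append((to, subject, body))


def vulnerable_recovery(form, outbox):
    """Flawed design: after the challenge succeeds, the recovery URL is mailed to
    whatever address arrived with the request (e.g. a hidden field or cookie)."""
    token = secrets.token_urlsafe(32)
    outbox.send(form["email"], "Password recovery",
                f"https://app.example/recover?token={token}")
    return token


def hardened_recovery(form, outbox, accounts=ACCOUNTS):
    """Fixed design: the client never chooses the destination; the URL goes only
    to the address stored server-side for the account named in the challenge."""
    username = form.get("username")
    if username not in accounts:
        return None  # same outward response whether or not the account exists
    token = secrets.token_urlsafe(32)
    outbox.send(accounts[username], "Password recovery",
                f"https://app.example/recover?token={token}")
    return token


def complete_reset(username, outbox, accounts=ACCOUNTS):
    """After a successful reset, always notify the owner at the stored address
    so a hijack is noticed even if the owner never tries to log in."""
    outbox.send(accounts[username], "Your password was changed",
                "If you did not do this, contact support immediately.")
    return True


def recipient_of(outbox):
    """Address the most recent message in the outbox was sent to."""
    return outbox.sent[-1][0] if outbox.sent else None
```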
HACK STEPS
■