Using an account you control, attempt to log in with variations on your own password: removing the last character, changing the case of a character, and removing any special typographical characters. If any of these attempts is successful, continue experimenting to try to understand what validation is actually occurring.
■ Feed any results back into your automated password guessing attacks, to remove superfluous test cases and improve the chances of success.
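A self-check for the incomplete validation the steps above are designed to reveal, as an added example that is not from the book: a constructed verifier that only checks the first 8 characters and ignores case sits beside one that checks the whole password, and a helper generates the variations named in the text and reports which ones each verifier accepts. All class and function names are the example's own.

```python
import hashlib
import hmac
import os

# Low iteration count so the example runs quickly; production code uses far more.
ITERATIONS = 10_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class FullVerifier:
    """Validates the whole password exactly as entered (the expected behaviour)."""
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.digest = _derive(self.normalise(password), self.salt)

    @staticmethod
    def normalise(password: str) -> str:
        return password

    def check(self, candidate: str) -> bool:
        return hmac.compare_digest(_derive(self.normalise(candidate), self.salt), self.digest)


class TruncatingVerifier(FullVerifier):
    """Constructed flaw: only the first 8 characters matter and case is ignored,
    the kind of incomplete validation the login experiments above would expose."""
    @staticmethod
    def normalise(password: str) -> str:
        return password[:8].lower()


def variations(password: str) -> set:
    """The variants named in the text: last character dropped, the case of one
    letter changed, and non-alphanumeric characters removed."""
    variants = set()
    if len(password) > 1:
        variants.add(password[:-1])
    for i, ch in enumerate(password):
        if ch.isalpha():
            variants.add(password[:i] + ch.swapcase() + password[i + 1:])
    variants.add("".join(ch for ch in password if ch.isalnum()))
    variants.discard(password)  # only genuinely different strings count
    return variants


def accepted_variations(verifier: FullVerifier, password: str) -> list:
    """Variants a verifier wrongly accepts; an empty list is the desired result."""
    return sorted(v for v in variations(password) if verifier.check(v))


if __name__ == "__main__":
    pw = "Secret!Passw0rd#"  # constructed test password
    print("full:      ", accepted_variations(FullVerifier(pw), pw))
    print("truncating:", accepted_variations(TruncatingVerifier(pw), pw))
```

Any non-empty list from `accepted_variations` against a verifier you own is the signal to trace which normalisation step is discarding part of the credential.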
Non-Unique Usernames
Some applications that support self-registration allow users to specify their
own username, and do not enforce a requirement that usernames be unique.
Although rare, the authors have encountered more than one application with
this behavior.
This represents a design flaw for two reasons:
■ One user who shares a username with another user may also happen to select the same password as that user, either during registration or in a subsequent password change. In this eventuality, the application will either reject the second user’s chosen password or will allow two