that is certainly session-dependent (such as a user-specific “my details” page), and make several requests for it, systematically removing each item that you suspect is being used as a token. If removing an item causes the session-dependent page not to be returned, then this may confirm that the item is a session token. Burp Repeater is a useful tool for performing these tests.
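The remove-one-item-at-a-time check described above, written as a small differential request loop. This is an added example, not code from the book: `identify_session_tokens`, the `fetch` callable, the `fake_server` stand-in and the cookie names and values are all constructed here, so it runs offline; in a real assessment of your own application `fetch` would wrap an HTTP client.

```python
"""Which candidate cookies/parameters are actually session tokens?

Each candidate is removed in turn while the others are kept, and the
session-dependent page is requested again.  An item whose removal makes
the page disappear is (probably) part of the session token.  Note the
limit of the method: it only finds items that are individually required;
if the server accepts either of two redundant tokens, neither shows up.
"""
from typing import Callable, Dict, List

# A fetch function receives the items to send and returns the response body.
Fetch = Callable[[Dict[str, str]], str]


def identify_session_tokens(fetch: Fetch, candidates: Dict[str, str],
                            marker: str) -> List[str]:
    """Return the candidate names whose removal breaks the session page.

    `marker` is text that appears only on the session-dependent page,
    e.g. the logged-in user's e-mail address on a "my details" page.
    """
    baseline = fetch(dict(candidates))
    if marker not in baseline:
        raise RuntimeError("baseline request did not return the session page")
    tokens = []
    for name in candidates:
        trial = {k: v for k, v in candidates.items() if k != name}
        if marker not in fetch(trial):
            tokens.append(name)
    return tokens


# Constructed stand-in for the target (assumption: the server binds the
# session to JSESSIONID *and* uid; lang and _ga are unrelated cookies).
def fake_server(items: Dict[str, str]) -> str:
    if items.get("JSESSIONID") == "A1B2C3D4" and items.get("uid") == "1042":
        return "<h1>My details</h1><p>alice@example.com</p>"
    return "<h1>Login</h1><form>...</form>"


# Constructed sample: everything the browser sends with the request.
CANDIDATES = {"JSESSIONID": "A1B2C3D4", "uid": "1042",
              "lang": "en", "_ga": "GA1.2.123"}

if __name__ == "__main__":
    print(identify_session_tokens(fake_server, CANDIDATES, "alice@example.com"))
    # → ['JSESSIONID', 'uid']
```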
Alternatives to Sessions
Not every web application employs sessions, and some security-critical applications containing authentication mechanisms and complex functionality opt to use other techniques for managing state. There are two possible alternatives that you are likely to encounter:
■ HTTP authentication — Applications using the various HTTP-based authentication technologies (basic, digest, NTLM, etc.) sometimes avoid the need to use sessions. With HTTP authentication, the client component interacts with the authentication mechanism directly via the