The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws


Chapter 7  ■ Attacking Session Management








within the authenticated area, by using the Back button, or by typing the URL directly.

■ In a variation on the previous case, the application may attempt to switch to HTTPS when the user clicks the Login link; however, it may still accept a login over HTTP if the user modifies the URL accordingly. In this situation, a suitably positioned attacker can modify the pages returned in the preauthenticated areas of the site so that the Login link points to an HTTP page. Even if the application issues a fresh session token after successful login, the attacker may still intercept this token if he has successfully downgraded the user's connection to HTTP.

■ Some applications use HTTP for all static content within the application, such as images, scripts, style sheets, and page templates. This behavior is often indicated by a warning alert within the user's browser, as shown in Figure 7-3. As described previously, an attacker can intercept the user's session token when the user's browser accesses a resource over HTTP, and use this token to access protected, nonstatic areas of the site over HTTPS.



Figure 7-3: Browsers present a warning alert when a page accessed over HTTPS contains items accessed over HTTP.

■ Even if an application uses HTTPS for every single page, including unauthenticated areas of the site and static content, there may still be circumstances in which users' tokens are transmitted over HTTP. If an attacker can somehow induce a user to make a request over HTTP (either to the HTTP service on the same server if one is running, or to http://server:443/ otherwise), then their token may be submitted. Means by which the attacker may attempt this include sending the user a URL in an email or instant message, placing auto-loading links into a web site the attacker controls, or using clickable banner ads. (See Chapter 12 for more details about techniques of this kind for delivering attacks against other users.)
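The three cases above share one root cause: the session cookie is issued without the Secure attribute, so the browser attaches it to any http:// request, whether that request is a downgraded Login link, an image fetched over HTTP, or a request to http://server:443/ that the attacker induced. The following is an added example (not code from the book) that checks for this from the tester's side. It parses Set-Cookie headers and reports cookies lacking Secure or HttpOnly, models the browser rule from RFC 6265 that decides whether a cookie is sent to a given URL, and scans an HTTPS page for http:// sub-resources (the mixed-content case) and http:// anchor links (the downgraded Login link). The hostname server, the cookie names and the sample HTML are constructed for illustration and are not taken from any real application.

```python
# Added example (not code from the book): audit Set-Cookie headers for the
# Secure attribute, decide whether a cookie would ride along on a plain-HTTP
# request, and scan an HTTPS page for http:// sub-resources and login links.
# Hostnames, cookie names and the sample HTML are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, {attr: value}).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers):
    """Return [(cookie_name, [missing attributes])] for each Set-Cookie header."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        findings.append((name, missing))
    return findings


def cookie_sent_to(attrs, url):
    """Model the browser rule for the Secure attribute (RFC 6265, section 5.4):
    a Secure cookie is attached only to requests over a secure scheme.

    The port does not matter: http://server:443/ is still plain HTTP, so a
    cookie without Secure is sent to it even if the server only speaks TLS there.
    """
    scheme = urlsplit(url).scheme.lower()
    if "secure" in attrs:
        return scheme == "https"
    return scheme in ("http", "https")


class PageScanner(HTMLParser):
    """Collect http:// URLs from a page that was served over HTTPS.

    sub_resources: images, scripts, style sheets and frames loaded over HTTP
                   (the mixed-content case behind the Figure 7-3 warning).
    links:         anchors pointing at http:// pages, e.g. a Login link an
                   attacker has rewritten in the preauthenticated area.
    """
    SUB_RESOURCE_ATTR = {"img": "src", "script": "src", "link": "href",
                         "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.sub_resources = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = "href" if tag == "a" else self.SUB_RESOURCE_ATTR.get(tag)
        if wanted is None:
            return
        for key, val in attrs:
            if key == wanted and val and val.lower().startswith("http://"):
                (self.links if tag == "a" else self.sub_resources).append(val)


def scan_page(html):
    """Return (http_sub_resources, http_links) found in the page."""
    scanner = PageScanner()
    scanner.feed(html)
    return scanner.sub_resources, scanner.links


# Constructed sample data (not captured from a real application).
SAMPLE_SET_COOKIE = [
    "JSESSIONID=8A3F0C2B1E; Path=/; HttpOnly",        # no Secure: leaks over HTTP
    "PREF=lang%3Den; Path=/; Secure; HttpOnly",
]
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://server/static/site.css">
<script src="https://server/static/app.js"></script>
</head><body>
<img src="http://server/static/logo.png"/>
<a href="http://server/login">Login</a>
<a href="https://server/help">Help</a>
</body></html>"""

if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_SET_COOKIE):
        print(name, "missing:", missing or "nothing")
    session_attrs = parse_set_cookie(SAMPLE_SET_COOKIE[0])[2]
    for url in ("https://server/", "http://server/", "http://server:443/"):
        print("JSESSIONID sent to", url, "->", cookie_sent_to(session_attrs, url))
    print(scan_page(SAMPLE_HTML))
```

Run against a real target, the Set-Cookie list comes from the login response and the HTML from any page in the authenticated area; a session cookie reported as missing Secure, or a page listing any http:// sub-resource or Login link, is the condition the bullets above describe. Note that the scanner looks only at markup; resources loaded by script at run time need a proxy such as the one used throughout this chapter to observe.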

