COMMON MYTH
“No low-privileged users will know that URL. We don’t
reference it anywhere within the application.”
In the example just described, the absence of any genuine access control still
constitutes a serious vulnerability, regardless of how easy it would be to guess
the URL. URLs do not have the status of secrets, either within the application
itself or in the hands of its users. They are displayed on-screen, and appear in
browser histories and the logs of web servers and proxy servers. Users may write
Chapter 8 ■ Attacking Access Controls 219
them down, bookmark them, or email them around. They are not normally
changed periodically, as passwords should be. When users change job roles, and
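Added example, not code from the book: the "hidden URL with no check" pattern described above, beside a version that makes the authorization decision on the server for every request from the authenticated user's role. The path, roles and user names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class User:
    name: str
    role: str  # constructed roles: "admin" or "user"


@dataclass
class Response:
    status: int
    body: str


# Weak pattern: the admin page is merely never linked from the UI. Anyone who
# learns the path (browser history, proxy logs, a forwarded bookmark) is served.
def handle_obscurity_only(user: User, path: str) -> Response:
    if path == "/admin/hidden-console":  # constructed "secret" path
        return Response(200, "user management console")
    return Response(404, "not found")


# Hardened pattern: each route declares who may reach it, and the check runs on
# every request against the session's role, so knowing the URL confers nothing.
ROUTE_ROLES = {  # constructed route table: path -> roles allowed to reach it
    "/admin/hidden-console": {"admin"},
    "/home": {"admin", "user"},
}


def handle_with_access_control(user: User, path: str) -> Response:
    allowed = ROUTE_ROLES.get(path)
    if allowed is None:
        return Response(404, "not found")
    if user.role not in allowed:
        # Deny and leave an audit trail of principal and path for detection.
        print(f"AUDIT denied user={user.name} role={user.role} path={path}")
        return Response(403, "forbidden")
    return Response(200, f"content for {path}")


if __name__ == "__main__":
    low = User("alice", "user")
    print(handle_obscurity_only(low, "/admin/hidden-console"))       # 200: no control
    print(handle_with_access_control(low, "/admin/hidden-console"))  # 403: enforced
```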