whether this uncovers or gives access to any functionality beyond what your user context normally has access to.
■ Test whether the application uses the Referer header as the basis for making access control decisions. For key application functions that you are authorized to access, try removing or modifying the Referer header and determine whether your request is still successful. If not, the application may be trusting the Referer header in an unsafe way.
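The Referer test above, modelled as an added example (not from the book): a Referer-based access check beside a server-side role check, run through the same "with and without Referer" probe for an authorized user. The URL prefix, user names and roles are constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed sample data: session user -> role held on the server side.
ROLES = {"alice": "admin", "bob": "user"}
ADMIN_PAGE = "https://app.example/admin/"  # hypothetical admin URL prefix


@dataclass
class Request:
    user: str                                   # user bound to the authenticated session
    headers: dict = field(default_factory=dict)  # client-supplied headers


def weak_admin_check(req: Request) -> bool:
    """Referer-based check: allows the request if it appears to come from the
    admin menu. The header is chosen by the client, so this enforces nothing
    and only breaks legitimate requests that omit or strip the Referer."""
    return req.headers.get("Referer", "").startswith(ADMIN_PAGE)


def strong_admin_check(req: Request) -> bool:
    """Server-side check: consult the role bound to the session and ignore
    every client-supplied header."""
    return ROLES.get(req.user) == "admin"


def referer_dependence(check, user: str) -> dict:
    """Runs the book's probe against `check`: the same request from `user`
    sent with and then without a Referer. A check whose outcome changes
    between the two is trusting the Referer for an access decision."""
    with_ref = Request(user, {"Referer": ADMIN_PAGE + "menu"})
    without_ref = Request(user, {})
    return {"with_referer": check(with_ref), "without_referer": check(without_ref)}


if __name__ == "__main__":
    for name, check in (("weak", weak_admin_check), ("strong", strong_admin_check)):
        for user in ROLES:
            print(f"{name:6} {user:5} -> {referer_dependence(check, user)}")
```

For the weak check the authorized admin's request fails as soon as the header is removed, which is exactly the symptom the step above says to look for; the role-based check gives the same answer either way.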
■ Review all client-side HTML and scripts to find references to hidden functionality or functionality that can be manipulated on the client side, such as script-based user interfaces.
Once all accessible functionality has been enumerated, it is necessary to test whether per-user segregation of access to resources is being correctly enforced. In every instance where the application grants users access to a subset of a wider range of resources of the same type (such as documents, orders, emails, and personal details), there may be opportunities for one user to gain unauthorized access to other resources.
HACK STEPS
■