Where the application uses identifiers of any kind (document IDs,
account numbers, order references, etc.) to specify which resource a user
is requesting, attempt to discover the identifiers for resources to which
you do not have authorized access.
■
If it is possible to generate a series of such identifiers in quick succession
(for example, by creating multiple new documents or orders), use the same
techniques as were described in Chapter 8 for session tokens, to try to discover
any predictable sequences in the identifiers the application produces.
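The kind of analysis described in the two preceding steps can be scripted. The following is an added example (not code from the book) that a developer or tester can run against a batch of identifiers their own application issued in quick succession, to see whether the values follow a fixed stride or look unstructured. The sample identifier lists are constructed for illustration; the `analyze_identifiers` function and its report keys are this example's own names.

```python
"""Added example: check a batch of resource identifiers for predictability.

Assumes the identifiers are listed in the order the application generated
them (e.g. order references observed after creating several orders in a row).
All sample values below are constructed, not taken from any real system.
"""
import math
import re
from collections import Counter

# Constructed samples of identifiers observed in quick succession.
SEQUENTIAL_IDS = ["ORD-100231", "ORD-100232", "ORD-100233", "ORD-100234", "ORD-100235"]
STRIDED_IDS = ["40010", "40020", "40030", "40040"]
RANDOM_IDS = ["a9f3c1e2b7d4", "0c4e91ab77f2", "e21b0d5f9a36", "7fd3a0c48b91"]

# Optional alphabetic/dash prefix followed by a purely numeric body.
NUMERIC_ID = re.compile(r"^[A-Za-z-]*(\d+)$")


def numeric_part(identifier):
    """Return the numeric body of a prefix+number identifier, or None if it has none."""
    match = NUMERIC_ID.match(identifier)
    return int(match.group(1)) if match else None


def shannon_entropy(text):
    """Per-character Shannon entropy of a string, in bits."""
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def analyze_identifiers(ids):
    """Classify a batch of identifiers issued in order.

    Returns a dict whose "pattern" key is one of:
      "insufficient-samples" - fewer than three identifiers supplied
      "sequential"           - numeric body increases by exactly 1 each time
      "fixed-stride"         - numeric body changes by a constant other than 1
      "no-fixed-stride"      - no constant step; entropy of the pooled text is reported
    """
    if len(ids) < 3:
        return {"pattern": "insufficient-samples", "samples": len(ids)}

    numbers = [numeric_part(i) for i in ids]
    if all(n is not None for n in numbers):
        deltas = [b - a for a, b in zip(numbers, numbers[1:])]
        if len(set(deltas)) == 1 and deltas[0] != 0:
            stride = deltas[0]
            return {
                "pattern": "sequential" if abs(stride) == 1 else "fixed-stride",
                "stride": stride,
                # If the pattern holds, this is the value the next issue would take.
                "next_expected": numbers[-1] + stride,
                "samples": len(ids),
            }

    # No constant step: report how much variety the characters actually carry.
    return {
        "pattern": "no-fixed-stride",
        "entropy_bits_per_char": round(shannon_entropy("".join(ids)), 3),
        "samples": len(ids),
    }


if __name__ == "__main__":
    for name, batch in (("sequential", SEQUENTIAL_IDS),
                        ("strided", STRIDED_IDS),
                        ("random", RANDOM_IDS)):
        print(name, analyze_identifiers(batch))
```

A "sequential" or "fixed-stride" result means the next identifier is trivially guessable, so the resource must be protected by a server-side authorization check on every request rather than by the obscurity of its reference. A high entropy figure on its own does not prove unpredictability (a hash of a counter is high-entropy but still derivable), so treat "no-fixed-stride" as "nothing obvious found", not as a clean bill of health.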
■
If it is not possible to generate any new identifiers, then you are
restricted to analyzing the identifiers that you have already discovered,
or even using plain guesswork. If the identifier has the form of a GUID, it