Very often, you will discover that your initial attempted exploits do not actually get returned unmodified by the server, and so do not succeed in executing your JavaScript. If this happens, do not give up! Your next task is to determine what server-side processing is occurring that is affecting your input. There are three broad possibilities:

■ The application has identified an attack signature and has blocked your input altogether.
■ The application has accepted your input but has performed some kind of sanitization or encoding on the attack string.
■ The application has truncated your attack string to a fixed maximum length.

We will look at each scenario in turn and discuss various ways in which the obstacles presented by the application's processing can be bypassed.
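The three outcomes above can be told apart by comparing what was submitted with what the response reflects. The following is an added example, not code from the original text: it classifies one response for developers and testers checking how their own application's input handling behaves. The markers, the inert probe string, the function name and the sample responses are all constructed assumptions.

```python
import html

HEAD, TAIL = "zq7a", "k9xw"                  # constructed alphanumeric markers
PROBE = HEAD + "<i title=\"t\">'" + TAIL      # inert markup between the markers


def classify(probe, status, body):
    """Return (verdict, detail) describing how `probe` came back in `body`."""
    if probe in body:
        return ("unmodified", None)
    if HEAD not in body:
        # Nothing of the probe was reflected: the input was rejected outright.
        return ("blocked", f"HTTP {status}")
    start = body.index(HEAD)
    if TAIL in body[start:]:
        # Both markers survived, so only the characters between them changed.
        end = body.index(TAIL, start) + len(TAIL)
        reflected = body[start:end]
        if reflected == html.escape(probe):
            return ("encoded", reflected)
        return ("sanitized", reflected)
    # Head reflected but tail missing: count the raw characters that survived.
    n = len(HEAD)
    while n < len(probe) and body[start:start + n + 1] == probe[:n + 1]:
        n += 1
    return ("truncated", n)


if __name__ == "__main__":
    # Constructed sample responses, one per behaviour described in the text.
    samples = [
        (403, "<html><body>Request rejected</body></html>"),
        (200, f"<p>You searched for: {html.escape(PROBE)}</p>"),
        (200, f"<p>You searched for: {HEAD}'{TAIL}</p>"),
        (200, f"<p>You searched for: {PROBE[:10]}</p>"),
    ]
    for status, body in samples:
        print(classify(PROBE, status, body))
```

The "encoded" and "sanitized" verdicts both fall under the second possibility in the list; they are separated here because the reflected text shows which of the two the application applied.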