The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

Download 5,76 Mb.

Pdf ko'rish

bet	709/875
Sana	01.01.2022
Hajmi	5,76 Mb.
	#293004

1 ... 705 706 707 708 709 710 711 712 ... 875

Bog'liq
3794 1008 4334

Chapter 12

C O M M O N M Y T H

“This XSS bug isn’t exploitable. I can’t get my attack to

work as a

GET

request.”

If a reflected XSS flaw can only be exploited using the

POST

method, the

application is still vulnerable to various attack delivery mechanisms, including

ones that employ a malicious third-party web site.

In some situations, converting an attack that uses the

GET

method into one

that uses the

POST

method may enable you to bypass certain filters. Many

applications perform some generic application-wide filtering of requests for

Chapter 12

■

Attacking Other Users

413

70779c12.qxd:WileyRed 9/14/07 3:14 PM Page 413

known attack strings. If an application expects to receive requests using the

GET

method, it may perform this filtering on the URL query string only. By con-

verting a request to use the

POST

method, you may be able to bypass this filter

entirely.

Download 5,76 Mb.

Do'stlaringiz bilan baham:

1 ... 705 706 707 708 709 710 711 712 ... 875