receives and processes input that you can control. Any such channels are suitable attack vectors for introducing stored XSS attacks. Review the output of your application mapping exercises (see Chapter 4) to identify every possible area of attack surface.
■ If the application allows files to be uploaded and downloaded, always probe this functionality for stored XSS attacks. If the application allows HTML or text files, and does not validate or sanitize their contents, then it is almost certainly vulnerable. If it allows JPEG files and does not validate that they contain valid images, then it is probably vulnerable to attacks against Internet Explorer users. Test the application's handling of each file type that it supports, and confirm how browsers handle responses containing HTML instead of the normal content type.
</gra_replace>
<gr_insert after="13" cat="add_content" lang="python" orig="responses">
The two weaknesses this step probes (a file whose bytes are not what its extension claims, and a download served in a way that lets the browser treat it as HTML) are the same two things a defender has to check on the server side. The following is an added example, not code from the book: a small upload validator that ignores the attacker-controlled extension and Content-Type and inspects the bytes instead, plus the response headers a download endpoint should send so the browser never sniffs a file into a document. The allow list of types, the markup regex and the helper names are assumptions made for this example.

```python
import re

# Magic-byte signatures for the image types this hypothetical application accepts.
# The allow list itself is a policy choice made up for this example.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Extension -> the only MIME type we will ever serve that file as.
ALLOWED_EXT = {
    "jpg": "image/jpeg", "jpeg": "image/jpeg",
    "png": "image/png", "gif": "image/gif",
    "txt": "text/plain",
}

# For text uploads: anything that looks like markup is refused rather than
# stored, since a .txt served with the wrong headers is just an HTML page.
HTML_MARKER = re.compile(rb"<\s*/?\s*(script|html|body|iframe|svg|img|meta|object|embed)\b", re.IGNORECASE)


def sniff_type(data: bytes):
    """Identify an image by its leading bytes; None if it matches no known signature."""
    for mime, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return mime
    return None


def validate_upload(filename: str, data: bytes):
    """Return (accepted, mime_type_or_reason).

    Neither the extension nor the client-supplied Content-Type is trusted to
    describe the content; the extension only selects which check we apply.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = ALLOWED_EXT.get(ext)
    if expected is None:
        return False, "extension not on the allow list"
    if expected.startswith("image/"):
        actual = sniff_type(data)
        if actual != expected:
            # e.g. "photo.jpg" whose bytes start with "<html>": reject outright
            return False, "content does not match the image type the extension claims"
        return True, expected
    # text/plain branch
    if HTML_MARKER.search(data):
        return False, "text upload contains HTML markup"
    return True, expected


def download_headers(validated_mime: str, filename: str):
    """Headers for serving a stored upload so the browser cannot render it as a page."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        # Only the type we validated at upload time, never the stored request's value
        "Content-Type": validated_mime,
        # Stops content sniffing, the behaviour the IE warning above relies on
        "X-Content-Type-Options": "nosniff",
        # Offer the file for download instead of inline rendering
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        # If it is ever rendered anyway, no script can run from it
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # Constructed sample uploads: a minimal JPEG header and a disguised HTML file.
    jpeg_like = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    disguised = b"<html><body><script>alert(1)</script></body></html>"
    print(validate_upload("photo.jpg", jpeg_like))   # (True, 'image/jpeg')
    print(validate_upload("photo.jpg", disguised))   # (False, '...does not match...')
    print(download_headers("image/jpeg", "my photo.jpg"))
```

The validator deliberately rejects a mismatch instead of "correcting" the type, because a file that claims to be an image but is not one is itself the signal worth logging. Serving uploads from a separate origin with no session cookies is the usual complement to these headers, so that even a file that slips through cannot run in the application's own origin.
<test>
assert validate_upload("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16) == (True, "image/jpeg")
assert validate_upload("photo.jpg", b"<html><script>alert(1)</script>")[0] is False
assert validate_upload("img.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8) == (True, "image/png")
assert validate_upload("anim.gif", b"GIF89a" + b"\x00" * 8) == (True, "image/gif")
assert validate_upload("notes.txt", b"hello world") == (True, "text/plain")
assert validate_upload("notes.txt", b"plain then <SCRIPT>x</SCRIPT>")[0] is False
assert validate_upload("page.html", b"<html></html>") == (False, "extension not on the allow list")
assert validate_upload("noext", b"data")[0] is False
assert sniff_type(b"<html>") is None
h = download_headers("image/jpeg", "my photo.jpg")
assert h["X-Content-Type-Options"] == "nosniff"
assert h["Content-Type"] == "image/jpeg"
assert h["Content-Disposition"] == 'attachment; filename="my_photo.jpg"'
</test>
</gr_insert>
<gr_replace lines="14-15" cat="remove_boilerplate" orig="■">
■
Do'stlaringiz bilan baham: |