cookies have no effect on any of the various other attack payloads that XSS flaws can be used to deliver. For example, the attack of inducing compromised users to perform an arbitrary action, as employed in the MySpace worm, is unaffected. Not all browsers support HttpOnly cookies, meaning that they cannot always be relied upon to be effective. Further, as described next, in some circumstances session hijacking is still possible even when HttpOnly cookies are used.
Cross-site tracing (or XST) is an attack technique that in some circumstances can bypass the protection offered by HttpOnly cookies, and enable client-side JavaScript to gain access to the values of cookies flagged as HttpOnly.
The technique uses the HTTP TRACE method, which is designed for diagnostic purposes and is enabled on many web servers by default. When a server receives a request using the TRACE method, the defined behavior is for it to