Chapter 12  ■ Attacking Other Users

■

Attacking Other Users

In each of these cases, an absolute or relative URL may be specified.

HACK STEPS

■

Identify every instance within the application where a redirect occurs.

■

An effective way to achieve this is to walk through the application using

an intercepting proxy, and monitor the requests made for actual pages

(as opposed to other resources like images, style sheets, script files, etc.).

■

If a single navigation action results in more than one request in succes-

The majority of redirects are not user-controllable. For example, in a typical

login mechanism, submitting valid credentials to 

/login.jsp

might return an

HTTP redirect to 

/myhome.jsp

. The target of the redirect is always the same, so

it is not subject to any vulnerabilities involving redirection. 

However, in other cases, data supplied by the user is used in some way to

set the target of the redirect. A common instance of this is where an application

forces users whose sessions have expired to return to the login page and then

redirects them back to the original URL following successful reauthentication.

If you encounter this type of behavior, then the application may be vulnerable

to a redirection attack, and you should investigate further to determine

whether the behavior is exploitable.

■