The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws
Preventing Frame Injection

There are two available mitigations to frame injection vulnerabilities:

■ If there is no requirement for the application's different frames to intercommunicate, remove frame names altogether and make them anonymous. However, because intercommunication is normally required, this option is usually not feasible.

■ Use named frames but make them unique to each session and unpredictable. One possible option is to append the user's session token to each base frame name such as main_display.
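The second mitigation, as an added example that is not the book's own code: frame names are derived per session from a base name such as main_display, so an attacker who does not hold the session cannot predict the name to target. The server key, session IDs and base frame names are constructed for the example; the suffix here is an HMAC of the session ID under a server-side key (an assumption of this example) rather than the raw session token, so the token itself never appears in the markup.

```python
import hmac
import hashlib
import html

# Base frame names used by the hypothetical application's frameset.
BASE_FRAME_NAMES = ("nav", "main_display", "status")


def frame_name(base, session_id, server_key):
    """Derive a per-session, unpredictable frame name from a base name.

    The book appends the session token itself; this example instead appends
    an HMAC of the session ID under a server-side key, so the name is still
    unique to the session and unpredictable without it, but the raw token
    is not written into the page.
    """
    mac = hmac.new(server_key, f"{base}:{session_id}".encode(), hashlib.sha256)
    return f"{base}_{mac.hexdigest()[:32]}"


def render_frameset(session_id, server_key):
    """Render a frameset whose frame names are unique to this session."""
    frames = []
    for base in BASE_FRAME_NAMES:
        name = frame_name(base, session_id, server_key)
        frames.append(f'<frame name="{html.escape(name)}" src="/{base}">')
    return '<frameset cols="20%,*,20%">\n' + "\n".join(frames) + "\n</frameset>"


def is_valid_frame_name(candidate, session_id, server_key):
    """Return the base name if candidate is one of this session's frames, else None.

    Use this when a client-supplied target name must be matched against the
    session's own frames only; an unsuffixed or foreign-session name is rejected.
    """
    for base in BASE_FRAME_NAMES:
        expected = frame_name(base, session_id, server_key)
        if hmac.compare_digest(candidate, expected):
            return base
    return None
```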

Request Forgery

This category of attack (also known as session riding) is closely related to session hijacking attacks, in which an attacker captures a user's session token and so is able to use the application "as" that user. With request forgery, however, the attacker need never actually know the victim's session token. Rather, the attacker exploits the normal behavior of web browsers in order to hijack a