The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

Response Length

It is common for dynamic application pages to construct responses using a

page template (which has a fixed length), and insert per-response content into

this template. If the per-response content does not exist or is invalid (e.g., an

incorrect document ID was requested), the application might simply return an

empty template. In this situation, the response length is a reliable indicator of

whether a valid document ID has been identified.

In other situations, different response lengths may point towards the occur-

rence of an error or the existence of additional functionality. In the authors’

experience, the HTTP status code and response length indicators have been

found to provide a highly reliable means of identifying anomalous responses

in the majority of cases.

Response Body

It is very common for the data actually returned by the application to contain

literal strings or patterns that can be used to detect hits. For example, when an

invalid document ID is requested, the response might contain the string

Invalid document ID

. In some cases, where the HTTP response code does not

vary, and the overall response length is changeable due to the inclusion of

dynamic content, searching responses for a specific string or pattern may be

the most reliable means of identifying hits.

Location Header

In some cases, the application will respond to every request for a particular

URL with an HTTP redirect (a 302 status code), where the target of the redirec-

tion depends upon the parameters submitted in the request. For example, a

request to view a report might result in a redirect to 

/download.jsp

if the sup-

plied report name is correct, or to 

/error.jsp

if it is incorrect. The target of an

HTTP redirect is specified in the 

Location

header, and can often be used as a

way of identifying hits.

Download 5,76 Mb.

Do'stlaringiz bilan baham: