The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws



You can right-click on any interesting-looking result and send the response to the Burp Repeater tool. This enables you to modify the request manually and reissue it multiple times, to test the application’s handling of different payloads, probe for filter bypasses, or deliver actual exploits.

Chapter 13: Automating Bespoke Attacks (page 501)




Chapter Summary

When you are attacking a web application, the majority of the necessary tasks need to be tailored to that application’s behavior and the methods by which it enables you to interact with and manipulate it. Because of this, you will often find yourself working manually, submitting individually crafted requests, and reviewing the application’s responses to these.

The techniques we described in this chapter are conceptually intuitive. They involve leveraging automation to make these bespoke tasks easier, faster, and more effective. It is possible to automate virtually any manual procedure that you wish to carry out — using the power and reliability of your own computer to attack the defects and weak points of your target.

Although conceptually straightforward, using bespoke automation in an effective way requires experience, skill, and imagination. There are tools that will help you, or you can write your own. But there is no substitute for the intelligent human input that distinguishes a truly accomplished web application hacker from a mere amateur. When you have mastered all of the techniques described in the other chapters of this book, you should return to this topic, and practice the different ways in which bespoke automation can be used in the application of those techniques.

Questions

Answers can be found at www.wiley.com/go/webhacker.

1. Identify three identifiers of hits when using automation to enumerate identifiers within an application.

2. For each of the following categories, identify one fuzz string that can often be used to identify it:
   (a) SQL injection
   (b) OS command injection
   (c) Path traversal
   (d) Script file inclusion

3. When you are fuzzing a request that contains a number of different parameters, why is it important to perform requests targeting each parameter in turn and leaving the others unmodified?
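The one-parameter-at-a-time fuzzing that question 3 asks about has a mirror image on the server side. As an added example (not from the book; the log format handling and the sample log lines are constructed), this Python script scans access-log entries for a client that varies exactly one query parameter of one endpoint while holding the others fixed, and flags the probes whose status or response size departed from that campaign's baseline, which are the requests a defender would pull for investigation.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Common Log Format: client, ident, user, [time], "METHOD target PROTO", status, bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) (\d+)')

# Constructed sample log (not real traffic): 10.0.0.5 varies only q against
# /search while cat stays fixed; one probe draws a different status and size.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2022:10:00:01 +0000] "GET /search?cat=1&q=probe-1 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2022:10:00:02 +0000] "GET /search?cat=1&q=probe-2 HTTP/1.1" 500 312
10.0.0.5 - - [01/Jan/2022:10:00:03 +0000] "GET /search?cat=1&q=probe-3 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2022:10:00:04 +0000] "GET /search?cat=1&q=probe-4 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2022:10:00:05 +0000] "GET /search?cat=2&q=boots HTTP/1.1" 200 4870
10.0.0.9 - - [01/Jan/2022:10:00:06 +0000] "GET /search?cat=3&q=hats HTTP/1.1" 200 4311
10.0.0.9 - - [01/Jan/2022:10:00:07 +0000] "GET /search?cat=4&q=socks HTTP/1.1" 200 4098
"""

def parse_line(line):
    """Return (ip, method, path, params, status, size) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status, size = m.groups()
    parts = urlsplit(target)
    return ip, method, parts.path, dict(parse_qsl(parts.query, keep_blank_values=True)), int(status), int(size)

def find_fuzz_campaigns(log_text, min_requests=3):
    """Find clients varying exactly one parameter of one endpoint while the rest stay fixed;
    report the most common (status, size) as baseline and the probes that departed from it."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ip, method, path, params, status, size = rec
            groups[(ip, method, path)].append((params, status, size))
    campaigns = []
    for (ip, method, path), reqs in groups.items():
        names = set(reqs[0][0])
        if len(reqs) < min_requests or any(set(p) != names for p, _, _ in reqs):
            continue  # too few requests, or the parameter set itself changes
        varying = [n for n in sorted(names) if len({p[n] for p, _, _ in reqs}) > 1]
        if len(varying) != 1:
            continue  # ordinary browsing usually changes several fields at once
        baseline = Counter((s, z) for _, s, z in reqs).most_common(1)[0][0]
        anomalies = [(p[varying[0]], s, z) for p, s, z in reqs if (s, z) != baseline]
        campaigns.append({"client": ip, "endpoint": f"{method} {path}", "parameter": varying[0],
                          "requests": len(reqs), "baseline": baseline, "anomalies": anomalies})
    return campaigns
```

On the sample log, only 10.0.0.5 is reported (10.0.0.9 changes two fields per request), with the probe-2 request flagged as the one response that differed from the baseline.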
