The past experience of hundreds of companies who have been victimized through web application vulnerabilities teaches us that predicting the functionality of an application that might be considered worthwhile to attack.
For the purposes of discussion, let's use the poorly written GoatFriend social network as our example. Suppose the button to close one's account leads to a confirmation page, and that page contains a link like this:

Yes, I want to close my account.

Discard Unnecessary Information, and Fake the Necessary

Once an attacker finds the request that he wants to falsify, he can examine the included parameters to determine which are truly unnecessary. Such parameters can cause detection or unpredictable errors when the attack script fixes them to whatever value the attacker happened to observe while putting the script together. Web application requests often include parameters that are not strictly necessary and may be collected only for legacy or marketing-analytics purposes. In our experience, several common parameters can be discarded, such as site-entry pages, user IDs from analytics packages, and tokens used to save state across multiple forms.
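The procedure above, as an added example that is not code from the book: the captured GoatFriend URL, every parameter name in it, the discard patterns and the toy server are all constructed for illustration, since the book does not show the real query string. The script classifies the captured parameters, drops the three classes the text calls discardable, shows why a state token copied verbatim from one session fails against another, and then greedily checks whether each surviving parameter is actually needed.

```python
"""Trim a captured request down to the parameters the server really needs.

Added example, not code from the book: the captured GoatFriend URL, the
parameter names, the discard patterns and the toy server are all constructed.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed capture of the close-account link; the book does not show the
# real query string, so every parameter name here is an assumption.
CAPTURED = ("http://goatfriend.example/account/close?confirm=yes"
            "&entry=profile&_ga=GA1.2.123456.98765&formstate=s-77ab"
            "&utm_source=newsletter&redirect=%2Fhome")

# Name patterns for the three classes the book says are usually discardable
# (assumed names; a real engagement would build this list from the capture).
DISCARDABLE = {
    "entry page":       re.compile(r"^(entry|entry_page|referrer)$", re.I),
    "analytics id":     re.compile(r"^(_ga|_gid|utm_\w+)$", re.I),
    "form state token": re.compile(r"^(formstate|viewstate|wizard_step)$", re.I),
}

def classify(name):
    """Return 'necessary' or the reason a parameter is a discard candidate."""
    for reason, pat in DISCARDABLE.items():
        if pat.match(name):
            return reason
    return "necessary"

def with_query(url, params):
    """Rebuild url with params (list of (name, value)) as its query string."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=urlencode(params)))

def minimise(url):
    """Drop the discard candidates; return (trimmed_url, {name: reason})."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    keep = [(n, v) for n, v in params if classify(n) == "necessary"]
    dropped = {n: classify(n) for n, _ in params if classify(n) != "necessary"}
    return with_query(url, keep), dropped

def toy_server(url, session_formstate="s-99zz"):
    """Assumed target behaviour: confirm=yes is required; a formstate that
    does not match the victim's *current* session is rejected and logged,
    which is the detection / unpredictable-error case the text warns about."""
    q = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if q.get("formstate") not in (None, session_formstate):
        return "error: stale form state (logged)"
    if q.get("confirm") != "yes":
        return "error: not confirmed"
    return "account closed"

def prune(url, probe):
    """Greedy check: starting from a request the probe accepts, drop each
    remaining parameter one at a time and keep the drop only if the probe
    still succeeds. Returns the smallest request found."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    for name, _ in list(params):
        trial = [(n, v) for n, v in params if n != name]
        if probe(with_query(url, trial)):
            params = trial
    return with_query(url, params)

def craft(url=CAPTURED):
    """Run the whole procedure against the toy server and report each stage."""
    trimmed, dropped = minimise(url)
    ok = lambda u: toy_server(u) == "account closed"
    return {
        "verbatim": toy_server(url),      # replaying the capture as-is
        "trimmed": toy_server(trimmed),   # after discarding the usual suspects
        "dropped": dropped,
        "final": prune(trimmed, ok) if ok(trimmed) else None,
    }

if __name__ == "__main__":
    import json
    print(json.dumps(craft(), indent=2))
```

Replaying the capture verbatim fails because the copied formstate token belongs to the attacker's old session; after the discardable classes are removed the request succeeds, and the greedy pass then shows that `redirect` was never required either, leaving `confirm=yes` as the only parameter the forged request must carry.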