The Web Application Hacker's Handbook Quotes
The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws
by Dafydd Stuttard (1,227 ratings, 4.23 average rating, 60 reviews)
“The principal areas of vulnerability arise from defects in how tokens are generated, enabling an attacker to guess the tokens issued to other users, and defects in how tokens are subsequently handled, enabling an attacker to capture other users' tokens.”
― The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws
“The SQL statement is passed as a simple string. If user-controllable input is part of the string parameter, the application is probably vulnerable to SQL injection.”
― The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws
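The quote above describes the tell-tale pattern: a SQL statement assembled as a plain string with user input inside it. The following is an added example, not code from the book or its authors. It uses an in-memory SQLite table with constructed sample rows to contrast the string-built query with its parameterised form, and adds a small code-review helper (assumed names flag_string_built_queries and SAMPLE_SOURCE) that walks Python source and reports execute() calls whose statement is built by concatenation, %-formatting, .format() or an f-string.

```python
import ast
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the demonstration (not from the book)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "user"), ("bob", "user"), ("daf", "admin")],
    )
    conn.commit()
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """The pattern the quote warns about: the statement is a simple string and
    the user-controllable value is spliced into it. A single quote in `name`
    changes the statement's structure, so the lookup no longer means what the
    developer intended."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the statement text is fixed at development time and the
    value travels separately as a bound parameter, so it can only ever be
    compared as data."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def flag_string_built_queries(source: str) -> list:
    """Review helper (assumed name): line numbers of execute()/executemany()
    calls whose first argument is built dynamically. It only inspects the
    argument expression itself; a string assembled earlier and passed via a
    variable is not detected, so treat a clean result as a starting point."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (
            isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr in ("execute", "executemany")
            and node.args
        ):
            continue
        arg = node.args[0]
        dynamic = (
            isinstance(arg, ast.BinOp)  # "..." + x   or   "..." % x
            or isinstance(arg, ast.JoinedStr)  # f"..."
            or (
                isinstance(arg, ast.Call)
                and isinstance(arg.func, ast.Attribute)
                and arg.func.attr == "format"  # "...".format(x)
            )
        )
        if dynamic:
            hits.append(node.lineno)
    return hits


# Constructed source snippet used to exercise the review helper.
SAMPLE_SOURCE = '''\
def bad(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = '" + name + "'")
def good(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))
'''


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("concat:", lookup_concat(db, probe))   # every row comes back
    print("param: ", lookup_param(db, probe))    # no such user: []
    print("review hits on sample source:", flag_string_built_queries(SAMPLE_SOURCE))
```

The review helper is deliberately conservative: it reports the shape the quote describes (a dynamically built string as the statement parameter) rather than trying to prove exploitability, which is what a reviewer then confirms by hand.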
“If user-controllable data is passed to these APIs, an attacker may be able to exploit these to access arbitrary files on the server filesystem: fopen, readfile, file, fpassthru, gzopen, gzfile, gzpassthru, readgzfile, copy, rename, rmdir, mkdir, unlink, file_get_contents, file_put_contents, parse_ini_file”
― The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws
“Each time the user makes a request, the page token is validated against the last value issued, in addition to the normal validation of the main session token. In the case of a non-match, the entire session is terminated. Many of the most security-critical web applications on the Internet, such as online banks, employ per-page tokens to provide increased protection for their session management mechanism,”
― The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws
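The per-page token scheme in the quote above, as an added example that is not the book's own code: a session store (assumed names SessionStore and handle_request) issues a fresh page token on every request, validates each incoming page token against the last one issued alongside the main session token, and terminates the whole session on a mismatch. Tokens come from the operating system CSPRNG via the secrets module, and the comparison is constant-time.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    session_id: str
    user: str
    page_token: str   # the last page token issued; only this value is accepted next


class SessionStore:
    """Assumed-name, in-memory session store for the demonstration."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    @staticmethod
    def _new_token() -> str:
        # 128 bits from the OS CSPRNG: no user/app/date structure to reverse.
        return secrets.token_hex(16)

    def create(self, user: str) -> Session:
        session = Session(self._new_token(), user, self._new_token())
        self._sessions[session.session_id] = session
        return session

    def is_alive(self, session_id: str) -> bool:
        return session_id in self._sessions

    def handle_request(self, session_id: str, page_token: str):
        """Validate main session token, then the page token.

        Returns (ok, next_page_token). On success the caller must embed
        next_page_token in the response (form field, link parameter) because
        the previous value is no longer accepted. On a page-token mismatch the
        entire session is discarded, as the quote describes."""
        session = self._sessions.get(session_id)
        if session is None:
            return False, None   # main session token invalid or already terminated
        # encode() so compare_digest works even if the supplied token is not ASCII
        if not secrets.compare_digest(page_token.encode(), session.page_token.encode()):
            del self._sessions[session_id]   # non-match: terminate the session
            return False, None
        session.page_token = self._new_token()   # rotate for the next request
        return True, session.page_token


if __name__ == "__main__":
    store = SessionStore()
    s = store.create("daf")
    ok, t1 = store.handle_request(s.session_id, s.page_token)
    print("first request ok:", ok)
    ok, _ = store.handle_request(s.session_id, s.page_token)   # stale token replayed
    print("replay accepted:", ok, "session alive:", store.is_alive(s.session_id))
```

Operationally this makes a captured or guessed session token much less useful on its own, since the attacker also needs the current page token and a single wrong value ends the session; the trade-off is that legitimate use of the browser back button or multiple tabs produces mismatches, which is why the quote notes the scheme in security-critical applications rather than everywhere.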
“The good news is you don't have to do any of this manually! The best tool that is currently available for testing the randomness of web application tokens is Burp Sequencer. This tool applies several standard tests in a flexible way and gives you clear results that are easy to interpret.”
― The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws
“Guessing that the string may actually be a hex encoding of a string of ASCII characters, you can run it through a decoder to reveal the following: user = daf; app = admin; date = 10/09/11. Attackers can exploit the meaning within this session token to attempt to guess the current sessions of other application users.”
― The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws
“For example, an application may attempt to defend against some cross-site scripting attacks by stripping the expression <script> from any user-supplied data. However, an attacker may be able to bypass the filter by supplying the following input: <scr<script>ipt>”
― The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws
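Why the single-pass stripping filter in the quote above fails, and what to do instead, as an added example that is not the book's own code. strip_once is the filter as described; strip_until_stable (assumed name) repeats the removal until the output stops changing, which closes the nesting trick but is still a blacklist; render_safe encodes the data for an HTML context with html.escape, which is the approach that does not depend on anticipating every variant of the tag.

```python
import html
import re

# The expression the quote's filter removes (matched case-insensitively).
SCRIPT_TAG = re.compile(r"<script>", re.IGNORECASE)


def strip_once(data: str) -> str:
    """The quote's filter: every '<script>' substring is removed in one pass.
    The pieces left on either side of a removed occurrence are joined, so
    '<scr' + 'ipt>' reassembles into exactly the expression that was stripped."""
    return SCRIPT_TAG.sub("", data)


def strip_until_stable(data: str) -> str:
    """Assumed-name variant: repeat the removal until a fixpoint is reached.
    This defeats the nesting bypass from the quote, but it still only knows
    about the one literal expression it was told to remove."""
    while True:
        stripped = SCRIPT_TAG.sub("", data)
        if stripped == data:
            return stripped
        data = stripped


def render_safe(data: str) -> str:
    """Output encoding for an HTML text/attribute context: '<', '>', '&' and
    quotes become entities, so no markup survives whatever the nesting."""
    return html.escape(data, quote=True)


def contains_script_tag(rendered: str) -> bool:
    """Check used by the demonstration: does a script tag survive in the output?"""
    return SCRIPT_TAG.search(rendered) is not None


if __name__ == "__main__":
    bypass = "<scr<script>ipt>"   # the input from the quote
    print("strip_once      ->", repr(strip_once(bypass)))
    print("strip_until_stable ->", repr(strip_until_stable(bypass)))
    print("render_safe     ->", repr(render_safe(bypass)))
```

The behaviour worth internalising is that a sanitiser which removes content creates a new string the attacker also controls; the output of the filter, not its input, is what the browser sees, so any removal-based filter has to be evaluated on its own output, and context-appropriate encoding at the point of output avoids the problem entirely.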
