How to Break Web Software
Ch. 2: Gathering Information on
the Target
3 attacks
1. Panning for gold
1. Guessing files and directories
1. Holes left by other people –
vulnerabilities in sample applications
Attack 1: Panning for gold
•
WHEN: the first attack to apply
•
Goal: gathering as much information as possible
•
4 phases – what to look for:
–
Comments embedded in HTML source code
–
Sensitive information in HTML source code
–
Server-side error messages and HTTP responses
–
Application error messages
Attack 1: Panning for gold
HOW
Step 1: create a site map
-
Using a tool: wget, BlackWidow
OR
-
Preferably: manually – following every link
on a site
Creating a page map
- 1
- 2
- 3
前往页