Forgery shenanigans
Once you've seen how legitimate requests of the web application are formatted and populated for legitimate flows, the same methods and tools can be used to craft your own requests, without the need for a client's browser. Hackers may use this method to conduct large-scale operations against a web application, but we as testers can also use this to more completely test possible validation flaws for fields not normally submitted. An example may be in a dynamic form page where a client-side validation may normally hide fields contextually, based on prior selections, check boxes, and so on. Forging requests can allow us to submit incrementing fields or build parameter combinations. These flaws are common in applications that ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access