Identifying Insecure Design Patterns

As we'll demonstrate throughout this chapter, the methodology of attacking predictable resources is basic. Select a portion of the Uniform Resource Identifier (URI), change its value, and observe the results. This is as simple as guessing whether directories exist (for example, /admin/ or /install/), looking for common file suffixes (for example, index.cgi.bak or login.aspx.old), cycling through numeric URI parameters (for example, userid=1, userid=2, userid=3, …), or replacing expected values (for example, page=index.html becomes page=login.cgi). Because the concept of predictability attacks is so simple and the methodology is uncomplicated, the attacks lend themselves very well to automation. Launch a ...
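The four guessing techniques listed above, as an added example written for this page rather than code from the book or its author: each technique is a small URL generator, the candidates are run through a pluggable fetcher, and anything that does not answer 404 is reported. The wordlists, the `example.test` host, and the in-memory target site that stands in for a real server are all constructed for illustration; swap in a real fetcher (for example one built on `urllib.request`) only against systems you are authorised to test.

```python
"""Predictable-resource enumeration: directory guessing, backup-file
suffixes, numeric parameter cycling and parameter value replacement.
Added example; the wordlists and fake target are illustrative only."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed, deliberately short wordlists (real scanners ship thousands).
COMMON_DIRS = ["/admin/", "/install/", "/backup/", "/test/"]
BACKUP_SUFFIXES = [".bak", ".old", ".orig", "~"]


def guess_directories(base, dirs=COMMON_DIRS):
    """Candidate URLs for directories that commonly exist but are unlinked."""
    p = urlsplit(base)
    return [urlunsplit((p.scheme, p.netloc, d, "", "")) for d in dirs]


def backup_variants(url, suffixes=BACKUP_SUFFIXES):
    """Append common editor/backup suffixes to the path (login.aspx -> login.aspx.old)."""
    p = urlsplit(url)
    return [urlunsplit(p._replace(path=p.path + s)) for s in suffixes]


def cycle_numeric_param(url, name, start, stop):
    """Rewrite one numeric query parameter across a range (userid=1, 2, 3, ...)."""
    p = urlsplit(url)
    query = dict(parse_qsl(p.query, keep_blank_values=True))
    out = []
    for n in range(start, stop + 1):
        query[name] = str(n)
        out.append(urlunsplit(p._replace(query=urlencode(query))))
    return out


def replace_param_value(url, name, values):
    """Swap an expected value for other resources (page=index.html -> page=login.cgi)."""
    p = urlsplit(url)
    query = dict(parse_qsl(p.query, keep_blank_values=True))
    out = []
    for v in values:
        query[name] = v
        out.append(urlunsplit(p._replace(query=urlencode(query))))
    return out


def probe(candidates, fetch):
    """Return (url, status) for every candidate the fetcher does not answer with 404.
    fetch(url) must return an HTTP status code."""
    hits = []
    for url in candidates:
        status = fetch(url)
        if status != 404:
            hits.append((url, status))
    return hits


# Constructed in-memory target, keyed on path plus query string.
FAKE_SITE = {
    "/admin/": 401,
    "/login.aspx.old": 200,
    "/profile?userid=1": 200,
    "/profile?userid=2": 200,
    "/profile?userid=3": 403,
    "/view?page=index.html": 200,
    "/view?page=login.cgi": 200,
}


def fake_fetch(url):
    """Stand-in for an HTTP client; looks the URL up in FAKE_SITE."""
    p = urlsplit(url)
    key = p.path + ("?" + p.query if p.query else "")
    return FAKE_SITE.get(key, 404)


def find_predictable_resources(base, fetch):
    """Run all four generators against one site and return the non-404 hits."""
    candidates = []
    candidates += guess_directories(base)
    candidates += backup_variants(base + "login.aspx")
    candidates += cycle_numeric_param(base + "profile?userid=1", "userid", 1, 5)
    candidates += replace_param_value(base + "view?page=index.html", "page",
                                      ["login.cgi", "admin.cgi"])
    return probe(candidates, fetch)


if __name__ == "__main__":
    for url, status in find_predictable_resources("http://example.test/", fake_fetch):
        print(status, url)
```

The `probe` filter on status alone is the naive version: many applications answer every unknown path with a 200 "friendly" error page, so a practical scanner first requests a random path it knows cannot exist, records that response's status and body length, and treats anything matching that fingerprint as a miss. Note also that a 401 or 403 (as for `/admin/` above) is still a hit: it confirms the resource exists, which is exactly the information a guessing attack is after.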
