Web Security Testing Cookbook by Ben Walther, Paco Hope

Chapter 12. Multifaceted Tests

This chapter contributed by Amit Sethi

There are two ways of constructing a software design: one way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult.

C.A.R. Hoare

By now we have shown you many different techniques for testing web applications and their logic. The tests have ranged in difficulty, but we have tried to keep each one focused on a specific part of the web application. We may have targeted input handling, session management, or data encoding, but each test tried to isolate one behavior. In this chapter, we try to put more than one technique together to simulate sophisticated attacks. We still try to be specific and pinpoint faulty logic in the application, but we’re using several techniques at the same time. The recipes in this chapter borrow heavily from prior chapters and assume that you’ve understood and executed the prerequisite recipes before you try these.

12.1. Stealing Cookies Using XSS

Problem

Several recipes in this book discuss how to search for XSS issues. However, XSS may seem like a mysterious attack when given the standard detection mechanism of inserting an alert box into a web page. When you find XSS in an application, you may be called upon to demonstrate why it is really a problem. After all, simply showing that you can type <script>alert("XSS!")</script> into a search box and have ...
