6.5 |
Impersonation Functionality........................................................................................ 118 |
|
6.6 |
Other issues......................................................................................................................... 119 |
|
6.7 |
Authorization...................................................................................................................... 119 |
|
6.8 |
Attack Execution-data stores....................................................................................... 121 |
|
6.9 |
SQL injection....................................................................................................................... 122 |
|
6.9.1 |
Attack Select statement...................................................................................... 123 |
|
6.9.2 |
Attack insert............................................................................................................. 123 |
|
6.9.3 |
Attack update statement.................................................................................... 123 |
|
6.9.4 |
Attacking Delete statement............................................................................... 124 |
|
6.9.5 |
Attacking Using UNION....................................................................................... 124 |
|
6.10 |
NO SQL injection............................................................................................................... 125 |
|
6.11 |
XPath injection................................................................................................................... 126 |
|
6.12 |
LDAP injection.................................................................................................................... 127 |
|
6.13 |
Attack Execution-Business Logic................................................................................ 128 |
|
6.14 |
Web application Cross Site Scripting( XSS)............................................................. 130 |
|
6.15 |
Echo or reflection based XSS........................................................................................ 131 |
|
6.16 |
Stored script attack.......................................................................................................... 132 |
|
6.17 |
Data Object Model Based XSS...................................................................................... 134 |
|
6.18 |
QUIZ:...................................................................................................................................... 136 |
|
Chapter 7 |
Attack execution( 3)............................................................................................. 138 |
|
7.1 |
Attack webserver operating system.......................................................................... 139 |
|
7.2 |
Attack File system............................................................................................................. 141 |
|
7.3 |
Inclusion method.............................................................................................................. 141 |
|
7.4 |
Path traversal method.................................................................................................... 143 |
|
7.5 |
Attack Mail service........................................................................................................... 144 |
|
7.6 |
Header Juggling................................................................................................................. 144 |
|
7.7 |
SMTP command injection.............................................................................................. 146 |
|
7.8 |
Attack XML........................................................................................................................... 148 |
|
7.9 |
Attack SOAP Services....................................................................................................... 149 |
|
7.10 |
Attack Checklist................................................................................................................. 150 |
|
7.11 |
Evade Logging..................................................................................................................... 152 |
|
7.11.1 |
Web Server Logs..................................................................................................... 153 |
|
7.11.2 |
Escape logging:........................................................................................................ 153 |
|
7.11.3 |
Clearing logs:............................................................................................................ 154 |
|