Saturday, September 3, 2016

A simple example of this is when a parameter is appended to the end of a URL.
For example, imagine a system that uses a parameter "auth" to signify whether a user has been authenticated: it prompts for the login procedure if auth=0 and switches the value to auth=1 once a successful login has taken place. As long as auth=1, the user remains authenticated and able to access restricted pages.
Trying to get to a restricted page, a user's browser might submit:
http://www.mycorporatewebapp.com/remotemanagement.asp?auth=0
Bypassing this authentication might then be as simple as changing auth=0 to auth=1.
The question that hackers ask is whether there are alternative URLs, not on the "restricted list", which point to the same restricted pages. For example, imagine a restricted web page:
http://mycorporatedevice/admin/configuration/
What if a hacker were to append an extra "/" at the end of this URL:
http://mycorporatedevice/admin/configuration//
or add some other character like "?" or "%" or "~"? In some cases these URLs are effectively equivalent, even though they look different. If the authentication mechanism only checks for the original URL and not for the variations, then it can easily be bypassed.
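The two weaknesses above (a client-controlled auth flag, and a restricted list matched against the raw URL string) side by side with a hardened check that uses server-side session state and canonicalizes the path before comparing it. This is an added example, not code from the original post; the restricted list, the session store and the sample URLs are constructed for the demonstration.

```python
"""Authorization checks that do not trust the request's own spelling.

Added example (not from the original post).  weak_is_allowed() mirrors the
scheme described in the text; hardened_is_allowed() replaces the client's
auth parameter with server-side session state and reduces every spelling
of a path to one canonical form before consulting the restricted list.
All lists, sessions and URLs below are constructed for the demonstration.
"""
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

RESTRICTED_RAW = {"/admin/configuration/", "/remotemanagement.asp"}
# Same list in canonical form (no trailing slash) for the hardened check.
RESTRICTED = {"/admin/configuration", "/remotemanagement.asp"}
# Constructed server-side session store: session id -> authenticated?
SESSIONS = {"s-anon": False, "s-alice": True}


def weak_is_allowed(request_target: str) -> bool:
    """The scheme the post describes: the list is compared against the path
    exactly as received, and a client-supplied auth=1 counts as logged in."""
    parts = urlsplit(request_target)
    if parts.path not in RESTRICTED_RAW:
        return True                      # "//" or "%63" spellings slip past here
    return parse_qs(parts.query).get("auth", ["0"])[0] == "1"


def canonical_path(request_target: str) -> str:
    """Reduce equivalent spellings of a path to one form before comparison."""
    path = urlsplit(request_target).path        # drops "?", query and fragment
    for _ in range(3):                          # bounded loop defeats double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # normpath collapses "//" and resolves "." / ".."; a single leading "/" is
    # forced first because POSIX normpath preserves exactly two leading slashes.
    path = posixpath.normpath("/" + path.lstrip("/"))
    return path.rstrip("/") or "/"


def hardened_is_allowed(request_target: str, session_id: str) -> bool:
    """Server-side session decides authentication; the canonical path decides
    whether the target lies in (or under) a restricted directory."""
    path = canonical_path(request_target)
    protected = any(path == r or path.startswith(r + "/") for r in RESTRICTED)
    return (not protected) or SESSIONS.get(session_id, False)
```

On a case-insensitive backend (IIS-style hosts) the canonical form should also be case-folded, which the block above does not do.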


http://www.w4rri0r.com/attacker-surface/bypass-authentication.html 
