without having knowledge about the application. Business logic implementation for authorization involves an understanding of the various user roles present in the application and, based on those roles, the access that each role is granted. For instance, in an e-commerce application there may be a role of inventory data entry operator and a role of supervisor. The data entry operator should ideally be able to create inventory masters such as stock item name, quantity, price, and so on. The supervisor should view the data entered by the data entry operator and approve it before it is updated on the e-commerce site. If the data entry operator is allowed both to create and to approve the details on the Web application, this is a flaw in the implementation of business logic for authorization. The tester should be able to understand the various user roles of the application and identify any vulnerabilities in the authorization system of the Web application.
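The operator/supervisor workflow above, written out as the server-side check a tester would expect to find and the test cases that exercise it. This is an added example, not code from the book: the role names, the permission matrix and the user names are constructed for illustration. Beyond the plain role check, it also enforces that a user holding both roles cannot approve an item they entered themselves, which is the flaw the paragraph describes.

```python
"""Separation-of-duties check for an inventory approval workflow.

Constructed example (not the book's code): a data-entry operator may
create stock items, a supervisor may approve them, and no single user
may both create an item and approve it.
"""
from dataclasses import dataclass
from typing import Optional, Set

# Permission matrix: role -> set of actions that role may perform.
# Role and action names are made up for the example.
ROLE_PERMISSIONS = {
    "data_entry_operator": {"create_item"},
    "supervisor": {"view_item", "approve_item"},
}


class AuthorizationError(Exception):
    """Raised when a user attempts an action their role does not permit."""


@dataclass
class User:
    name: str
    roles: Set[str]


@dataclass
class StockItem:
    name: str
    quantity: int
    price: float
    created_by: str
    status: str = "pending"          # "pending" until a supervisor approves it
    approved_by: Optional[str] = None


def has_permission(user: User, action: str) -> bool:
    """True if any of the user's roles grants the action."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def create_item(user: User, name: str, quantity: int, price: float) -> StockItem:
    """Create an inventory master; only the data-entry role may do this."""
    if not has_permission(user, "create_item"):
        raise AuthorizationError(f"{user.name} may not create stock items")
    return StockItem(name, quantity, price, created_by=user.name)


def approve_item(user: User, item: StockItem) -> StockItem:
    """Approve a pending item; enforces both the role and separation of duties."""
    if not has_permission(user, "approve_item"):
        raise AuthorizationError(f"{user.name} may not approve stock items")
    # Separation of duties: even a user holding both roles must not approve
    # an item they entered themselves. Without this check the "create and
    # approve" flaw from the text reappears for dual-role accounts.
    if item.created_by == user.name:
        raise AuthorizationError(f"{user.name} cannot approve their own entry")
    if item.status != "pending":
        raise ValueError(f"item {item.name!r} is already {item.status}")
    item.status = "approved"
    item.approved_by = user.name
    return item


def run_workflow_checks() -> dict:
    """Exercise the role matrix the way a tester would; returns each outcome."""
    operator = User("alice", {"data_entry_operator"})
    supervisor = User("bob", {"supervisor"})
    both = User("carol", {"data_entry_operator", "supervisor"})
    results = {}

    item = create_item(operator, "widget", 10, 2.5)
    results["operator_creates"] = item.status == "pending"

    try:                                   # the flaw the text describes
        approve_item(operator, item)
        results["operator_approves"] = True
    except AuthorizationError:
        results["operator_approves"] = False

    try:
        create_item(supervisor, "gadget", 1, 9.99)
        results["supervisor_creates"] = True
    except AuthorizationError:
        results["supervisor_creates"] = False

    results["supervisor_approves"] = approve_item(supervisor, item).status == "approved"

    own = create_item(both, "gizmo", 3, 1.0)
    try:                                   # dual-role self-approval
        approve_item(both, own)
        results["self_approval"] = True
    except AuthorizationError:
        results["self_approval"] = False
    return results


if __name__ == "__main__":
    for check, outcome in run_workflow_checks().items():
        print(f"{check}: {outcome}")
```

Each entry in the returned dict corresponds to one test case a tester would run against the real application: the `operator_approves` and `self_approval` cases are the ones that must come back `False` for the authorization logic to be sound.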
12.2.2.10 Testing for Cross-Site Request Forgery
A Web application vulnerability leading to a cross-site request forgery (CSRF) attack is a hard vulnerability to test for. CSRF is an attack in which the attacker can force the user to request that the Web application perform certain actions without the user's knowledge. For instance, a user is logged in to a banking application and simultaneously to his/her email, and receives a URI that the unsuspecting user clicks on. The URI happens to be an HTTP request to the banking application to transfer funds from the legitimate user's bank account to the attacker's bank account. This attack succeeds because the legitimate user is logged in to the application at the time the request originates; it does not apparently circumvent any access control, but launches a phantom request that compromises user accounts by forcibly performing actions on their behalf. The tester must look for HTTP GET requests that perform actions on the Web application. GET requests are the easiest to simulate, as they are part of the URL, and the URL can easily be embedded as a hyperlink in an email, a document, or another Web page, where purely by a click of a button the GET request is launched to the Web application and the attack is successful. The attacker can also use images with hyperlinks to launch CSRF attacks against the Web application.
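The two controls a tester should look for in the scenario above, as an added example that is not code from the book: state-changing actions are refused over GET (so a hyperlink or image reference cannot trigger them), and a POST must carry a per-session synchronizer token that a page on another site cannot read. Requests are plain dicts standing in for an HTTP request object, and the endpoint names `/transfer`, `/change-email` and `/balance` are made up for the example.

```python
"""Server-side CSRF gate: refuse actions over safe methods and require a
per-session synchronizer token on every state-changing POST.

Constructed example (not the book's code). The session dict stands in for
server-side session state; the request dict stands in for an HTTP request.
"""
import hmac
import secrets

# Methods that must never change state. A link or <img> tag can only issue
# one of these, so actions are refused to them outright.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Endpoints that perform actions (constructed list for the example).
STATE_CHANGING_ENDPOINTS = {"/transfer", "/change-email"}


class CsrfError(Exception):
    """Raised when a request fails the CSRF check."""


def new_session() -> dict:
    """A logged-in session carrying a fresh, unguessable token."""
    return {"user": "legitimate-user", "csrf_token": secrets.token_urlsafe(32)}


def render_form_token(session: dict) -> str:
    """Value the application embeds as a hidden field in its own forms."""
    return session["csrf_token"]


def check_csrf(session: dict, request: dict) -> str:
    """Return a description of the action if the request may proceed.

    request has keys: method, path and (for POST) form, a dict of fields.
    Raises CsrfError when the request must be refused.
    """
    path = request["path"]
    if path not in STATE_CHANGING_ENDPOINTS:
        return "read-only"
    # Rule 1: actions are honoured only over POST, so the GET embedded in an
    # email hyperlink or image reference cannot perform them.
    if request["method"] in SAFE_METHODS:
        raise CsrfError(f"{request['method']} {path}: state change over a safe method")
    # Rule 2: the submitted token must equal the session token. A page on
    # another origin cannot read it, so a forged form cannot supply it.
    # compare_digest keeps the comparison time independent of the content.
    submitted = request.get("form", {}).get("csrf_token", "")
    expected = session["csrf_token"]
    if not submitted or not hmac.compare_digest(submitted.encode(), expected.encode()):
        raise CsrfError(f"POST {path}: missing or invalid CSRF token")
    return f"performed {path}"


def _attempt(session: dict, request: dict) -> str:
    try:
        check_csrf(session, request)
        return "allowed"
    except CsrfError:
        return "rejected"


def run_scenarios() -> dict:
    """Replay the situations from the text against the gate."""
    session = new_session()
    outcomes = {}
    # A hyperlink or <img src=...> in an email: a GET aimed at the transfer action.
    outcomes["link_get"] = _attempt(session, {"method": "GET", "path": "/transfer"})
    # A form auto-submitted from another site: it cannot know the session token.
    outcomes["cross_site_post_no_token"] = _attempt(
        session, {"method": "POST", "path": "/transfer", "form": {"to": "x"}})
    # Same, with a token guessed at random.
    outcomes["cross_site_post_wrong_token"] = _attempt(
        session, {"method": "POST", "path": "/transfer",
                  "form": {"csrf_token": secrets.token_urlsafe(32)}})
    # The application's own form, which embedded the session token.
    outcomes["legitimate_post"] = check_csrf(
        session, {"method": "POST", "path": "/transfer",
                  "form": {"to": "payee", "csrf_token": render_form_token(session)}})
    # A plain page view is unaffected by the gate.
    outcomes["page_view"] = check_csrf(session, {"method": "GET", "path": "/balance"})
    return outcomes


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

When reviewing an application, the first rule is what the text's advice to "look for HTTP GET requests that perform actions" turns into as a check: every such request is a finding, regardless of whether a token scheme exists, because a link in an email can never carry the token.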
12.2.3 Testing Data Validation
12.2.3.1 Testing for Cross-Site Scripting Vulnerabilities
Cross-site scripting (XSS) is one of the most pernicious Web application vulnerabilities. XSS, as previously explored (in Chapters 5 and 10), may have devastating consequences for the Web application, from session hijacking to denial-of-service attacks against the application. Two significant types of XSS attack are present today: stored XSS and reflected XSS. It is imperative that the tester checks the Web application for both types of XSS vulnerability to perform a comprehensive assessment.
12.2.3.1.1 Stored XSS
Stored XSS is the most dangerous type of XSS attack. Stored XSS occurs when an attacker is able to inject a malicious script into an application input field, and the input is stored in the database and executed every time the page is accessed or otherwise invoked by the application.
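The storage-then-execution path just described, as an added example that is not code from the book: a minimal comment store, a flawed renderer that places stored text straight into the page, and the corrected renderer that HTML-encodes every stored field at output time. The comment text is a constructed, inert probe string of the kind a tester submits to see whether it comes back as markup; `COMMENT_STORE` stands in for the database table.

```python
"""Stored input must be encoded when rendered; it is not trustworthy
because it came from the database.

Constructed example (not the book's code). COMMENT_STORE stands in for
the database table; render_unsafe shows the flaw, render_safe the fix.
"""
import html

COMMENT_STORE = []   # stand-in for the persisted comments table


def save_comment(author: str, text: str) -> None:
    """Persist the submission as received. Storage is not where the fix
    belongs: the same record may later be rendered in several contexts."""
    COMMENT_STORE.append({"author": author, "text": text})


def render_unsafe(comments=None) -> str:
    """Flawed renderer: stored text lands in the page as live markup, so a
    script stored once runs for every visitor who views the page."""
    comments = COMMENT_STORE if comments is None else comments
    return "".join(f"<p><b>{c['author']}</b>: {c['text']}</p>" for c in comments)


def render_safe(comments=None) -> str:
    """Corrected renderer: every stored field is encoded for the HTML body
    context at output time, so the browser shows the text rather than
    interpreting it."""
    comments = COMMENT_STORE if comments is None else comments
    return "".join(
        f"<p><b>{html.escape(c['author'], quote=True)}</b>: "
        f"{html.escape(c['text'], quote=True)}</p>"
        for c in comments
    )


def contains_script_tag(page: str) -> bool:
    """Crude check a tester can automate over a rendered page: is a raw
    <script element present?"""
    return "<script" in page.lower()


def demo() -> dict:
    """Store one probe comment and one ordinary comment, render both ways."""
    COMMENT_STORE.clear()
    save_comment("mallory", "<script>alert(1)</script>")   # constructed probe, inert here
    save_comment("alice", "Great product & fast delivery")
    return {
        "unsafe_has_script": contains_script_tag(render_unsafe()),
        "safe_has_script": contains_script_tag(render_safe()),
        "safe_html": render_safe(),
    }


if __name__ == "__main__":
    result = demo()
    print("flawed renderer emits a script element:", result["unsafe_has_script"])
    print("fixed renderer emits a script element:", result["safe_has_script"])
    print(result["safe_html"])
```

`html.escape` is correct for text placed in the HTML body or inside a quoted attribute; stored data that ends up inside a JavaScript block, a URL or a CSS value needs the encoder for that context instead, which is why the test for stored XSS has to cover every page that displays the field, not only the one that accepted it.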