Introduction

Previous page
Table of content
Next page

Introduction

What you see on your browser isn't necessarily what you get. Whenever you view a Web page through a browser, you see only the browser's interpretation and rendering of the content delivered to it. What stays hidden from view is a vast amount of information. To uncover these hidden treasures is to move beyond browsing and enter into a genuine understanding of the nearly infinite variations of Web technologies.

From a typical Web page on the Internet, you can find information such as comments embedded in the HTML code, source code of client-side scripts, keywords for referencing pages, hidden parameters passed in forms, e-mail addresses, hyperlinks to other pages and sites, and much more. Why is the amount of information important to security? Because the more information a hacker knows about a Web site, the easier it is to attack.

In this chapter we talk about the types of information revealed in the HTML source code and techniques commonly used to extract that information. Looking through HTML source code to find clues is a painstaking task. The clues given out are few, but many times they end up being the last few missing pieces of the jigsaw puzzle needed for a successful Web attack. We have dubbed this technique source sifting. What follows is a discussion of how to look for the few grains of wheat within all the chaff.

Concepts covered in this chapter are:

         Information leakage through HTML

         Browsers and viewing HTML source

         Clues to look for

         Automated source sifting techniques

A lot of people tend to confuse source sifting with source code disclosure. Source code disclosure attacks are techniques whereby the Web server is tricked into sending the source code of a script or an application without its being parsed or executed. For example, if a source code disclosure attack is performed on an ASP file, the attacker gets to see ASP code in the raw that is, as it was coded in the original script. Source sifting is not that. In the case of scripts or applications in which the HTML output is generated dynamically, choosing View Source from the browser won't reveal the source code of the application or the script. Rather it will only let you see the HTML content generated by the script, not the actual code of the script.

 


Previous page
Table of content
Next page
Web Hacking(c) Attacks and Defense
Web Hacking: Attacks and Defense
ISBN: 0201761769
EAN: 2147483647
Year: 2005
Pages: 156
Authors: Stuart McClure, Saumil Shah, Shreeraj Shah
BUY ON AMAZON
Introducing Microsoft Office InfoPath 2003 (Bpg-Other)
Java for RPG Programmers, 2nd Edition
Developing Tablet PC Applications (Charles River Media Programming)
What is Lean Six Sigma
The Oracle Hackers Handbook: Hacking and Defending Oracle
FileMaker 8 Functions and Scripts Desk Reference
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy