Step 4: Inventorying Web Resources

Once Steps 1, 2, and 3 are completed, we are left with a pile of essential information. The last step in the process is to make a complete inventory of the Web resources found on the server. Of the many ways to categorize Web resources, we choose to divide them into the following categories.

Static content: Basically, all HTML/XML/TXT content that doesn't change with every HTTP request and doesn't depend on any parameter passed from the browser falls in this category. Such pages are plain resources and are the least vulnerable to any kind of attack because of their passive nature.

Server-side scripts: This category includes active server pages, CGI scripts, Perl scripts, and the like. Server-side scripts that accept input from the Web browser or from URL parameters require special attention to determine whether they're vulnerable to input validation attacks, among others.

Plug-in application engines: Application servers and Web application language interpreters such as ColdFusion, PHP, and WebLogic that plug into a front-end Web server fall in this category. In Chapter 6 we described how such application servers work and how they can be identified. The same techniques can be used to identify Web resources that fall in this category.

Applets and objects: Any Java applets or other objects embedded in HTML that execute on the browser fall in this category.

Client-side scripts: This category includes all code between <SCRIPT> and </SCRIPT> tags, which executes within the browser.

Cookies: HTTP cookies received from Web resources fall in this category. Here the Web resources that send cookies back to the Web browser are counted.

HTML forms: All Web resources containing HTML forms can be placed in this category. Each form can be examined in detail, and forms that are specifically used for processing logins, or that contain hidden fields, can be classified separately.

We can now go back to our gathered data and classify resources and other elements to form a summary table:

Type of Resource                    Number of Resources
Static pages                        3
Server-side scripts                 5
Application server pages            2
Applets and objects                 1
Client-side scripts                 6
Resources serving cookies           2
Number of cookies                   7
Resources containing HTML forms     4
Number of HTML forms                5
Number of hidden fields            10
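The classification above can be automated over the data gathered in Steps 1 through 3. The following is an added example, not code from the book: it takes crawl results (URL, response headers, body) and produces the same summary counts, using the file extension for the server-side versus plug-in engine distinction and simple tag matching for the in-page elements. The crawl data and the URL extension mappings are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample crawl (URL -> (headers, body)); not taken from the book.
# Header values are lists because Set-Cookie may appear several times per response.
SAMPLE_CRAWL = {
    "http://www.example.test/index.html": ({},
        "<html><script>var n=1;</script><applet code='Nav.class'></applet></html>"),
    "http://www.example.test/news.txt": ({}, "No markup here."),
    "http://www.example.test/cgi-bin/search.pl?q=shoes": (
        {"Set-Cookie": ["sid=4f2a; path=/"]},
        "<form action='search.pl'><input name='q'></form>"),
    "http://www.example.test/login.asp": (
        {"Set-Cookie": ["track=7", "lang=en"]},
        "<form action='login.asp' method='post'><input type='hidden' name='ret' value='/'>"
        "<input name='user'><input type='password' name='pw'></form><script src='v.js'></script>"),
    "http://www.example.test/catalog.cfm?cat=3": ({}, "<html><body>Catalog</body></html>"),
}

# Assumed extension mappings: ASP/CGI/Perl are server-side scripts; ColdFusion,
# PHP and JSP (WebLogic) are plug-in application engines; everything else is static.
SERVER_SCRIPT_EXT = {".asp", ".aspx", ".cgi", ".pl"}
APP_ENGINE_EXT = {".cfm", ".php", ".jsp"}

def tag_count(name, body):
    """Count opening tags of the given name, case-insensitively."""
    return len(re.findall(r"<%s\b" % name, body, re.I))

def classify_path(url):
    """Map a URL's path extension to the resource's own inventory category."""
    m = re.search(r"(\.[A-Za-z0-9]+)$", urlparse(url).path)
    ext = m.group(1).lower() if m else ""
    if ext in SERVER_SCRIPT_EXT: return "Server-side scripts"
    if ext in APP_ENGINE_EXT: return "Application server pages"
    return "Static pages"

def inventory(crawl):
    """Return the summary-table counts for a crawl shaped like SAMPLE_CRAWL."""
    c = Counter()
    for url, (headers, body) in crawl.items():
        c[classify_path(url)] += 1
        c["Client-side scripts"] += tag_count("script", body)
        c["Applets and objects"] += tag_count("applet", body) + tag_count("object", body)
        cookies = headers.get("Set-Cookie", [])
        c["Resources serving cookies"] += int(bool(cookies))
        c["Number of cookies"] += len(cookies)
        forms = re.findall(r"<form\b.*?</form>", body, re.I | re.S)
        c["Resources containing HTML forms"] += int(bool(forms))
        c["Number of HTML forms"] += len(forms)
        c["Number of hidden fields"] += len(re.findall(r"<input\b[^>]*type=['\"]?hidden", body, re.I))
        # Forms with a password field are flagged separately as login forms.
        c["Login forms"] += sum(bool(re.search(r"type=['\"]?password", f, re.I)) for f in forms)
    return dict(c)

if __name__ == "__main__":
    for k, v in inventory(SAMPLE_CRAWL).items():
        print(f"{k:32} {v}")
```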

Source: Web Hacking: Attacks and Defense. ISBN: 0201761769. Year: 2005. Pages: 156.
