一:discover clues in the html
developers are notorious for leaving statements like fixme's, todo's, code broken, hack, etc... inside the source code. review the source code for any comments denoting passwords, backdoors, or something doesn't work right. below is an example of a forms based authentication form. look for clues to help you log in.
一些程序员在编程时会因各种原因在源码中留下诸如fixme's, todo's, code broken, hack等注释,这些注释信息可能会在某些情况下暴漏在用户眼前。如web应用,查看页面source就有可能从中发现敏感信息,从而达到认证绕过,造成信息泄露!
攻击时可以查看在源文件中搜索注释信息中的passwords, backdoors或者something doesn't work right这些字样,还可以搜索hidden,fixme's, todo's,或者注释符号,也可以查看其中的urls
源代码中就含有登录名及密码。。。。。
阅读(912) | 评论(0) | 转发(0) |