You bet. If you can get to a URL using your browser, you can put that URL in a link. Note, however, that some browsers support URLs that others don’t. For example, Lynx is really good with mailto URLs (URLs that enable you to send electronic mail to a person’s email address). When you select … Read more
After the essential web browser, the most useful item in your toolkit when attacking a web application is an intercepting proxy. In the early days of web applications, the intercepting proxy was a standalone tool that provided the barest of possible functionality — notably the venerable Achilles proxy, which simply displayed each request and response … Read more
Like password change functionality, mechanisms for recovering from a forgotten password situation often introduce problems that may have been avoided in the main login function, such as username enumeration. In addition to this range of defects, design weaknesses in forgotten password functions frequently make this the weakest link at which to attack the application’s overall … Read more
If an application uses an unencrypted HTTP connection to transmit login credentials, an eavesdropper who is suitably positioned on the network will of course be able to intercept them. Depending on the user’s location, potential eavesdroppers may reside: ■ On the user’s local network ■ Within the user’s IT department ■ Within the user’s ISP … Read more
The enumeration techniques described so far have been implicitly driven by one particular picture of how web application content may be conceptualized and catalogued. This picture is inherited from the pre application days of the World Wide Web, in which web servers functioned as repositories of static information, retrieved using URLs that were effectively filenames. … Read more
This is a more sophisticated and controlled technique, which is usually preferable to automated spidering. Here, the user walks through the application in the normal way using a standard browser, attempting to navigate through all of the application’s functionality. As he does so, the resulting traffic is passed through a tool combining an intercepting proxy … Read more
In a typical application, the majority of the content and functionality can be identified via manual browsing. The basic approach is to walk through the application starting from the main initial page, following every link and navigating through all multistage functions (such as user registration or password resetting). If the application contains a “site map,” … Read more
In order for the server-side application to receive user input and actions, and present the results of these back to the user, it needs to provide a client-side user interface. Because all web applications are accessed via a web browser, these interfaces all share a common core of technologies. However, these have been built upon … Read more
general ; ; Global settings for call queues Persistent Members ; Store each dynamic member in each queue in the astdb so that when asterisk is restarted, each member will be automatically read into their recorded queues. Default is ‘yes’. ; persistentmembers = yes Keep Stats ; Keep queue statistics during a reload. Default is … Read more