
The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws by Marcus Pinto, Dafydd Stuttard


Chapter 4. Mapping the Application

The first step in the process of attacking an application is to gather and examine some key information about it, in order to gain a better understanding of what you are up against.

The mapping exercise begins by enumerating the application's content and functionality, in order to understand what the application actually does and how it behaves. Much of this functionality will be easy to identify, but some of it may be hidden away, requiring a degree of guesswork and luck to discover.

Having assembled a catalogue of the application's functionality, the principal task is to closely examine every aspect of its behavior, its core security mechanisms, and the technologies being employed (on both client and server). This will enable you to identify the key attack surface that the application exposes, and hence the most interesting areas to target with subsequent probing for exploitable vulnerabilities.

In this chapter, we will describe the practical steps you need to follow during application mapping, various techniques and tricks you can use to maximize its effectiveness, and some tools that can assist you in the process.

Enumerating Content and Functionality

In a typical application, the majority of the content and functionality can be identified via manual browsing. The basic approach is to walk through the application starting from the main initial page, following every link and navigating through all multistage functions (such as user ...
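The walk-through described above (start at the initial page, follow every link, note every form) is easy to automate for the parts that are reachable by links. The following Python script is an added example, not code from the book or its authors: it crawls a constructed in-memory "site" (a dict of path to HTML, with the hypothetical base name `app.test`) rather than a live server, stays on the same host, and builds the catalogue of pages, query parameters and forms that the chapter calls the starting point for the rest of the mapping work. Everything hidden behind guessable names rather than links is, by design, not found this way.

```python
"""Offline demonstration of the content-enumeration step.

Added example (not from the book): breadth-first walk over a constructed
in-memory site, recording every same-site page, the query parameters seen
on the way to it, and the forms it serves.
"""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qs

# Constructed sample application: a handful of pages with links and forms.
SAMPLE_SITE = {
    "/": '<a href="/login">Login</a> <a href="/search?q=test">Search</a>'
         '<a href="https://example.org/external">Out</a>'
         '<a href="/admin/">Admin</a>',
    "/login": '<form action="/login" method="post">'
              '<input name="user"><input name="pass" type="password"></form>',
    "/search": '<a href="/">Home</a><a href="/search?q=a&page=2">next</a>',
    "/admin/": '<a href="/admin/users">Users</a>',
    "/admin/users": '<form action="/admin/users" method="post">'
                    '<input name="id"><input name="role"></form>',
}


class LinkAndFormParser(HTMLParser):
    """Collect anchor hrefs and form definitions (action, method, input names)."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "get").lower(),
                          "inputs": []}
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["inputs"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def fetch(site, path):
    """Hypothetical fetch: returns the HTML body, or None for a missing page."""
    return site.get(path)


def map_application(site, start="/", base="http://app.test"):
    """Breadth-first walk from `start`, never leaving the host of `base`.

    Returns {path: {"params": set(...), "forms": [...]}} for every page reached.
    """
    catalogue = {}
    queue = deque([base + start])
    seen = set()
    while queue:
        url = queue.popleft()
        parsed = urlparse(url)
        entry = catalogue.setdefault(parsed.path, {"params": set(), "forms": []})
        # Record parameters even on revisits: the same path may be linked
        # with different query strings (e.g. /search?q=.. and /search?page=..).
        entry["params"].update(parse_qs(parsed.query).keys())
        if parsed.path in seen:
            continue
        seen.add(parsed.path)
        body = fetch(site, parsed.path)
        if body is None:
            continue
        p = LinkAndFormParser()
        p.feed(body)
        entry["forms"].extend(p.forms)
        # Follow links and form actions, but only those on the same host.
        for href in p.links + [f["action"] for f in p.forms]:
            target = urljoin(url, href)
            if urlparse(target).netloc == urlparse(base).netloc:
                queue.append(target)
    return catalogue


if __name__ == "__main__":
    for path, info in sorted(map_application(SAMPLE_SITE).items()):
        print(path, "params:", sorted(info["params"]),
              "forms:", [(f["method"], f["inputs"]) for f in info["forms"]])
```

On the sample site this yields five pages; the external link is skipped, `/search` is recorded once with both `q` and `page` as parameters, and the two POST forms appear with their input names, which is exactly the kind of catalogue the rest of the chapter builds on.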
