Tuesday, December 22, 2009

Step 4: Inventorying Web Resources

Once Steps 1, 2, and 3 are completed we are left with a pile of essential information. The last step in the process is to make a complete inventory of the Web resources found on the server. Of the many ways to categorize Web resources, we choose to divide Web resources into the following categories.



• Static content: Basically, all HTML/XML/TXT content that doesn't change with every HTTP request and doesn't depend on any parameter being passed from the browser falls in this category. Such pages are plain resources and are the least vulnerable to any kind of attack because of their passive nature.

• Server-side scripts: This category of pages includes active server pages, CGI scripts, Perl scripts, and the like. Server-side scripts that accept input from the Web browser or from the URL parameters require special attention to determine whether they're vulnerable to input validation attacks, among others.

• Plug-in application engines: Application servers and Web application language interpreters such as ColdFusion, PHP, and WebLogic that plug into a front-end Web server fall in this category. In Chapter 6 we described how such application servers work and can be identified. The same techniques can be utilized to identify Web resources that fall in this category.

• Applets and objects: Any Java applets or other objects embedded in HTML that execute on the browser fall in this category.

• Client-side scripts: This category includes all code that lies between the <SCRIPT> ... </SCRIPT> tags and executes within the browser.

• Cookies: HTTP cookies received from Web resources fall in this category. Here the Web resources that send cookies back to the Web browser are counted.

• HTML forms: All Web resources containing HTML forms can be placed in this category. The forms can be examined in detail, and HTML forms that are specifically used for processing logins or that contain hidden fields can even be classified separately.



We can now go back to our gathered data and classify resources and other elements to form a summary table:



Types of Resources                 Number of Resources
Static pages                       3
Server-side scripts                5
Application server pages           2
Applet and object                  1
Client-side scripts                6
Resources-serving cookies          2
Number of cookies                  7
Resources containing HTML forms    4
Number of HTML forms               5
Number of hidden fields            10
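As an added example (not code from the book or from this post), the following Python script applies the categories above to a crawl of captured responses and sums them into the counts of the summary table. The extension-to-category mapping and the sample crawl data are assumptions constructed for the example, not taken from any real server.

```python
import re
from collections import Counter
from posixpath import splitext
from urllib.parse import urlsplit

SCRIPT_EXT = {".cgi", ".pl", ".asp", ".aspx"}  # assumed mapping; tune per target
APP_SERVER_EXT = {".php", ".cfm", ".jsp", ".do"}
STATIC_EXT = {".html", ".htm", ".xml", ".txt", ""}

def classify(url, headers, body):
    """Inventory counters contributed by one crawled resource."""
    query = urlsplit(url).query
    ext = splitext(urlsplit(url).path)[1].lower()
    hits = Counter()
    if ext in SCRIPT_EXT:
        hits["Server-side scripts"] += 1
    elif ext in APP_SERVER_EXT:
        hits["Application server pages"] += 1
    elif ext in STATIC_EXT and not query:  # no parameters: passive content
        hits["Static pages"] += 1
    if re.search(r"<(applet|object|embed)\b", body, re.I):
        hits["Applet and object"] += 1
    hits["Client-side scripts"] += len(re.findall(r"<script\b", body, re.I))
    cookies = [v for k, v in headers if k.lower() == "set-cookie"]
    if cookies:
        hits["Resources-serving cookies"] += 1
        hits["Number of cookies"] += len(cookies)
    forms = re.findall(r"<form\b", body, re.I)
    if forms:
        hits["Resources containing HTML forms"] += 1
        hits["Number of HTML forms"] += len(forms)
    hits["Number of hidden fields"] += len(re.findall(r"<input\b[^>]*type\s*=\s*['\"]?hidden", body, re.I))
    return hits

def inventory(crawl):
    """Sum per-resource counters into the Step 4 summary table."""
    total = Counter()
    for url, headers, body in crawl:
        total.update(classify(url, headers, body))
    return total

# Constructed sample crawl (not a real site): (url, [(header, value)], body).
CRAWL = [
    ("http://example.test/index.html", [], "<h1>Hi</h1><script>var a=1;</script>"),
    ("http://example.test/cgi-bin/search.cgi?q=x", [],
     "<form action='/cgi-bin/search.cgi'><input name='q'><input type=hidden name='sid' value='1'></form>"),
    ("http://example.test/login.php", [("Set-Cookie", "PHPSESSID=abc; path=/")],
     "<form method='post'><input name='user'><input type='password' name='pass'></form>"),
    ("http://example.test/app/catalog.cfm", [("Set-Cookie", "CFID=1"), ("Set-Cookie", "CFTOKEN=2")],
     "<applet code='Viewer.class'></applet><script src='/ui.js'></script>"),
]
```

Calling inventory(CRAWL) returns a Counter keyed by the row names of the summary table; a resource whose URL carries parameters is deliberately not counted as static, since it depends on browser input.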
