Re: Web App Script Capture



A very common (-kill me please-) "error" is
download.php?file=
or
upload.php?file=

What about
download.php?file=download.php
or
download.php?file=download.php%00.pdf
...

;p
/JA

What I want to demonstrate is that once I have path traversal, I can steal just
about anything -- except for script source code. I haven't figured out a
work-around for that problem (stealing source code). Thus, my question.

Jon
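Since the thread is about a download.php?file= handler that takes the parameter as a raw path, here is an added defender-side example (my own code, not from either poster) of how such a handler can validate the name before serving it; DOWNLOAD_ROOT, FORBIDDEN_EXTENSIONS and resolve_download are assumed names, and the directory layout is constructed for the demo.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed download root for the demo; a real handler would use the
# application's actual directory. realpath() so symlinked roots still compare.
DOWNLOAD_ROOT = os.path.realpath("/var/www/app/downloads")
# Never serve the application's own scripts, whatever the request says.
FORBIDDEN_EXTENSIONS = {".php", ".phtml", ".inc"}


def resolve_download(param: str) -> Optional[str]:
    """Return the absolute path to serve, or None if the request is rejected.

    Mirrors the download.php?file= pattern from the thread, but treats the
    parameter as an untrusted bare file name inside DOWNLOAD_ROOT rather
    than as a path the caller controls.
    """
    # Decode once, as the web server would, then reject embedded NUL bytes:
    # download.php%00.pdf relies on a C-level string terminator cutting the
    # name at the NUL after an extension check has passed.
    name = unquote(param)
    if "\x00" in name:
        return None
    # Refuse anything that is not a plain file name: no separators, no '..'.
    if "/" in name or "\\" in name or name in ("", ".", ".."):
        return None
    if os.path.basename(name) != name:
        return None
    if os.path.splitext(name)[1].lower() in FORBIDDEN_EXTENSIONS:
        return None
    candidate = os.path.realpath(os.path.join(DOWNLOAD_ROOT, name))
    # Belt and braces: the resolved path must still sit inside the root.
    if os.path.commonpath([DOWNLOAD_ROOT, candidate]) != DOWNLOAD_ROOT:
        return None
    return candidate
```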


