onlinepass
Apr 15 2004, 10:41 AM
| QUOTE |
<%
String sessionString = "";
session.setMaxInactiveInterval(500);
if (!session.isNew()) {
    if (session.getAttribute("someattribute")==null) {
        response.sendRedirect("../default.html");
    } else {
        sessionString = session.getAttribute("someattribute").toString();
        if (!sessionString.equals("ax98asdf8234")) {
            response.sendRedirect("../default.html");
        }
    }
}
if (session.isNew()) {
    response.sendRedirect("../default.html");
}
%>
<%
String appth = request.getContextPath();
String userString = request.getParameter("Usrtring");
if (userString.equals("validated")) {
%>
|
I have tried to bypass this JSP validation using some tricks by using a proxy in between and changing the attributes and other stuff, but still I don't seem to be hitting it right.
Can any one of you identify how we can bypass this???
tweakz20
Apr 15 2004, 10:45 AM
Is it just me or is this a how to hack?
onlinepass
Apr 15 2004, 11:23 AM
What does it seem to you... if I were hacking in to it.... and the server would give me the JSP source...
tweakz20, first try to understand that JSP source is not spat out similarly to HTML code.
You need to have the source code.
And also I think this is much better than asking for "SQL Injection Strings"
phase
Apr 15 2004, 06:09 PM
I am not really seeing what you are trying to do. Give me some more info.
This code seems to just look at the session. There is bound to be more code involved.
phase
tweakz20
Apr 15 2004, 10:55 PM
| QUOTE (onlinepass @ Apr 15 2004, 11:23 AM) |
tweakz20, first try to understand that JSP source is not spat out similarly to HTML code. You need to have the source code. |
Ahhh, sorry, I didn't really look at it.. just saw javascript and a "how to bypass" question
btw: I agree with phase