Articles — scripting

Tasos Laskos

Extracting input traits to help with manual pentests

So, suppose we're preparing a manual penetration test of a web application; wouldn't it be nice to be able to know beforehand the behavior of each individual input? For example, changing an input's value may change the response we get in a certain way, or even not, which is equally valuable information. Let's say that inputs that change the behavior of the web page are called active and those that don't are called blind. Furthermore, it would be of even more interest if the value we input gets included in the HTTP response (or even written on the DOM client-side)...

Read more