Testing for client-side resource manipulation
If an application performs actions based on client-side URL information or on a path to a resource (for example, an AJAX call, an external JavaScript source, or an iframe source), the result can be a client-side resource manipulation vulnerability. This vulnerability relates to attacker-controlled URLs in, for example, the JavaScript location attribute, the Location header found in an HTTP response, or a POST body parameter that controls redirection. This vulnerability can lead to an XSS attack.
Getting ready
We will use the OWASP Mutillidae II application to determine whether it is possible to manipulate any URL parameters that are exposed on the client side and whether the manipulation of those values causes the application to behave differently.
How to do it...
- Navigate to OWASP 2013 | A10 - Unvalidated Redirects and Forwards | Credits:
Figure 9.35 – Credits page
- Click the...