Many websites now adopt general-purpose anti-injection programs. Is such a website out of reach? The answer is no, because we can use the cookie injection method, and many general anti-injection programs are not prepared for this injection method.
Before talking about it, let's review the Request object in ASP scripts. In the previous sections we mentioned the common GET and POST methods for obtaining client-submitted data. The Request object can also obtain data without naming a collection, that is, by using Request("name") directly, but this is inefficient and error-prone. When the collection name is omitted, ASP searches the collections in the order QueryString, Form, Cookies, ServerVariables. Because Cookies is one of the Request object's collections, all cookie values sent by the user's system are read as well. From the second lecture, "Cookie spoofing intrusion and principles", we know that a cookie is a text file stored on the client computer and can be modified. The value of the variable can therefore be submitted through Request.Cookies, so that a system vulnerability can be used for an injection attack.
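The following ASP page is an added example, not code from the original article: it shows the ambiguous Request("id") read described above (left as a comment) beside a hardened version that names the collection, validates the type, and binds the value as a parameter. The table "news", the column "title" and the Application("ConnStr") connection string are assumptions.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' ADO constants (values from adovbs.inc)
Const adInteger = 3
Const adParamInput = 1
Const adCmdText = 1

Dim rawId, id, re, conn, cmd, rs

' Weak form described in the text: with no collection named, ASP falls
' through QueryString -> Form -> Cookies, so a filter that inspects only
' QueryString and Form never sees a value that arrives as a cookie.
'   rawId = Request("id")
'   sql = "SELECT title FROM news WHERE id=" & rawId

' Hardened form, step 1: name the collection explicitly, so a cookie
' can never stand in for the URL parameter.
rawId = Request.QueryString("id")

' Step 2: validate by type instead of by keyword blacklist.
' Only 1-9 decimal digits pass; a missing or repeated parameter fails.
Set re = New RegExp
re.Pattern = "^[0-9]{1,9}$"
If Not re.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.End
End If
id = CLng(rawId)

' Step 3: bind the value as a parameter; it is never concatenated
' into the SQL text.
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnStr")   ' assumed to be set in global.asa

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT title FROM news WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , id)

Set rs = cmd.Execute
If Not rs.EOF Then
    Response.Write Server.HTMLEncode(rs("title").Value & "")
End If
rs.Close
conn.Close
%>
```

If a shared anti-injection include is kept as well, it has to inspect Request.Cookies along with Request.QueryString and Request.Form, since any page that still calls Request("name") will read from all of them.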