Notes on what I learned while working through the Burp labs.

# Excessive trust in client-side controls

# Failing to handle unconventional input

1. Are there any limits that are imposed on the data?
2. What happens when you reach those limits?
3. Is any transformation or normalization being performed on your input?
4. Pay attention to boundary values and special values.
5. Sometimes neither the front end nor the back end checks the length of user input, and the back end simply truncates it. Work out the back end's truncation rule and craft a string of a suitable length so that, after truncation, it becomes the target string.
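The truncation point above in code, as an added example that is not part of the original notes: a registration check that validates the full value and then silently truncates it for storage, next to one that treats the length limit as an explicit validation rule. `MAX_EMAIL_LEN`, `TRUSTED_DOMAIN` and the `register_*` names are assumptions for the illustration.

```python
# Added example (not from the original notes): "validate, then truncate" versus
# "enforce the limit, never truncate". MAX_EMAIL_LEN, TRUSTED_DOMAIN and the
# register_* names are assumptions, not values from any lab.
MAX_EMAIL_LEN = 255              # assumed storage column width
TRUSTED_DOMAIN = "example.test"  # constructed domain that grants the privileged role


def is_trusted_domain(email: str) -> bool:
    """True when the part after the last '@' is exactly the trusted domain."""
    return "@" in email and email.rsplit("@", 1)[1] == TRUSTED_DOMAIN


def register_truncating(email: str) -> dict:
    """Vulnerable pattern: the full value is validated, then a silently
    truncated copy is stored. The stored value may no longer satisfy the
    check that was just performed."""
    if not is_trusted_domain(email):
        return {"ok": False, "reason": "untrusted domain"}
    stored = email[:MAX_EMAIL_LEN]  # silent truncation at storage time
    return {
        "ok": True,
        "stored": stored,
        "still_trusted": is_trusted_domain(stored),  # re-check what was actually kept
    }


def register_strict(email: str) -> dict:
    """Hardened: the length limit is an explicit validation rule, applied to the
    same value that is stored, so validation and storage can never disagree."""
    if len(email) > MAX_EMAIL_LEN:
        return {"ok": False, "reason": "too long"}
    if not is_trusted_domain(email):
        return {"ok": False, "reason": "untrusted domain"}
    return {"ok": True, "stored": email, "still_trusted": True}


if __name__ == "__main__":
    # Constructed input: 257 characters, valid domain in full, a different
    # domain once cut to 255.
    over_long = "x" * 244 + "@" + TRUSTED_DOMAIN
    print(register_truncating(over_long))  # ok is True but still_trusted is False
    print(register_strict(over_long))      # rejected as too long
```

The defensive rule this illustrates is that whatever is validated must be exactly what is stored; a cheap detection is to re-run the validation on the persisted value (as `still_trusted` does) and alert when it disagrees with the accept decision.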

# Making flawed assumptions about user behavior

When probing for logic flaws, you should try removing each parameter in turn and observing what effect this has on the response. You should make sure to:

a. Only remove one parameter at a time to ensure all relevant code paths are reached.
b. Try deleting the name of the parameter as well as the value. The server will typically handle both cases differently.
c. Follow multi-stage processes through to completion. Sometimes tampering with a parameter in one step will have an effect on another step further along in the workflow.
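Point b above in code, as an added example that is not from the original notes: one handler verifies the current password only when that parameter is present, so "absent" and "empty" produce different outcomes, while the hardened handler enumerates its required parameters up front and rejects both. The account fields, handler names and sample account are assumptions constructed for the illustration.

```python
# Added example (not from the original notes): the same request handled with
# the parameter absent, present but empty, present but wrong, and correct.
# Account fields, handler names and the sample account are constructed.

def change_email_lenient(account: dict, params: dict) -> str:
    """Fragile pattern: the password is only verified when the parameter is
    present, so an absent parameter skips the check entirely while an empty
    one fails it. Absent and empty are handled differently."""
    if "current_password" in params:
        # plaintext compare only to keep the illustration short
        if params["current_password"] != account["password"]:
            return "wrong password"
    account["email"] = params["new_email"]
    return "ok"


def change_email_strict(account: dict, params: dict) -> str:
    """Hardened: required parameters are listed explicitly; absent and empty
    both fail, and the verification step cannot be skipped."""
    for field in ("current_password", "new_email"):
        if field not in params:
            return f"missing parameter: {field}"
        if params[field] == "":
            return f"empty parameter: {field}"
    if params["current_password"] != account["password"]:
        return "wrong password"
    account["email"] = params["new_email"]
    return "ok"


def run_cases(handler) -> list:
    """Exercise one handler against each variant on a fresh constructed account
    and report (label, status, resulting email)."""
    variants = [
        ("absent", {"new_email": "new@example.test"}),
        ("empty", {"current_password": "", "new_email": "new@example.test"}),
        ("wrong", {"current_password": "nope", "new_email": "new@example.test"}),
        ("correct", {"current_password": "s3cret", "new_email": "new@example.test"}),
    ]
    results = []
    for label, params in variants:
        account = {"email": "old@example.test", "password": "s3cret"}  # constructed
        results.append((label, handler(account, params), account["email"]))
    return results


if __name__ == "__main__":
    for row in run_cases(change_email_lenient):
        print("lenient", row)
    for row in run_cases(change_email_strict):
        print("strict ", row)
```

Running both tables side by side is the defender's version of the test the notes describe: any row where the lenient handler's status differs between "absent" and "empty" marks a code path that depends on parameter presence rather than on a verified value.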

# Domain-specific flaws

1. A coupon-code refresh flaw can be used to apply the same coupon code more than once.
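The coupon point above in code, as an added example that is not from the original notes: a cart whose "already applied" check only remembers the most recently applied code, next to one that records every code applied to the order and caps the number of coupons. The coupon codes, discount values, the per-order limit and the class names are all constructed assumptions.

```python
# Added example (not from the original notes): last-code-only check versus a
# per-order record of applied codes. Codes, values, limit and names are constructed.
COUPONS = {"WELCOME5": 5, "SAVE10": 10}  # constructed: code -> discount
MAX_COUPONS_PER_ORDER = 2                # assumed business rule


class CartLastCodeOnly:
    """Vulnerable pattern: the duplicate check compares against the single
    most recent code, so state about earlier codes is lost."""

    def __init__(self, subtotal: int):
        self.subtotal = subtotal
        self.discount = 0
        self.last_code = None

    def apply(self, code: str) -> str:
        if code not in COUPONS:
            return "invalid"
        if code == self.last_code:
            return "already applied"
        self.discount += COUPONS[code]
        self.last_code = code
        return "applied"

    def total(self) -> int:
        return max(self.subtotal - self.discount, 0)


class CartTracked:
    """Hardened: every applied code is recorded for the order, each code is
    usable once, and the number of coupons per order is capped. The discount
    is derived from the record rather than accumulated, so it cannot drift."""

    def __init__(self, subtotal: int):
        self.subtotal = subtotal
        self.applied = []

    def apply(self, code: str) -> str:
        if code not in COUPONS:
            return "invalid"
        if code in self.applied:
            return "already applied"
        if len(self.applied) >= MAX_COUPONS_PER_ORDER:
            return "coupon limit reached"
        self.applied.append(code)
        return "applied"

    @property
    def discount(self) -> int:
        return sum(COUPONS[c] for c in self.applied)

    def total(self) -> int:
        return max(self.subtotal - self.discount, 0)


if __name__ == "__main__":
    for cls in (CartLastCodeOnly, CartTracked):
        cart = cls(100)
        outcomes = [cart.apply(c) for c in ("WELCOME5", "SAVE10", "WELCOME5")]
        print(cls.__name__, outcomes, "discount", cart.discount, "total", cart.total())
```

Deriving the discount from the recorded set (rather than adding to a running counter on every request) is the part that matters on the server side: a refreshed or replayed request then cannot change the total unless it adds a code that is not already on the order, and an order whose discount exceeds what its recorded codes justify is a simple thing to alert on.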