2025-01-15 Update From: SLTechnology News&Howtos, Network Security
Shulou (Shulou.com) 06/01 Report
1. Detection metrics
1.2 Password security
Description: determine whether the password is easy to steal.
Operation: check through the browser whether the password is encrypted before it is sent, and test that encryption by sending the login as an independent request. In addition, the Xiaofeng backend login had no mobile verification code check; our current system has added this verification to make login more secure.
1.3 SQL injection detection
Description: check whether the web site has a SQL injection vulnerability. If it exists, an attacker can exploit the injection point to easily obtain backend management permissions on the site, or even administrative permissions on the web server.
Operation: download Acunetix Web Vulnerability Scanner and run a scan to test for it.
1.4 Upload vulnerability
Description: check whether the upload feature of the web site has an upload vulnerability. If it exists, an attacker can use it directly to upload a malicious file and obtain a WebShell.
Operation: check whether the front end has anywhere to upload files, and check whether .asp, .exe or other script files can be uploaded.
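The upload check above is easiest to make concrete from the defending side. The following is an added example, not code from the original article: a Python validator that assumes an image upload form (the allow list and magic bytes are assumptions), rejects script extensions, double extensions and null bytes in the name, and then checks the file content against the claimed type.

```python
import os
import re
from typing import Optional

# Assumption: an image upload form, so only image extensions are on the allow list.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes of each allowed type, so a script renamed to .jpg is rejected on content.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def safe_filename(name: str) -> Optional[str]:
    """Return a normalised file name, or None if the upload must be rejected.

    Strips directory components, then refuses null bytes, double extensions
    such as 'photo.asp.jpg', unusual characters in the stem, and any last
    extension that is not on the allow list.
    """
    base = os.path.basename(name.replace("\\", "/"))
    if "\x00" in base:
        return None
    parts = base.lower().split(".")
    if len(parts) != 2:  # exactly one dot: 'a.asp.jpg' and 'noext' are both refused
        return None
    stem, ext = parts
    if ext not in ALLOWED_EXTENSIONS or not re.fullmatch(r"[a-z0-9_-]{1,64}", stem):
        return None
    return f"{stem}.{ext}"


def check_upload(name: str, data: bytes) -> bool:
    """True only when the name passes and the content starts with the claimed type's magic."""
    fname = safe_filename(name)
    if fname is None:
        return False
    ext = fname.rsplit(".", 1)[1]
    return data.startswith(MAGIC[ext])
```

The server should also store the file under the returned name in a directory that the web server never executes scripts from.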
1.5 Form bypass
Description: if logical validation or calculation is carried out only on the form page, a user can bypass the page and submit data directly to the backend.
Operation: developers need to check that every logical validation performed on the page has a corresponding check on the backend, and keep this as a development habit.
1.6 Unauthorized access to URLs
Description: take a URL from the site and open it directly in the browser.
Operation: copy several URLs with parameters directly into the browser to verify them; development must consider whether access interception has gaps, especially on our own development and test pages.
1.7 Sensitive information disclosure
Description: the system's personal data should be protected; some systems look up the corresponding user information by id.
Operation: check whether the system has requests that take an id as a parameter, and randomly modify the id value in the URL request.
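The id-modification check above leaves a footprint in the web server's access log. As an added example (not part of the original article), this Python script parses constructed common-log-format lines and flags any client that requested many distinct id values on one path, which is what a defender would look for to confirm that an id-keyed endpoint lacks an ownership check. The endpoint path and client addresses are constructed sample values.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample access-log lines in common log format; not taken from any real system.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jan/2025:10:00:01 +0800] "GET /user/info?id=1001 HTTP/1.1" 200 512
10.0.0.5 - - [15/Jan/2025:10:00:02 +0800] "GET /user/info?id=1002 HTTP/1.1" 200 498
10.0.0.5 - - [15/Jan/2025:10:00:02 +0800] "GET /user/info?id=1003 HTTP/1.1" 200 503
10.0.0.5 - - [15/Jan/2025:10:00:03 +0800] "GET /user/info?id=1004 HTTP/1.1" 200 511
10.0.0.5 - - [15/Jan/2025:10:00:03 +0800] "GET /user/info?id=1005 HTTP/1.1" 200 509
10.0.0.9 - - [15/Jan/2025:10:00:04 +0800] "GET /user/info?id=2042 HTTP/1.1" 200 520
10.0.0.9 - - [15/Jan/2025:10:00:09 +0800] "GET /user/info?id=2042 HTTP/1.1" 200 520
"""

# client ip, then the request target of a GET or POST line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')


def distinct_ids_per_client(log_text: str, param: str = "id") -> Dict[Tuple[str, str], Set[int]]:
    """Map (client_ip, path) to the set of distinct numeric values sent for `param`."""
    seen: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target = m.group(1), m.group(2)
        path, _, query = target.partition("?")
        for pair in query.split("&"):
            key, _, value = pair.partition("=")
            if key == param and value.isdigit():
                seen[(ip, path)].add(int(value))
    return seen


def flag_enumeration(log_text: str, threshold: int = 3) -> List[Tuple[str, str, int]]:
    """Clients that sent at least `threshold` distinct ids to one path.

    A burst of different ids from one client on an id-keyed endpoint is exactly
    the footprint of the "randomly modify the id" check; if the endpoint does not
    enforce ownership, each of those requests returned someone else's data.
    """
    hits = []
    for (ip, path), ids in distinct_ids_per_client(log_text).items():
        if len(ids) >= threshold:
            hits.append((ip, path, len(ids)))
    return sorted(hits)
```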
1.8 XSS cross-site scripting
Description: detect whether the web site has an XSS cross-site scripting vulnerability. If it exists, the site may suffer Cookie spoofing, web page malware planting and other attacks.
Operation: check whether any input box accepts HTML tags, especially scripts.
1.9 Cross-site request forgery
Description: a cross-site request forgery attack forces the logged-in victim's browser to send a pre-authenticated request to the target site, making the victim's browser perform actions that benefit the attacker.
Operation: before each page request, a random encrypted string is generated automatically, and the backend decrypts it for verification. Check that all requests follow this rule.
1.10 Cookie spoofing
The ways of Cookie spoofing are as follows:
Skip the browser and rewrite the communication data directly.
Modify the browser so that it can read and write the Cookie of any domain locally.
Use signed scripts to allow the browser to read and write the Cookie of any domain locally.
Deceive the browser into using a fake domain name.
Operation: add a timestamp and IP to the Cookie and encrypt it. You can check the browser's Cookie to see whether it is an encrypted string.
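Both 1.9 (a random per-page string the backend verifies) and 1.10 (a Cookie carrying timestamp and IP that the client cannot rewrite) need the same server-side primitive. The following is an added example, not code from the original article or any product it mentions: it uses an HMAC-SHA256 tag rather than encryption, which is the standard way to make such values unforgeable while still readable to the server, and the secret, session ids and addresses are constructed values.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumption: a server-side secret never sent to the client; constructed value for this example.
SERVER_SECRET = b"example-only-secret-rotate-in-production"
SIG_LEN = 32  # length in bytes of an HMAC-SHA256 tag

def _pack(payload: bytes) -> str:
    # Append a tag over the payload and base64-encode; the client can hold it but not forge it.
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()

def _unpack(token: str) -> Optional[bytes]:
    # Return the payload only if the tag verifies; garbage and tampered input give None.
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except Exception:
        return None
    payload, tag = raw[:-SIG_LEN], raw[-SIG_LEN:]
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if len(tag) != SIG_LEN or not hmac.compare_digest(tag, expected):
        return None
    return payload

# 1.9: a fresh random token per page, bound to the session and checked on every request.
def make_csrf_token(session_id: str) -> str:
    return _pack(f"{session_id}|{os.urandom(16).hex()}".encode())

def verify_csrf_token(token: str, session_id: str) -> bool:
    payload = _unpack(token)
    return payload is not None and payload.split(b"|", 1)[0] == session_id.encode()

# 1.10: the cookie carries user, issue time and client IP under the tag, not in the clear.
def make_cookie(user: str, client_ip: str, now: Optional[int] = None) -> str:
    ts = int(time.time()) if now is None else now
    return _pack(f"{user}|{ts}|{client_ip}".encode())

def verify_cookie(cookie: str, client_ip: str, now: Optional[int] = None,
                  max_age: int = 3600) -> Optional[str]:
    payload = _unpack(cookie)
    parts = payload.decode(errors="replace").split("|") if payload else []
    current = int(time.time()) if now is None else now
    if len(parts) != 3 or not parts[1].isdigit():
        return None  # tag failed, or payload is not user|timestamp|ip
    user, ts, ip = parts[0], int(parts[1]), parts[2]
    if ip != client_ip or not 0 <= current - ts <= max_age:
        return None  # bound to another address, expired, or issued in the future
    return user
```

The 1.10 check in the text then reduces to: the Cookie seen in the browser is an opaque base64 string, and editing any character of it makes `verify_cookie` return None.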
1.11 Hidden directory leaks
Description: when an error occurs or a link is opened directly, the site displays an error message or a directory listing; this should be replaced by an error page such as a 404 page.
Operation: check whether the production environment has been tested, and check whether Apache displays directory listings. In addition, error messages are replaced by error pages such as 404.
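For the Apache case above, the two settings to verify are directory indexing and the error documents. The following is an added configuration fragment, not taken from the original article; the document root `/var/www/html` and the `/errors/` pages are assumptions.

```apache
# Turn off automatic directory listings for the document root
<Directory "/var/www/html">
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# Replace server-generated error text with static pages (paths are assumptions)
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html

# Stop error pages and headers from announcing the server version
ServerSignature Off
ServerTokens Prod
```

After reloading, requesting a directory that has no index file should return the 403 page rather than a listing.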
2. External website detection
360 website verification:
Http://webscan.360.cn/
3. Tool detection
Http://www.cnblogs.com/lhb25/archive/2012/06/18/8-useful-and-free-web-application-security-testing-tools.html
Some detection tools are also included in the Aliyun system.
© 2024 shulou.com SLNews company. All rights reserved.