SLTechnology News & Howtos > Network Security. Shulou (Shulou.com) 05/31 report, updated 2025-04-06.
This article covers the main knowledge points of Web security testing: what a security test is, how to make it part of ordinary testing, and which test points a Web application is usually checked against. Each point is shown with a practical test method or example.
What is a security test?
The purpose of security testing is to provide evidence that the application still meets its requirements when faced with hostile and malicious input.
a. How is that evidence provided? A set of security test cases is executed; every failing case is evidence that the Web application does not meet a security requirement.
b. How should the requirements for security testing be viewed? Security testing depends on requirements even more than functional testing does, because it has a far larger space of possible inputs and outputs to filter, and only the requirements say which of them must be rejected.
Real software security is actually risk management: the goal is to ensure that the security of the software meets the needs of the business, not to eliminate every conceivable risk.
How to conduct security testing?
Security testing becomes a simple, routine part of daily functional testing when test cases based on common attacks and vulnerabilities, adapted to the actual application, are added to the existing test set.
Select boundary values and equivalence classes that have security significance (for example the maximum field length, an empty value, or a value containing quotes and angle brackets) and integrate them into the test planning and test strategy process.
However, building security testing on top of functional testing means adding a large number of test cases. To keep this manageable, two things must be done: narrow the focus (test the inputs and functions that actually carry risk) and automate the tests.
Which test points are usually considered in Web security testing?
1. Problem: input that is not validated
Test method: for every input parameter, check that the application enforces the following, server-side, rather than relying on the browser:
Data type (string, integer, real number, etc.)
Allowed character set
Minimum and maximum length
Whether empty input is allowed
Whether the parameter is required
Whether the parameter may be repeated
Numerical range
Specific values (enumerated)
Specific patterns (regular expressions)
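The checklist above maps directly onto a server-side validator. The following is an added example, not code from the original article: a small rule table that applies every item in the list (type, character set, length, empty, required, repetition, range, enumeration, pattern) to a dictionary of request parameters and returns the failures. The field names and rules are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Collection, Optional


@dataclass
class FieldRule:
    """What the application claims to accept for one parameter."""
    name: str
    type_: type = str                    # data type: str, int, float
    required: bool = True                # must the parameter be present?
    allow_empty: bool = False            # is an empty value accepted?
    allow_repeat: bool = False           # may the parameter appear more than once?
    min_len: int = 0
    max_len: Optional[int] = None
    charset: Optional[str] = None        # regex character class, e.g. "A-Za-z0-9_"
    pattern: Optional[str] = None        # full-match regular expression
    min_val: Optional[float] = None      # numeric range (numeric types only)
    max_val: Optional[float] = None
    allowed: Optional[Collection] = None # enumerated values


def _check_one(rule, raw):
    """Check a single string value against its rule; return a reason or None."""
    if raw == "":
        return None if rule.allow_empty else "empty input not allowed"
    if len(raw) < rule.min_len:
        return "shorter than minimum length"
    if rule.max_len is not None and len(raw) > rule.max_len:
        return "longer than maximum length"
    # Character set and pattern are checked before type conversion: int()
    # happily accepts surrounding whitespace and non-ASCII digits.
    if rule.charset is not None and not re.fullmatch(f"[{rule.charset}]*", raw):
        return "disallowed character"
    if rule.pattern is not None and not re.fullmatch(rule.pattern, raw):
        return "does not match required pattern"
    try:
        value = rule.type_(raw)
    except ValueError:
        return f"not a valid {rule.type_.__name__}"
    if rule.min_val is not None and value < rule.min_val:
        return "below minimum value"
    if rule.max_val is not None and value > rule.max_val:
        return "above maximum value"
    if rule.allowed is not None and value not in rule.allowed:
        return "not an allowed value"
    return None


def validate(rules, params):
    """Return a list of (field, reason) tuples; an empty list means the input passed.
    params maps a name to a string, or to a list of strings for a repeated parameter."""
    errors = []
    for rule in rules:
        if rule.name not in params:
            if rule.required:
                errors.append((rule.name, "missing required parameter"))
            continue
        raw = params[rule.name]
        values = raw if isinstance(raw, list) else [raw]
        if len(values) > 1 and not rule.allow_repeat:
            errors.append((rule.name, "repeated parameter not allowed"))
            continue
        for value in values:
            reason = _check_one(rule, value)
            if reason:
                errors.append((rule.name, reason))
    return errors


# Constructed rule set for a hypothetical registration form.
RULES = [
    FieldRule("username", min_len=3, max_len=16, charset="A-Za-z0-9_"),
    FieldRule("age", type_=int, charset="0-9", min_val=0, max_val=150),
    FieldRule("role", allowed={"user", "admin"}),
    FieldRule("email", max_len=254, pattern=r"[^@\s]+@[^@\s]+\.[^@\s]+"),
    FieldRule("comment", required=False, allow_empty=True, max_len=200),
    FieldRule("tag", required=False, allow_repeat=True, charset="a-z", max_len=10),
]

if __name__ == "__main__":
    sample = {"username": "al", "age": "-5", "role": "root", "email": "a b@c.d"}
    for field, reason in validate(RULES, sample):
        print(f"{field}: {reason}")
```

Each test case in the checklist becomes one rejected input here; a parameter that the validator lets through unchanged (for example a repeated parameter when only one is expected) is exactly the case the test method is meant to catch.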
2. Problem: problematic access control
Test method:
Mainly for pages that require the user's identity and permissions to be verified. Copy the URL of such a page, close the page (or log out, or open a fresh browser session without the cookie), and check whether the copied address can be opened directly.
For example, the URL of a restricted page can often be read from a link on another page. If entering that address directly shows the page, you can see information you do not have permission for: the application hides the link in the menu but does not check authorization on the request itself.
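The two applications below are an added example (not the article's code) that reproduces this test offline: a tiny WSGI app is called in-process, once in a "hide the link only" configuration and once with a role check on every request, and a forced-browsing helper reports which restricted URLs a client receives with 200. The session store, cookie name sid, paths and roles are all constructed for the example.

```python
from http.cookies import SimpleCookie

# Constructed session store and route table; in a real application the
# sessions would come from a login handler. Hard-coded so the example runs offline.
SESSIONS = {
    "sid-alice": {"user": "alice", "role": "user"},
    "sid-root": {"user": "root", "role": "admin"},
}
PROTECTED = {"/profile": "user", "/admin": "admin"}   # path -> minimum role
ROLE_RANK = {"user": 1, "admin": 2}


def _session(environ):
    """Look up the session named by the sid cookie, or None if absent or unknown."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return SESSIONS.get(cookie["sid"].value) if "sid" in cookie else None


def _permitted(sess, needed):
    return sess is not None and ROLE_RANK[sess["role"]] >= ROLE_RANK[needed]


def make_app(check_every_request):
    """Build a tiny WSGI application.

    check_every_request=False reproduces the flaw in the text: the menu on /
    only shows links the user may follow, but /profile and /admin themselves
    never check who is asking. True enforces the role on every request.
    """
    def app(environ, start_response):
        path = environ["PATH_INFO"]
        sess = _session(environ)
        needed = PROTECTED.get(path)
        if needed and check_every_request and not _permitted(sess, needed):
            if sess is None:                                  # not logged in
                start_response("302 Found", [("Location", "/login")])
            else:                                             # logged in, wrong role
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b""]
        if path == "/":
            links = [p for p, r in PROTECTED.items() if _permitted(sess, r)]
            body = "".join(f'<a href="{p}">{p}</a>' for p in links)
        elif needed:
            body = f"<h1>{path}</h1>"
        else:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b""]
        start_response("200 OK", [("Content-Type", "text/html")])
        return [body.encode()]
    return app


def get(app, path, cookie=""):
    """Drive the WSGI app in-process (no network); returns (status code, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "HTTP_COOKIE": cookie}
    status = []

    def start_response(line, headers):
        status.append(int(line.split()[0]))

    body = b"".join(app(environ, start_response)).decode()
    return status[0], body


def forced_browsing(app, cookie=""):
    """The test from the text: request every restricted URL directly and
    return the ones this client receives with 200."""
    return [p for p in PROTECTED if get(app, p, cookie)[0] == 200]


if __name__ == "__main__":
    print("link hiding only, no session:", forced_browsing(make_app(False)))
    print("per-request check, no session:", forced_browsing(make_app(True)))
    print("per-request check, user:", forced_browsing(make_app(True), "sid=sid-alice"))
```

With the link-hiding app, a logged-in ordinary user never sees /admin on the menu, yet requesting /admin directly returns 200; the per-request version answers 302 to an anonymous client and 403 to a logged-in user with the wrong role.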
3. Incorrect authentication and session management
Example: the input boxes of Grid, Label and Tree view controls are not validated, and whatever is entered is parsed as HTML when it is rendered back.
4. Buffer overflow
Analysis: an attacker uses a buffer overflow to smash the stack of the Web application (typically in native code it runs); by sending specially crafted input to the Web program, the attacker can make the application execute arbitrary code.
Critical data is not encrypted
Example: prefix the page address with view-source: (or right-click the page and view its source) to read the page's HTML. A password box shows * on screen, but if the form is re-rendered with the submitted password in the value attribute, the password you just entered is readable in the source.
5. Denial of service
Analysis: an attacker can generate enough traffic from a single host to exhaust an application's resources and eventually bring it down; this has to be handled with load balancing, together with rate limiting and resource quotas.
6. Unsafe configuration management
Analysis: connection strings in the config file, as well as user information, mail settings and data-storage settings, need to be protected.
What programmers should do: configure all security mechanisms, turn off all unused services, set up accounts with role-based permissions, and use logging and alerting.
7. Injection vulnerabilities
Example: a page that checks a user's login.
If the SQL statement is built by string concatenation:
"SELECT * FROM A WHERE username='" + username + "' AND password='" + password + "'"
then entering a username of ' or 1=1 -- logs in without any password: the quote closes the string, or 1=1 makes the condition always true, and -- comments out the rest of the statement, including the password check.
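The following added example (not code from the article) runs the login above against an in-memory SQLite table: the concatenated query lets the payload through, while a parameterised query binds the same input as data. The table, rows and function names are constructed for the example; passwords are stored in plaintext only to mirror the article's query, real code compares hashes.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table matching the article's table A."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE A (username TEXT, password TEXT)")
    con.execute("INSERT INTO A VALUES ('alice', 's3cret'), ('bob', 'hunter2')")
    return con


def login_vulnerable(con, username, password):
    """The article's pattern: the statement is assembled by string concatenation,
    so quotes and comment markers in the input become part of the SQL."""
    sql = ("SELECT * FROM A WHERE username='" + username +
           "' AND password='" + password + "'")
    return con.execute(sql).fetchall()


def login_safe(con, username, password):
    """Parameterised query: the driver binds the values, the parser never sees them."""
    sql = "SELECT * FROM A WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    con = make_db()
    payload = "' or 1=1 --"
    print("concatenated, payload as username:", login_vulnerable(con, payload, ""))
    print("concatenated, alice' -- as username:", login_vulnerable(con, "alice' --", "x"))
    print("parameterised, payload as username:", login_safe(con, payload, ""))
```

The second vulnerable call shows the targeted form of the same attack: a username of alice' -- logs in as a chosen account with any password, because the password comparison is commented out.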
8. Inappropriate exception handling
Analysis: when the program throws an exception it returns detailed internal error information (stack traces, database error text, file paths), exposing execution details that should not be displayed and pointing an attacker at potential vulnerabilities in the site. The user should get a generic error page; the detail belongs in the server log.
9. Unsafe storage
Analysis: account list: the system should not let users browse all accounts on the site. If a user list is necessary, use some form of pseudonym (screen name) that points to the actual account.
Browser cache: authentication and session data should not be sent as part of a GET request, where they end up in the browser history, server logs and Referer headers; use POST.
10. Problem: cross-site scripting (XSS)
Analysis: an attacker uses a cross-site script to deliver malicious code to unsuspecting users and steal data from the victim's browser, such as session cookies and page contents.
Test method: submit each of the following in every input field and check whether the page renders it unchanged instead of displaying it as text:
HTML tag: … (any harmless tag, such as <b>)
Escape characters: &amp; (&) and &nbsp; (space)
Script: <script>alert('')</script>
Special characters: ' " < > /
Minimum and maximum length
Whether empty input is allowed
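As an added example (not the article's code), the block below renders the payloads from the test method through a vulnerable template and an escaped one, and uses an HTML parser as the test oracle: if the rendered page contains a tag or attribute the template did not have, the input was interpreted as markup. The templates and payload list are constructed; html.escape is the standard-library function for the text and quoted-attribute contexts shown here and does not cover URL, JavaScript or unquoted-attribute contexts.

```python
import html
from html.parser import HTMLParser

# Constructed payloads, one per item in the test method above.
PAYLOADS = [
    "<b>bold</b>",                        # HTML tag
    "&amp; &nbsp;",                       # escape characters
    "<script>alert('')</script>",         # script
    "' \" < > /",                         # special characters
    "\" onmouseover=\"alert(1)",          # attribute breakout
]


def render_vulnerable(comment):
    """Text context, raw insertion: the flaw described in the article."""
    return f'<p class="c">{comment}</p>'


def render_escaped(comment):
    return f'<p class="c">{html.escape(comment, quote=True)}</p>'


def render_attr_vulnerable(value):
    """Quoted-attribute context, raw insertion (a form re-displaying its input)."""
    return f'<input value="{value}">'


def render_attr_escaped(value):
    return f'<input value="{html.escape(value, quote=True)}">'


class TagCollector(HTMLParser):
    """Records (tag, sorted attribute names) in the order a browser would see them."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, sorted(name for name, _ in attrs)))


def parsed_tags(markup):
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


# What each template produces when the input is inert.
P_TEMPLATE = [("p", ["class"])]
INPUT_TEMPLATE = [("input", ["value"])]


def injected(render, template_tags, payload):
    """Test oracle: True if the payload added a tag or attribute to the template."""
    return parsed_tags(render(payload)) != template_tags


if __name__ == "__main__":
    for p in PAYLOADS:
        print(repr(p), "text/vuln:", injected(render_vulnerable, P_TEMPLATE, p),
              "text/escaped:", injected(render_escaped, P_TEMPLATE, p),
              "attr/vuln:", injected(render_attr_vulnerable, INPUT_TEMPLATE, p),
              "attr/escaped:", injected(render_attr_escaped, INPUT_TEMPLATE, p))
```

The attribute payload is the case worth noting: it contains no angle brackets, so a filter that only strips < and > passes it, yet in the quoted-attribute template it closes the value and adds an onmouseover handler. The parser-based oracle catches it where a string search for <script> would not.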