2025-03-26 Update From: SLTechnology News & Howtos
Shulou (Shulou.com) 06/02 Report
Common Web security vulnerabilities and testing methods
Background
A Web application is the general name for an application built on the B/S (browser/server) architecture that provides its services over the HTTP/HTTPS protocol. With the development of the Internet, Web applications have become part of every aspect of daily life. Most current Web applications are not static page browsing but involve dynamic processing on the server; if the developers' security awareness is weak, this leads to an endless stream of Web application security problems.
What is generally called a Web application attack means that attackers send specially crafted requests to the Web server in the URL or in other input areas (such as forms) through a browser or other attack tools, in order to find loopholes in the Web application, and then manipulate and control the website to achieve their goals.
Common security vulnerabilities
1. SQL injection
SQL injection (SQL Injection) is the most common vulnerability and has the widest range of effects. Attackers insert SQL commands into Web form submission fields, domain names, or the query string of a page request, deceiving the server into executing malicious SQL commands, so that the database runs queries it was never intended to run.
The possible harms of SQL injection are: web pages and data tampered with, core data stolen, and the server hosting the database turned into a puppet host.
For example, some websites do not use precompiled (parameterized) SQL: fields entered by the user on the interface are concatenated directly into the SQL text, and may well contain malicious SQL commands. For example, with password = "1'OR'1" you can log in normally even without knowing the user's password.
Test method:
On a page that takes a query, enter the correct query condition followed by a simple SQL expression such as "and 1", and view the response. If the result is the same as entering only the correct query condition, the application has not filtered the user input, and it can be preliminarily judged that a SQL injection vulnerability exists here.
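To make the login example above concrete, here is an added example (not code from the original article): a concatenated query beside its parameterized replacement, run against a constructed in-memory SQLite table, plus the article's test expressed as a regression check. The table, the user name and the plaintext password are constructed sample data; real systems store password hashes, which is out of scope here.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: one user with a known password (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    # Plaintext password only to keep the example short; store hashes in real code.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # The defect the article describes: user input is spliced into the SQL text,
    # so a password of 1'OR'1 turns the WHERE clause into "... OR '1'", which is always true.
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # The fix: a precompiled (parameterized) statement. The driver passes the values
    # separately from the SQL text, so they are compared as data and never parsed as SQL.
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def looks_injectable(login, conn: sqlite3.Connection) -> bool:
    """The article's check as a regression test: if the crafted condition gives the
    same result as the correct input, the input is reaching the SQL unfiltered."""
    return login(conn, "alice", "correct-horse") == login(conn, "alice", "1'OR'1")


if __name__ == "__main__":
    db = make_db()
    print("concatenated SQL injectable:", looks_injectable(login_vulnerable, db))
    print("parameterized SQL injectable:", looks_injectable(login_parameterized, db))
```

The `looks_injectable` check is the kind of test a QA engineer can keep in the suite: it passes (returns False) only while every code path that builds the query keeps user input out of the SQL text.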
2. XSS cross-site scripting
XSS (Cross Site Script), similar to SQL injection, inserts malicious scripts through a web page; the main technologies involved are front-end HTML and JavaScript. When a user browses the page, the script runs and takes control of the behavior of the user's browser.
A successful XSS attack can obtain the user's cookie, use that cookie to take over the user's permissions on the site, obtain the user's contact list, send large amounts of spam to a specific target group under the victim's identity, and so on.
XSS is divided into three types: stored (persistent XSS), reflected (non-persistent XSS), and DOM-based XSS.
Test method:
In a data entry field, enter: alert(/123/). If a dialog box pops up after the save succeeds, there is an XSS vulnerability here.
Or change a parameter in the URL request to alert(/123/). If a dialog box pops up on the page, there is an XSS vulnerability here.
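The dialog in the test above appears only if the submitted script reaches the page as live markup. The following added example (not from the original article) renders a reflected parameter both ways and includes the check a test suite can run on the rendered HTML instead of waiting for a browser dialog. The page template and the `name` parameter are constructed for the example.

```python
import html
import re

# Constructed page template: the user-supplied "name" parameter is reflected into it.
PAGE_TEMPLATE = "<html><body><p>Hello, {name}</p></body></html>"


def render_vulnerable(name: str) -> str:
    # The defect: untrusted input is placed into the HTML unchanged, so a value
    # such as <script>alert(/123/)</script> becomes part of the page's markup.
    return PAGE_TEMPLATE.format(name=name)


def render_escaped(name: str) -> str:
    # The fix for HTML body context: encode < > & " ' so the value is displayed as
    # text and can never open a tag or an attribute.
    return PAGE_TEMPLATE.format(name=html.escape(name, quote=True))


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(rendered: str) -> bool:
    """Automated version of the article's check: a raw <script tag surviving into
    the response is the condition under which the alert dialog would pop up."""
    return _SCRIPT_TAG.search(rendered) is not None


if __name__ == "__main__":
    probe = "<script>alert(/123/)</script>"
    print("vulnerable page executes script:", contains_live_script(render_vulnerable(probe)))
    print("escaped page executes script:", contains_live_script(render_escaped(probe)))
    print(render_escaped(probe))
```

`html.escape` is the right tool only for text placed inside an element body or a quoted attribute; values inserted into a JavaScript block, a URL, or a CSS rule need the encoding appropriate to that context.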
3. CSRF cross-site request forgery
CSRF (Cross Site Request Forgery) uses the identity of a logged-in user to send malicious requests in that user's name and complete illegal operations.
For example, a user browses and trusts website A, which has a CSRF vulnerability; the browser stores the corresponding cookie, and the user then visits dangerous website B without logging out of A.
Dangerous website B makes a request to website A. The browser sends the request to A carrying the user's cookie; because website A cannot tell whether the request was made by the user or by dangerous website B, it processes B's request, which accomplishes the goal of simulating the user's operation. This is the basic idea of a CSRF attack.
Test method:
1. Open two pages in the same browser, let the permission on one page expire, and check whether the other page can still be operated successfully. If the operation still succeeds, there is a risk.
2. Use a tool to send the request without the Referer field in the HTTP request header, and verify the returned response: it should redirect to an error page or to the login page.
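As an added example (not part of the original article), here is a state-changing handler on "website A" that behaves the way test 2 expects: a request with no Referer/Origin, or one from another site, is redirected to the error page, an expired session goes to the login page, and a session-bound synchronizer token is required on top. The host name `a.example`, the secret key, the `Request` stand-in class and the `/transfer` endpoint are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_HOST = "a.example"                          # "website A" of the article (assumed name)
SERVER_SECRET = b"constructed-secret-rotate-me"  # constructed; real deployments load it from config


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for the example)."""
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def csrf_token_for(session_id: str) -> str:
    """Synchronizer token bound to the session; site A embeds it in the form it serves.
    Website B cannot read it, because the same-origin policy hides A's pages from B."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def request_is_same_site(req: Request) -> bool:
    # The article's second test: a request with no Referer (or an Origin/Referer
    # pointing at another host, such as dangerous website B) is not treated as the
    # user's own action. Origin is checked first because browsers send it on POST
    # even when a privacy setting suppresses Referer.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source:
        return False
    return urlsplit(source).hostname == SITE_HOST


def handle_transfer(req: Request):
    """State-changing endpoint on site A. Returns (status, location or body)."""
    session_id = req.cookies.get("session")
    if not session_id:
        return 302, "/login"      # permission expired: back to the login page
    if not request_is_same_site(req):
        return 302, "/error"      # redirected to the error page, as the article expects
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(csrf_token_for(session_id), supplied):
        return 403, "/error"      # token missing or forged
    return 200, "transfer accepted"


if __name__ == "__main__":
    token = csrf_token_for("s1")
    genuine = Request(headers={"Origin": "https://a.example"},
                      form={"csrf_token": token}, cookies={"session": "s1"})
    forged = Request(headers={"Origin": "https://b.example"}, cookies={"session": "s1"})
    print("genuine:", handle_transfer(genuine))
    print("from site B:", handle_transfer(forged))
```

The Referer/Origin check alone is what the article's test exercises; the token is the stronger control, because the header check fails open if a proxy strips both headers and the application then has to choose between rejecting legitimate users and accepting forged requests.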
4. File upload vulnerability
A file upload attack means that the user uploads an executable file to the server and gets it executed.
This method is the most direct and effective. The uploaded file may be a virus, a Trojan, a malicious script, a webshell, and so on.
A webshell is a command-execution environment in the form of a web file such as asp, php, jsp or cgi; it can also be described as a web page backdoor. After an attacker places or injects a webshell into the affected system, they can easily access the system through it and control the website server.
Test method:
Strictly check the type and size of uploaded files, and forbid uploading files that contain malicious code.
Verify the execution permissions of the relevant directories: access each directory on the Web server through the browser and check whether a directory listing is returned. If the directory structure is displayed, there may be a security problem.
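The first item above ("strictly check the type and size") is easy to get wrong when only the file name is inspected. As an added example (not from the original article), the validator below rejects server-side executable extensions anywhere in the name (so `shell.php.png` fails as well as `shell.php`), enforces a size limit, checks that the first bytes match the claimed image type, and assigns a random server-side file name so the uploaded name never reaches the file system. The size limit, the allowed types and their signatures are constructed for the example.

```python
import os
import secrets

MAX_BYTES = 2 * 1024 * 1024  # constructed limit: 2 MiB

# Allowed types and the leading bytes (magic numbers) each must start with.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

# Extensions the web server would execute: the webshell file types named in the article.
EXEC_EXTS = {".asp", ".aspx", ".php", ".jsp", ".cgi"}


def check_upload(filename: str, data: bytes):
    """Return (ok, reason) for a candidate upload."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any client-supplied path
    parts = base.lower().split(".")
    exts = ["." + p for p in parts[1:]]
    if any(e in EXEC_EXTS for e in exts):
        return False, "executable extension"         # catches shell.php and shell.php.png
    if not exts or exts[-1] not in ALLOWED:
        return False, "type not allowed"
    if len(data) > MAX_BYTES:
        return False, "too large"
    if not data.startswith(ALLOWED[exts[-1]]):
        return False, "content does not match extension"  # e.g. a PHP script named .png
    return True, "ok"


def safe_store_name(filename: str) -> str:
    """Server-chosen name: random hex plus the validated extension, nothing from the client."""
    ext = "." + filename.lower().rsplit(".", 1)[-1]
    if ext not in ALLOWED:
        raise ValueError("check_upload must pass before choosing a store name")
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32      # constructed PNG-like content
    print(check_upload("photo.png", png), safe_store_name("photo.png"))
    print(check_upload("shell.php", b"<?php echo 1; ?>"))
    print(check_upload("shell.php.png", png))
    print(check_upload("photo.png", b"<?php echo 1; ?>"))
```

Even with these checks, store uploads outside the web root or in a directory the server is configured not to execute from, which is what the article's second test (probing directory permissions) is meant to confirm.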
5. URL redirect vulnerability
The URL redirect vulnerability, also known as an unvalidated redirect, means that the Web program jumps directly to the URL given in a request parameter, or passes an arbitrary supplied URL into the page, leading the program to an insecure third-party site and causing security problems.
Test method:
1. Use a packet capture tool to capture the request.
2. Capture the 302 response, modify the destination address, and see whether the jump still works.
PS: many redirects now add a Referer check, which causes the jump to fail.
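The robust fix is not a Referer check but validating the destination before issuing the 302. As an added example (not from the original article), the function below accepts only paths on the application's own origin or absolute URLs to an allow-listed host, and falls back to a default page for everything else, including the protocol-relative and userinfo forms that a naive "starts with /" check lets through. The origin `https://www.example.com` and the allow-list are constructed for the example.

```python
import re
from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://www.example.com"                    # assumed: the application's own origin
ALLOWED_HOSTS = {"www.example.com", "login.example.com"}   # constructed allow-list of redirect hosts

# Two or more leading slashes or backslashes ("//host", "/\host", "///host"): browsers
# resolve these to another host even though urljoin may treat them as a local path.
_SCHEME_RELATIVE = re.compile(r"^[/\\]{2,}")


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return target if it stays on an allowed host, otherwise the default page."""
    if not target:
        return default
    target = target.strip()
    if _SCHEME_RELATIVE.match(target):
        return default
    # Resolve relative paths against our own origin so every candidate is judged
    # by the absolute location it actually leads to.
    resolved = urljoin(SITE_ORIGIN + "/", target)
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return default          # javascript:, data: and similar
    if parts.hostname not in ALLOWED_HOSTS:
        return default          # includes "https://www.example.com@evil.example/"
    return resolved


if __name__ == "__main__":
    for candidate in ["/account", "https://login.example.com/sso",
                      "//evil.example/x", "https://www.example.com@evil.example/",
                      "javascript:alert(1)"]:
        print(f"{candidate!r:48} -> {safe_redirect_target(candidate)}")
```

With this in place, the article's test (editing the Location of the captured 302) no longer matters, because the redirect target is recomputed from an allow-list on every request rather than trusted from the parameter.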
Summary
These are some common Web security vulnerabilities and testing methods. With more and more attention being paid to network security, Web security testing is becoming ever more important in the testing process. Although vulnerability scanning tools such as AppScan exist, testers also need some knowledge of common security vulnerabilities.
About the author: Zhang Bin, 6 years of testing experience, proficient in automated testing, performance testing, continuous delivery and overall product quality improvement.