
Logic vulnerabilities: bypassing login verification by modifying the response packet

2025-04-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

A logic vulnerability arises when a program's logic is lax or overly complex. It is exploited by tampering with the relevant data to achieve one's own purpose, such as bypassing login verification.

Principle and a simple practical walkthrough

(Only a brief introduction to the principle behind this exercise is given here.) Login restrictions can be bypassed when the check of the login account and password has a logic flaw, or when the relevant parameters returned by the server are used again as the final login credential. For example, the server returns a flag parameter indicating whether the login succeeded, and the code then decides the final login result by reading that flag parameter. Anyone who modifies the flag parameter can therefore bypass the login restriction.

Intercept the packet

Enable display of the response packet

Modify the response packet

Login succeeded

A second way to modify the response packet

This way of modifying is suited to cases where modifications are needed later on as well, such as modifying a cookie to maintain access.

Remediation advice

Fix the verification logic. The server may return a parameter saying whether the login succeeded, but the server's own check must be the final verification; the returned parameter must not be used as the final basis for deciding whether the login succeeded.
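The remediation above, shown as the flawed check beside the corrected one. This is an added example, not code from the original article; the account, the `session` field and all function names are assumptions made for illustration, and only the `flag` parameter comes from the text.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (assumption): one account with a PBKDF2 password hash.
_SALT = b"demo-salt"

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {"alice": _hash("correct horse")}
SESSIONS = {}  # token -> username; this state exists only on the server

def login(user, password):
    """Verify credentials on the server; issue a session only on success."""
    ok = hmac.compare_digest(USERS.get(user, b""), _hash(password))
    resp = {"flag": ok}  # informational for the client UI, never authoritative
    if ok:
        token = secrets.token_urlsafe(32)
        SESSIONS[token] = user
        resp["session"] = token
    return resp

def tampered(resp):
    """Model of a response modified in transit: the flag is flipped to success."""
    return {**resp, "flag": True}

def profile_vulnerable(resp_seen_by_client):
    """Flawed logic: access is decided from the flag in the returned response."""
    return "profile data" if resp_seen_by_client.get("flag") else None

def profile_hardened(resp_seen_by_client):
    """Fixed logic: access is decided from server-side session state only."""
    user = SESSIONS.get(resp_seen_by_client.get("session", ""))
    return f"profile data for {user}" if user else None

if __name__ == "__main__":
    failed = login("alice", "wrong password")
    print("vulnerable:", profile_vulnerable(tampered(failed)))
    print("hardened:  ", profile_hardened(tampered(failed)))
```

With the hardened check, flipping the flag or supplying a guessed `session` value changes nothing, because the decision is looked up in state the client cannot write to.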
