How to conduct Web Penetration Test

2025-01-16 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31 Report

Today, the editor will share the relevant knowledge points about how to conduct Web penetration testing. The content is detailed and the logic is clear. I believe most people still do not know much about this topic, so this article is shared for your reference. I hope you will gain something from reading it. Let's take a look.

Penetration testing means that penetration testing engineers fully simulate the attack techniques and vulnerability discovery techniques a hacker might use, examine the security of the target network, hosts and applications in depth, and find the weakest link of the system.

If security testing is "horizontal carpet-style automatic scanning", then penetration testing is "vertical in-depth manual intrusion".

In other words, the purpose of penetration testing is to find the potential business vulnerability risks of the target system.

Security problems show up at inputs and outputs, so they leave traces that can be found by analyzing the data flow. First learn the process of penetration testing, then use tools to find vulnerabilities, understand them and reproduce them.

How to conduct Web penetration testing?

1. Complete web penetration testing framework

When thousands of web applications need to be tested, a complete security testing framework must be established. The overriding goal of the process is to ensure the quality of the security testing service delivered to customers.

Project establishment: project setup, scheduling, manpower allocation, goal setting, and determination of the vendor interface.

System analysis & threat analysis: for the specific web application, analyze the system architecture, components used, external interfaces, etc.; use STRIDE as the threat model to analyze the corresponding security threats; output a security threat analysis table, focusing on the top 3 threats.

Develop test cases: write test cases according to the results of the threat analysis; test cases are output according to a template and must be executable.

Test execution & vulnerability mining: execute the test cases and perform divergent (exploratory) testing to uncover the corresponding security problems or vulnerabilities.

Problem repair & regression testing: guide the customer's application developers to fix the security problems or vulnerabilities, then run regression testing to confirm they are fixed and that no new security issues have been introduced.

Project summary review: summarize the project process, review the output documents, and file the related documents.

2. Penetration testing process of Web application

It is mainly divided into three stages: information collection → vulnerability discovery → vulnerability exploitation. The following is a detailed analysis of the process of each stage:

I. Information collection

In the information gathering phase, we need to collect as much information as possible about the target web application, such as the type of scripting language, the type of server, the structure of the directory, the open source software used, the type of database, all linked pages, the framework used, etc.

Types of scripting languages: common scripting languages include: php, asp, aspx, jsp, etc.

Testing method

1 crawl all the links on the website and look at the suffixes

2 directly request a non-existent page with different suffixes and compare the error responses

3 view robots.txt and check the suffixes listed there

Type of server: common web servers include apache, tomcat, IIS, nginx, etc.

Testing method

1 check the response headers to determine the server type

2 judge from the error messages

3 judge from the default page

Directory structure: the more directories you know, the more weaknesses you may find, such as directory browsing, code leaks, etc.

Testing method

1 enumerate directories using dictionaries

2 use a crawler to crawl the entire site, or use a search engine such as Google

3 check whether robots.txt leaks directories

Open source software used: if we know which open source software the target uses, we can look up vulnerabilities in that software and test the website directly.

Testing method

Fingerprint recognition (there are many open source fingerprinting tools available online)

Database type: there are different testing methods for different databases.

Testing method

1 cause the application to report an error and inspect the error message

2 scan the server's database port (works only when there is no NAT and no firewall filtering)

All linked pages: similar to obtaining the directory structure above, but the aim is not only to get all the functional pages of the site; sometimes you can also find source code backed up by the administrator.

Testing method

1 enumerate pages using a dictionary

2 use a crawler to crawl the entire site, or use a search engine such as Google

3 check whether robots.txt leaks pages

Framework used: many websites use open source frameworks to develop quickly, so collecting information about the website's framework is also critical.

Testing method

Fingerprint recognition (there are many open source fingerprinting tools available online)
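The information-collection steps above (scripting language from URL suffixes, server type from headers, database type from error messages, directories from robots.txt) can be turned around and run against your own application to see what it gives away before a tester does. The following is an added example, not code from the original article; it works on a constructed snapshot of one response (headers, crawled URLs, robots.txt body, error page) with a placeholder host, so it runs offline and fetches nothing.

```python
"""Audit what a web application discloses to the reconnaissance steps above.

Added example, not code from the original article. All input is a constructed
snapshot (response headers, crawled URLs, a robots.txt body, an error page);
nothing is fetched from the network, so it can be run against captures taken
from your own application.
"""
import re
from urllib.parse import urlparse

SCRIPT_SUFFIXES = {".php", ".asp", ".aspx", ".jsp"}
DISCLOSING_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")
DB_ERROR_PATTERNS = {
    "mysql": re.compile(r"You have an error in your SQL syntax|mysql_fetch", re.I),
    "mssql": re.compile(r"Microsoft SQL Server|OLE DB Provider", re.I),
    "oracle": re.compile(r"ORA-\d{5}"),
    "postgresql": re.compile(r"PostgreSQL|pg_query", re.I),
}
SENSITIVE_PATH_HINTS = ("admin", "backup", "upload", "config", ".bak", ".sql")

# Constructed sample snapshot (placeholder host, not a real site).
SAMPLE = {
    "urls": [
        "https://app.example.test/index.php",
        "https://app.example.test/login.php?next=/",
        "https://app.example.test/static/app.js",
    ],
    "headers": {
        "Server": "Apache/2.4.41 (Ubuntu)",
        "X-Powered-By": "PHP/7.4.3",
        "Content-Type": "text/html; charset=utf-8",
    },
    "robots_txt": "User-agent: *\nDisallow: /admin/\nDisallow: /backup/ # old dumps\nDisallow: /blog/\n",
    "error_page": "Warning: mysql_fetch_array() expects parameter 1 to be resource in /var/www/html/product.php on line 12",
}


def script_languages(urls):
    """Scripting languages revealed by URL suffixes (the suffix check above)."""
    found = set()
    for url in urls:
        match = re.search(r"\.[a-z0-9]+$", urlparse(url).path.lower())
        if match and match.group(0) in SCRIPT_SUFFIXES:
            found.add(match.group(0).lstrip("."))
    return sorted(found)


def header_disclosures(headers):
    """Headers that name the server or runtime, matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {name: lowered[name.lower()] for name in DISCLOSING_HEADERS if name.lower() in lowered}


def database_from_error(body):
    """Database product implied by a verbose error page, or None."""
    for db, pattern in DB_ERROR_PATTERNS.items():
        if pattern.search(body):
            return db
    return None


def robots_exposures(robots_txt):
    """Disallow entries that advertise sensitive paths instead of hiding them."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if any(hint in path.lower() for hint in SENSITIVE_PATH_HINTS):
                paths.append(path)
    return paths


def audit(snapshot):
    """Return human-readable findings for the snapshot; an empty list means nothing leaked."""
    findings = []
    langs = script_languages(snapshot["urls"])
    if langs:
        findings.append("scripting language exposed by URL suffix: " + ", ".join(langs))
    for name, value in header_disclosures(snapshot["headers"]).items():
        if re.search(r"\d", value):  # a version number is what fingerprinting tools key on
            findings.append(f"{name} header discloses version: {value}")
    db = database_from_error(snapshot["error_page"])
    if db:
        findings.append(f"verbose error page reveals database: {db}")
    for path in robots_exposures(snapshot["robots_txt"]):
        findings.append(f"robots.txt points at sensitive path: {path}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```

Each finding maps to a hardening action: strip version strings from Server and X-Powered-By, return generic error pages instead of database messages, and keep administrative paths out of robots.txt (use authentication, not obscurity, to protect them).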

II. Vulnerability discovery

At this stage, testing should be targeted rather than blind scanning. First determine whether the target application uses open source software, an open source framework, etc., and then perform an in-depth vulnerability scan.

Discovery of vulnerabilities in open source software

Open source software: common open source software includes WordPress, phpBB, DedeCMS, etc.

Open source frameworks: common open source frameworks include Struts2, Spring MVC, ThinkPHP, etc.

Middleware servers: common middleware servers include JBoss, Tomcat, WebLogic, etc.

Database services: common database services include MSSQL, MySQL, Oracle, Redis, Sybase, MongoDB, DB2, etc.

Testing methods for open source software

1 determine the version of the open source software with fingerprinting software, then look up the vulnerabilities for that version in public vulnerability databases and test for them

2 simple brute-force cracking, default-password attempts and similar operations can be performed against the default admin login page, database service port authentication, etc.

3 use open source vulnerability discovery tools to scan for vulnerabilities, such as WPScan
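Step 1 above is a version-range comparison: the version string from fingerprinting is checked against the affected range each advisory states. The following is an added example, not code from the original article or from any vulnerability database; the advisory records are constructed placeholders (ADV-PLACEHOLDER-n, not real CVE identifiers) and the product versions are invented, so the whole thing runs offline.

```python
"""Match fingerprinted component versions against known-affected version ranges.

Added example, not code from the original article. The advisory records are
constructed placeholders (ADV-PLACEHOLDER-n), not real CVE data; in practice
they would be loaded from the public vulnerability database the team uses.
"""
import re

# Constructed advisory feed: each entry says which versions of a product are
# affected, from `introduced` (inclusive) up to `fixed` (exclusive; None = unfixed).
CONSTRUCTED_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "product": "wordpress", "introduced": "4.0", "fixed": "5.2.3", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-2", "product": "php", "introduced": "7.0", "fixed": "7.4.9", "severity": "medium"},
    {"id": "ADV-PLACEHOLDER-3", "product": "apache", "introduced": "2.4.0", "fixed": "2.4.42", "severity": "critical"},
    {"id": "ADV-PLACEHOLDER-4", "product": "apache", "introduced": "2.4.43", "fixed": None, "severity": "low"},
]
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(text):
    """'2.4.41 (Ubuntu)' -> (2, 4, 41). Only the leading numeric dotted part is compared."""
    head = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not head:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in head.group(1).split("."))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (tuples compare element by element)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


def match_advisories(fingerprint, advisories=CONSTRUCTED_ADVISORIES):
    """fingerprint maps product name -> version string from the fingerprinting step.

    Returns the matching advisories, most severe first, so the test plan can
    start from the highest-impact candidates.
    """
    hits = []
    for adv in advisories:
        version = fingerprint.get(adv["product"])
        if version and is_affected(version, adv["introduced"], adv["fixed"]):
            hits.append(adv)
    return sorted(hits, key=lambda adv: SEVERITY_ORDER[adv["severity"]])


if __name__ == "__main__":
    # Versions as they would come out of the information-collection stage (constructed).
    seen = {"apache": "2.4.41 (Ubuntu)", "php": "7.4.3", "wordpress": "5.4.1"}
    for adv in match_advisories(seen):
        print(adv["severity"], adv["id"], adv["product"])
```

A match is a candidate to verify, not a confirmed finding: distribution packages often backport fixes while keeping the old version string in the Server header, so the version seen by fingerprinting can be older than the code actually running. The reverse also holds for the defender, which is why a patched-but-old-looking banner still invites testing and is worth suppressing.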

Self-developed applications

Manual testing: at this stage, manually test every function that interacts with the user, such as messaging, login, ordering, logout, returns, payment, etc.

Software scanning: scan using free software such as AppScan, WVS, Netsparker, Burp, etc.

Possible vulnerabilities

OWASP key points

Code security: file upload

Code security: file inclusion

Code security: SSRF

Logic vulnerabilities: password reset

Logic vulnerabilities: payment

Logic vulnerabilities: unauthorized (privilege-bypass) access

Platform security: middleware security
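SSRF from the list above is a good case to show as the weak pattern beside its hardened form: the application fetches a URL supplied by the user, so unless it checks where that URL really points, internal hosts become reachable through the application. The code below is an added example, not the article's code; the hostname-to-address map is constructed (the addresses are samples, not real hosts) and the resolver is injected so the check runs offline.

```python
"""Server-side request forgery: an unvalidated fetch beside a hardened one.

Added example, not code from the original article. The hostname resolver is
injected so the check runs offline; CONSTRUCTED_DNS below is an invented
hostname -> address map, and the addresses are samples, not real hosts.
"""
import ipaddress
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS answers standing in for a real resolver.
CONSTRUCTED_DNS = {
    "api.partner.test": ["93.184.216.34"],   # a routable address
    "intranet.test": ["10.0.0.5"],           # RFC 1918 internal host
    "metadata.test": ["169.254.169.254"],    # link-local range
}


def resolve_constructed(host):
    return CONSTRUCTED_DNS.get(host, [])


def fetch_unvalidated(url, fetch):
    """Vulnerable pattern: whatever the user supplied is fetched from the server side,
    so internal services and link-local endpoints become reachable through the app."""
    return fetch(url)


def is_public_address(ip_text):
    """Reject loopback, private, link-local, multicast, reserved and unspecified ranges."""
    addr = ipaddress.ip_address(ip_text)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_outbound_url(url, resolve=resolve_constructed):
    """Return (ok, reason). Every address the host resolves to must be public."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in url"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        addresses = [str(ipaddress.ip_address(host))]   # literal IP: no lookup needed
    except ValueError:
        addresses = resolve(host)
    if not addresses:
        return False, "unresolvable host"
    for ip_text in addresses:
        if not is_public_address(ip_text):
            return False, f"non-public address {ip_text}"
    return True, "ok"


def fetch_hardened(url, fetch, resolve=resolve_constructed):
    """Hardened pattern: validate the destination first, then fetch."""
    ok, reason = validate_outbound_url(url, resolve)
    if not ok:
        raise ValueError(f"refused outbound request: {reason}")
    return fetch(url)


if __name__ == "__main__":
    fake_fetch = lambda u: f"fetched {u}"
    for candidate in ("https://api.partner.test/report", "http://intranet.test/admin",
                      "http://metadata.test/", "file:///etc/passwd"):
        try:
            print(fetch_hardened(candidate, fake_fetch))
        except ValueError as err:
            print(err)
```

Resolving and then fetching leaves a gap: the HTTP client may resolve the name again and get a different answer (DNS rebinding), and a redirect can point anywhere. In production, connect to the validated address itself rather than re-resolving, disable automatic redirects or re-run the check on each hop, and prefer an allow-list of destinations where the business logic permits one.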

III. Vulnerability exploitation

Vulnerabilities are exploited in different ways depending on the weakness, and this requires more knowledge. Generally speaking, this stage involves two approaches: manual testing and tool testing.

Manual testing

Manual testing is a vulnerability detection technique in which the tester accesses the target service through a client or server, manually sends specially crafted data to the target program, including both valid and invalid inputs, observes the target's state and how it reacts to the various inputs, and identifies problems from the results. Manual testing needs no additional auxiliary tools and can be completed by the tester alone, so it is relatively simple to carry out. However, it depends heavily on the tester, who needs a good understanding of the target. Manual testing can be used on Web applications, browsers, and other programs that require user interaction.

This method is used when special handling such as filtering is in place, or when no ready-made tool exists online.

Tool testing

There are many useful free tools online, such as sqlmap for SQL injection and Metasploit for software vulnerabilities.

That covers the article "How to conduct Web Penetration Test". Thank you for reading!
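Seen from the defending side, both approaches in this stage leave a recognizable trace in web server logs: crafted inputs that trigger server errors and injection syntax, or a tool's own user agent. The following is an added example, not code from the original article or from any of the tools it names; the log records are constructed Apache combined-format lines using documentation-range addresses, and the signatures and the 5xx threshold are starting points to tune for a given application.

```python
"""Detection side of the exploitation stage: flag the request patterns that manual
probing with crafted inputs or tools such as sqlmap leave in web server logs.

Added example, not code from the original article. The log records are
constructed Apache combined-format lines with documentation-range addresses;
the patterns and the 5xx threshold are starting points to tune per application.
"""
import re
from collections import Counter
from urllib.parse import unquote

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
SQLI_PATTERNS = [re.compile(p, re.I) for p in (
    r"'\s*(or|and)\s+\d+\s*=\s*\d+",   # tautology after a closing quote
    r"union\s+(all\s+)?select",        # union-based extraction
    r"sleep\s*\(\s*\d+\s*\)",          # time-based blind probe
    r"information_schema",
)]
SCANNER_UA = re.compile(r"sqlmap|nikto|wpscan|nmap", re.I)

CONSTRUCTED_LOG = """\
198.51.100.7 - - [10/May/2024:10:00:01 +0000] "GET /product.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:10:00:02 +0000] "GET /product.php?id=1' HTTP/1.1" 500 128 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:10:00:03 +0000] "GET /product.php?id=1'%20or%201=1-- HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:10:00:04 +0000] "GET /product.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 128 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2024:10:01:00 +0000] "GET /product.php?id=2 HTTP/1.1" 200 600 "-" "sqlmap/1.7"
192.0.2.44 - - [10/May/2024:10:02:00 +0000] "GET /about.html HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """One combined-format record as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(record):
    """Tags for one request: sqli_pattern, scanner_ua, error_5xx (any subset)."""
    tags = set()
    decoded = unquote(record["path"])            # probes are usually URL-encoded
    if any(p.search(decoded) for p in SQLI_PATTERNS):
        tags.add("sqli_pattern")
    if SCANNER_UA.search(record["ua"]):
        tags.add("scanner_ua")
    if record["status"].startswith("5"):
        tags.add("error_5xx")
    return tags


def analyze(log_text, error_threshold=3):
    """Per-source summary: request count, tag counts, and a suspicious verdict.

    A source is suspicious on any injection pattern or scanner user agent, or when
    it triggers at least error_threshold server errors (malformed input hammering).
    """
    per_ip = {}
    for line in log_text.splitlines():
        record = parse_line(line)
        if not record:
            continue
        entry = per_ip.setdefault(record["ip"], {"requests": 0, "tags": Counter()})
        entry["requests"] += 1
        entry["tags"].update(classify(record))
    for entry in per_ip.values():
        t = entry["tags"]
        entry["suspicious"] = bool(t["sqli_pattern"] or t["scanner_ua"]
                                   or t["error_5xx"] >= error_threshold)
    return per_ip


if __name__ == "__main__":
    for ip, entry in analyze(CONSTRUCTED_LOG).items():
        print(ip, entry["requests"], dict(entry["tags"]),
              "SUSPICIOUS" if entry["suspicious"] else "ok")
```

The user-agent signature is the weakest of the three signals, since tools let the operator change it; the error spike and the decoded-path patterns survive that, which is why the verdict combines them rather than relying on any single one.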
