Shulou(Shulou.com)06/01 Report--

This article mainly introduces "what are the basic knowledge of WEB security penetration testing". In daily operation, I believe that many people have doubts about the basic knowledge of WEB security penetration testing. The editor consulted all kinds of materials and sorted out simple and easy-to-use operation methods. I hope it will be helpful for you to answer the doubts about "what are the basic knowledge of WEB security penetration testing?" Next, please follow the editor to study!

Evolution of Web technology

1.1.1. Static page

At the beginning of the Internet, the main content of the Web website was static, composed of text and pictures, and was mainly produced and expressed in the form of tables. At that time, the user behavior was also very simple, just browsing the web.

1.1.2. Multimedia stage

With the continuous development of technology, audio, video, Flash and other multimedia technologies were born. With the addition of multimedia, the web page becomes more vivid, and the interaction on the web page also brings a better experience to users.

1.1.3. CGI stage

Gradually, multimedia can no longer meet people's requirements, so CGI (Common Gateway Interface) arises at the historic moment. CGI defines the communication interface standard between the Web server and external applications, so the Web server can execute external programs through CGI, allowing external programs to generate dynamic content based on Web requests.

At this time, various programming languages such as PHP/ASP/JSP are also gradually entering the market, based on which more modular and powerful applications can be implemented.

1.1.4. Ajax

In the beginning, the user can not get the results until the entire form is submitted, and the user experience is very poor. So Ajax (Asynchronous Javascript And XML) technology is becoming more and more popular, which enables applications to obtain or update data without updating the entire page. This allows Web applications to respond more quickly to user actions and avoids sending messages that have not changed over the network.

1.1.5. MVC

With the development of Web applications becoming more and more standardized, ideas such as MVC have emerged. MVC is the abbreviation of Model/View/Control, Model is used to encapsulate data and data processing methods, view View is the HTML presentation of data, and controller Controller is responsible for responding to requests and coordinating Model and View.

The separation of Model,View and Controller is a typical idea of separation of concerns, which makes the code reusability and organization better, and the configuration and flexibility of Web applications getting better and better. Data access is gradually replacing direct SQL access by object-oriented approach, and the concept of ORM (Object Relation Mapping) has emerged.

In addition to MVC, similar design ideas include MVP,MVVM and so on.

1.1.6. RESTful

In the CGI era, there is usually no strict distinction between the front and back end, and as the demand for decoupling and increasing, the concept of the front and back end becomes clear. The front end mainly refers to the front-end part of the website, which runs on browsers such as PC, mobile and other browsers for users to browse, which is composed of HTML5, CSS3 and JavaScript. The back end mainly refers to the logical part of the website, involving the addition, deletion, modification and query of data, and so on.

At this time, REST (Representation State Transformation) has gradually become a popular Web architecture style.

REST encourages the organization of system functions based on URL, making full use of the semantics of HTTP itself, rather than just using HTTP as a remote data transfer protocol. General RESTful has the following characteristics:

The ● domain name is separated from the primary domain name

Api.example.com

Example.com/api/

● with version control

Api.example.com/v1

Api.example.com/v2

● uses URL to locate resources

GET / users get all users

GET / team/:team/users gets all the users of a team

POST / users create user

PATCH/PUT / users modifies some user data

DELETE / users deletes a user data

● uses the verb HTTP to describe the operation.

GET acquires resources, single or multiple

POST create Resources

PUT/PATCH updates resources, and the complete resource data provided by the client is DELETE deleted resources.

Correct use of status codes

Using status codes to improve the readability of returned data

● uses JSON as the data response format by default

● has clear documentation.

1.1.7. Cloud servic

With the development of time, the architecture of Web becomes more and more complex, and the technologies such as load balancing, database table, remote disaster recovery, cache, CDN and message queue are applied, which increases the complexity of Web development and operation and maintenance. At the same time, cloud services began to develop gradually, the deployment environment is containerized, and each function is split into micro-services or Serverless architecture.

1.2

Computer network

1.2.1. The composition of computer communication network

The computer network consists of communication subnets and resource subnets.

The communication subnet is responsible for error-free and orderly transmission of data, and its processing functions include error control, flow control, routing, network interconnection and so on.

Among them, resource subnet is the local system environment of computer communication, including hosts, terminals and applications, etc. The main functions of resource subnet are user resource configuration, data processing and management, software and hardware sharing and load balancing.

The computer communication network is a system carried by the communication subnet, which transmits and shares all kinds of information of the resource subnet.

1.2.2. Communication protocol

In order to complete the orderly information exchange between computers, the concept of communication protocol is proposed, which is defined as a set of rules that must be obeyed by both parties (or parties) who communicate with each other on how to exchange information.

The agreement involves three elements, namely:

Syntax: syntax is the structure and format of user data and control information, as well as the meaning of the order in which the data appears.

Semantics: used to explain the meaning of each part of a bitstream.

Timing: a detailed description of the order in which events are implemented.

1.2.3. OSI seven-layer model

1.2.3.1. Brief introduction

OSI (Open System Interconnection) is divided into seven layers: physical layer, data link layer, network layer, transport layer, session layer, presentation layer and application layer.

1.2.3.2. Physical layer

Provides the mechanical, electrical functions and procedures required to establish, maintain, and release physical links.

The physical transmission, fault monitoring and physical layer management of the data stream (bit stream) are carried out through the transmission medium.

The frame is received from the data link layer and the bit stream is converted into a signal on the underlying physical medium.

1.2.3.3. Data link layer

Data is transferred between the two ends of the physical link.

Provide data transmission function and control between network layer entities.

Provide flow control of data.

Detect and correct errors caused by physical links.

A formatted message is called a frame.

1.2.3.4. Network layer

Responsible for the routing or exchange of end-to-end data and establishing connections for transparent transmission of data.

Address and resolve all problems related to the transfer of data between heterogeneous networks.

Use the functions of the upper transport layer and the lower data link layer.

Formatted messages are called grouping.

1.2.3.5. Transport layer

Provide error-free data transmission.

Receive data from the session layer and, if necessary, divide the data into smaller packets, transmit the packets to the network layer and ensure that the packets arrive at their destination completely and correctly.

Provide reliable and transparent data transmission between systems, end-to-end error recovery and flow control.

1.2.3.6. Session layer

It provides the coordination of the communication process between nodes.

Responsible for enforcing session rules (such as whether connections allow half-duplex or full-duplex communication), synchronizing data flows, and re-establishing connections in the event of a failure.

Use the functions of the presentation layer above and the transport layer below.

1.2.3.7. Presentation layer

Provides data formats, transformations, and transcoding.

Involves the syntax and semantics of the data being transferred.

Encode the message in an appropriate format for electronic transmission.

Perform data compression and encryption at this layer.

Messages are received from the application layer, converted, and transmitted to the session layer, which is often merged in the application layer.

1.2.3.8. Application layer

It includes various protocols that define specific support-oriented applications, such as e-mail, file transfer, and so on.

1.2.3.9. Summary

The lower three-layer model belongs to the communication subnet, which involves providing transparent connections between users. The operation is mainly based on each link (hop-by-hop) and communicates on each data link between nodes. The communication on each link is controlled by the network layer, but it depends on the coordinated operation of other nodes.

The higher layer 3 belongs to the resource subnet, which mainly involves ensuring that the information is transmitted in a correct and understandable form.

The transport layer is the interface between the higher layer and the lower layer. It is the first end-to-end layer, which ensures a transparent end-to-end connection, meets the QoS requirements of users, and provides appropriate forms of information to the higher layer.

At this point, the study of "what are the basics of WEB security penetration testing" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.