2025-01-28 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/03 Report--
1. Without logging in to the system, enter the URL of the login page directly and check whether it can be accessed.
2. Without logging in to the system, enter the URL of a download file directly and check whether the file can be downloaded; for example, enter http://url/download?name=file and check whether the file "file" can be downloaded.
3. After logging out, can the back button access the previous page?
4. In ID/password authentication, can simple passwords be used? For example, the password standard is more than 6 digits, a combination of letters and numbers that does not include the ID, and consecutive letters or numbers cannot exceed n digits.
5. In ID/password authentication, the same account logs in at different times on different machines.
6. In ID/password authentication, whether the account is locked after the wrong password is entered several times in a row.
7. Whether important information (such as password, × ×, credit card number, etc.) is displayed in clear text when it is entered or queried; whether important information appears when the command `javascript:alert(document.cookie)` is entered in the browser address bar; whether important information can be seen in the HTML source code.
8. Whether pages that you do not have permission to access can be reached by manually changing the parameter values in the URL. For example, the parameter in the URL for an ordinary user is luploe, and the parameter in the URL for an advanced user is luplos. After logging in to the system as an ordinary user, change the parameter e in the URL to s and check whether the page you do not have permission to access can be reached.
9. Whether the unmodifiable parameters in the URL can be modified.
10. After uploading a file with the same extension as a server-side language (jsp, asp, PHP) or an executable file such as exe, confirm whether it can be run directly on the server side.
11. Can strings such as `'--` or `' or 1=1 --` be used as the user name when registering a user?
12. Whether the parameters passed to the server (such as query keywords, parameters in the URL, etc.) are handled normally when they contain special characters (`'`, `' and 1=1 --`, `' and 1=0 --`, `' or 1=0 --`).
13. When performing a new (add) operation, can the record be saved after a script tag (`<script>alert("")</script>`) is entered in all the input boxes?
14. Whether there is an autocomplete function when adding or modifying important information (password, × × number, credit card number, etc.) (use `autocomplete="off"` in the form tag to turn off the autocomplete function).
15. Whether files can be downloaded by entering the following addresses in the URL: `http://url/download.jsp?file=c:\windows\system32\drivers\etc\hosts`, `http://url/download.jsp?file=/etc/passwd`
16. Whether the validity period of the session is handled.
17. Whether the error message contains SQL statements, SQL error messages, or the absolute path of the web server.
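Item 15's two sample requests, run through one way of confining a download parameter to a fixed directory. This is an added example, not code from the original checklist; `resolve_download`, `DownloadRejected`, the `downloads` directory and the sample file names are assumptions made for illustration.

```python
import tempfile
from pathlib import Path, PureWindowsPath


class DownloadRejected(Exception):
    """Raised when the requested name must not be served."""


def resolve_download(base_dir, requested):
    """Map an untrusted `file`/`name` parameter to a path inside base_dir."""
    base = Path(base_dir).resolve()
    if not requested or "\x00" in requested:
        raise DownloadRejected("empty or malformed name")
    # Reject anything absolute under POSIX or Windows rules, so that
    # /etc/passwd and c:\windows\... fail regardless of the server's OS.
    win = PureWindowsPath(requested)
    if requested.startswith(("/", "\\")) or win.drive or win.is_absolute():
        raise DownloadRejected("absolute path")
    # Treat backslashes as separators so "..\" cannot slip through on POSIX.
    candidate = (base / requested.replace("\\", "/")).resolve()
    # After ".." and symlinks are resolved, the target must still be under base.
    if base != candidate and base not in candidate.parents:
        raise DownloadRejected("escapes download directory")
    if not candidate.is_file():
        raise DownloadRejected("no such file")
    return candidate


def check_samples():
    """Run constructed inputs, including the two from item 15, through the check."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "downloads"          # hypothetical download root
        base.mkdir()
        (base / "report.pdf").write_bytes(b"constructed sample file")
        (Path(tmp) / "secret.txt").write_text("outside the download root")
        samples = ["report.pdf", "/etc/passwd", "../secret.txt", "..\\secret.txt",
                   "c:\\windows\\system32\\drivers\\etc\\hosts"]
        for name in samples:
            try:
                resolve_download(base, name)
                results[name] = "served"
            except DownloadRejected as exc:
                results[name] = f"rejected: {exc}"
    return results
```

A download handler that passes this check still needs the login check from item 2 before it serves the resolved path.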