Five aspects that must be paid attention to in web security testing

2025-03-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

With the rapid development of the Internet, web applications play an increasingly important role in software development. At the same time, web applications suffer a great many attacks. The reason is that a website and the applications running on it are, in a sense, the virtual front door of every company or organization, so they are an easy target and carry security risks.

Today, I will mainly share with you some knowledge points and precautions about security testing.

I. Verification points of security testing

The security verification points of a system include the upload function, the registration / login function, the CAPTCHA function, password retrieval, disclosure of sensitive information, ultra vires (unauthorized access) testing, error messages, sessions and so on.

1. Upload function

Interrupted upload: does the program check whether the upload actually completed?

After uploading a file whose extension matches the server-side language (jsp/asp/php) or an executable such as .exe, confirm whether it can be run directly on the server.
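The two upload checks above, as an added example that is not code from the original article: the declared length catches an interrupted upload, every extension segment is compared against the server-side languages named above, and the file content is matched to its claimed type. The extension lists and magic bytes are this example's own assumptions.

```python
# Added example (not from the article): server-side checks for the upload
# function. Lists and names below are this example's own choices.
import os
from typing import Tuple

# Extensions that must never be stored where the web server could execute them
EXECUTABLE_EXTS = {"php", "php3", "phtml", "jsp", "jspx", "asp", "aspx", "exe", "sh"}
# Allow-list: what this hypothetical endpoint actually accepts
ALLOWED_EXTS = {"jpg", "jpeg", "png", "pdf"}
# Leading bytes used to confirm that the content matches the claimed type
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}


def validate_upload(filename: str, declared_length: int, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Rejects interrupted, executable and mislabelled files."""
    # 1. Interrupted upload: the body must be exactly as long as the client declared
    if len(data) != declared_length:
        return False, "incomplete upload"
    if declared_length == 0:
        return False, "empty file"
    # 2. Look at every extension segment, so "shell.php.jpg" is caught as well
    base = os.path.basename(filename).lower()
    parts = base.split(".")[1:]
    if not parts:
        return False, "no extension"
    if any(p in EXECUTABLE_EXTS for p in parts):
        return False, "executable extension"
    ext = parts[-1]
    if ext not in ALLOWED_EXTS:
        return False, "extension not allowed"
    # 3. Content must start with the leading bytes of the claimed type
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    return True, "ok"


def safe_storage_name(filename: str, upload_id: str) -> str:
    """Store under a server-chosen name; the original name is never used as a path."""
    ext = os.path.basename(filename).lower().rsplit(".", 1)[-1]
    return f"{upload_id}.{ext}"
```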

2. Registration function / login function

Whether the request is transmitted securely (over HTTPS)

Repeat registration / login

Whether the key cookie is httponly

Session fixation: exploiting a session ID that does not change across login to obtain another user's authentication and authorization, and then impersonating them

3. CAPTCHA function

SMS bombardment

One-time verification code

4. Forgot password

Retrieval through mobile phone number / mailbox

Unreasonable program design allows the SMS verification code to be bypassed or modified (for example, intercepting the request with Burp Suite and changing the response value to true)

5. Sensitive information leakage

Database / log / prompt

6. Ultra vires testing

Without logging in, enter the URL of a downloadable file directly and check whether it can be downloaded; enter the URL of a post-login page directly and check whether it can be accessed

Can parameter values in the URL be changed by hand to reach pages you have no permission to access?

Session sharing among different users, which lets them manipulate each other's data illegally

7. Error message

Whether the error message reveals the SQL statement, the detailed error, or the absolute path on the web server

8. Session

After logging out, click the back button to see if you can access the previous page.
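A minimal server-side session store covering the session checks under points 2 and 8 above (HttpOnly cookie, session fixation, logout and the back button), as an added example that is not code from the original article. The store, the timeout value and the cookie attributes are this example's own assumptions.

```python
# Added example (not from the article): session handling that rotates the id
# on login, invalidates on logout, and issues an HttpOnly cookie.
import secrets
import time

SESSION_TTL = 30 * 60  # seconds of inactivity before a session is dropped (assumed)


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> {"user": str or None, "last": float}

    def create(self) -> str:
        # 256 bits from the OS CSPRNG; the client never chooses the id
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last": time.time()}
        return sid

    def login(self, old_sid: str, user: str) -> str:
        """Authenticate and ROTATE the id, so a pre-set (fixated) id is worthless."""
        self._sessions.pop(old_sid, None)
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def logout(self, sid: str) -> None:
        # Invalidate server-side: a browser 'back' re-requests the page and is refused
        self._sessions.pop(sid, None)

    def user_for(self, sid: str):
        s = self._sessions.get(sid)
        if s is None:
            return None
        if time.time() - s["last"] > SESSION_TTL:
            self._sessions.pop(sid, None)
            return None
        s["last"] = time.time()
        return s["user"]


def session_cookie(sid: str) -> str:
    """Set-Cookie value: HttpOnly keeps script away from it, Secure keeps it off plain HTTP."""
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def no_store_headers() -> dict:
    """Headers for pages shown after login, so 'back' cannot replay them from the cache."""
    return {"Cache-Control": "no-store", "Pragma": "no-cache"}
```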

It mainly comes down to the following points (later these can be organized into a framework for security testing):

Deployment and infrastructure

Input verification

Authentication

Authorization

Configuration management

Sensitive data

Session management

Encryption

Parameter operation

Exception management

Audit and log security

II. Problems found in the actual situation (existing system)

1. Log / prompt

When the system was first tested, an easy-to-find problem was that when errors occurred or negative tests were run, table or field names that obviously came from the database were printed in the page prompts, or sensitive words appeared. Likewise, passwords, card numbers and ×× numbers appeared in plaintext in the logs with no masking applied. Together, these sensitive words and plaintext values let a person obtain what is needed to compromise the server or database with little effort, which endangers the entire system!
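The log / prompt problem above, handled on the server side as an added example that is not code from the original article: the user gets an opaque reference while the full error goes to the log, and sensitive fields are masked before logging. The field names, the digit pattern and the reference format are this example's own assumptions.

```python
# Added example (not from the article): generic error response plus log redaction.
import logging
import re
import uuid

log = logging.getLogger("app")

# Keys whose values are never logged (assumed field names)
SENSITIVE_KEYS = {"password", "passwd", "card_no", "id_no", "token"}
# Long digit runs (card numbers and similar) are masked down to the last four digits
DIGIT_RUN = re.compile(r"\b(\d{8,})(\d{4})\b")


def redact(fields: dict) -> dict:
    """Return a copy that is safe to write to a log: secrets removed, long numbers masked."""
    out = {}
    for k, v in fields.items():
        if k.lower() in SENSITIVE_KEYS:
            out[k] = "[REDACTED]"
        elif isinstance(v, str):
            out[k] = DIGIT_RUN.sub(lambda m: "*" * len(m.group(1)) + m.group(2), v)
        else:
            out[k] = v
    return out


def handle_failure(exc: Exception, request_fields: dict) -> dict:
    """User sees only an opaque reference; the exception and redacted fields stay in the log."""
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s fields=%s", ref, redact(request_fields), exc_info=exc)
    # No SQL text, table names, stack traces or file paths reach the page
    return {"error": "Request failed. Please contact support with reference " + ref}
```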

2. Repeatability

Most websites have a registration feature, and the payment side that we are responsible for also opens accounts. Registration and account opening generally come with a uniqueness requirement, and it is enforced at the front end; but if you use JMeter to add the parameters and parameter values yourself, the submission may succeed, leaving duplicate data in the system that can cause errors across the whole function.

3. Frequency limit

For billing, login or text messages, if there is no corresponding restriction (for example, no limit on the number of SMS sends), the system can be bombarded with text messages, leading to paralysis so that other customers cannot use it.
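Server-side handling of an SMS verification code, as an added example that is not code from the original article. It covers both the bypass under the CAPTCHA point in section I (the server, not a client response value, decides whether the code is correct) and the SMS bombardment point above (a sliding-window limit on sends per phone number). The limits, lifetimes and in-memory stores are this example's own assumptions.

```python
# Added example (not from the article): SMS code issue / verify with a send limit.
import hmac
import secrets
import time
from collections import deque

CODE_TTL = 300        # seconds a code stays valid (assumed)
MAX_ATTEMPTS = 5      # wrong guesses before the code is burned (assumed)
SEND_LIMIT = 3        # sends allowed per phone per window (assumed)
SEND_WINDOW = 600     # seconds (assumed)

_codes = {}           # phone -> {"code": str, "expires": float, "tries": int}
_sends = {}           # phone -> deque of send timestamps


def request_code(phone: str, now=None) -> bool:
    """Issue a code unless this phone has hit the send limit (the bombardment case)."""
    now = time.time() if now is None else now
    q = _sends.setdefault(phone, deque())
    while q and now - q[0] > SEND_WINDOW:   # drop sends that fell out of the window
        q.popleft()
    if len(q) >= SEND_LIMIT:
        return False
    q.append(now)
    # 6-digit code from the CSPRNG; it leaves the server only via the SMS channel
    _codes[phone] = {"code": f"{secrets.randbelow(10**6):06d}",
                     "expires": now + CODE_TTL, "tries": 0}
    return True


def verify_code(phone: str, submitted: str, now=None) -> bool:
    """The ONLY place a code is judged: a client-side 'true' carries no weight here."""
    now = time.time() if now is None else now
    entry = _codes.get(phone)
    if entry is None or now > entry["expires"]:
        _codes.pop(phone, None)
        return False
    entry["tries"] += 1
    if entry["tries"] > MAX_ATTEMPTS:
        _codes.pop(phone, None)          # too many guesses: burn the code
        return False
    if hmac.compare_digest(entry["code"], submitted):
        _codes.pop(phone, None)          # one-time use
        return True
    return False
```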

4. Ultra vires testing

(Basically, most systems do not explicitly write requirements for ultra vires checks.) A web system usually carries parameters in the address bar, such as a user number, an order number or others. A system will also have many users, often at different levels, for example A greater than B greater than C. If I log in as user C to view the orders belonging to C, the order number is carried in the address bar, and if the system does not restrict it, user C can modify the order number and see the data of B or even A, which leads to data leakage. Moreover, if the user number itself can be modified without any processing, all of the data can be operated on, and the whole system is thrown into disorder with great impact.
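The order-number case above, checked on the object rather than just on "is logged in", as an added example that is not code from the original article. The user levels A, B and C follow the article's example; the sample users, orders and the admin level are constructed for this example.

```python
# Added example (not from the article): object-level authorization for the
# order lookup, with identity taken from the session rather than the URL.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    level: int          # A=3, B=2, C=1, following the article's A > B > C example


@dataclass(frozen=True)
class Order:
    order_no: str
    owner_id: str


# Constructed sample data
USERS = {"A": User("A", 3), "B": User("B", 2), "C": User("C", 1)}
ORDERS = {"1001": Order("1001", "A"), "1002": Order("1002", "B"), "1003": Order("1003", "C")}
ADMIN_LEVEL = 3       # assumed: the only level allowed to see orders it does not own


class Forbidden(Exception):
    pass


def current_user(session_user_id: str) -> User:
    """Identity comes from the server-side session, never from a user-supplied parameter."""
    return USERS[session_user_id]


def get_order(session_user_id: str, order_no: str) -> Order:
    """Look the order up, then authorize on the OBJECT: ownership or admin level."""
    user = current_user(session_user_id)
    order = ORDERS.get(order_no)
    if order is None:
        raise Forbidden("not found")      # same answer as 'forbidden', so no existence oracle
    if order.owner_id != user.user_id and user.level < ADMIN_LEVEL:
        raise Forbidden("not your order")
    return order


def update_profile(session_user_id: str, requested_user_id: str, new_name: str) -> str:
    """A user number in the request that differs from the session's user is refused."""
    if requested_user_id != session_user_id:
        raise Forbidden("user mismatch")
    return f"{session_user_id}:{new_name}"
```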

5. SQL injection / XSS

This is mainly about validating / intercepting the contents of input boxes and whether they are escaped. If input is not processed by the system, an attacker can enter a SQL statement or a piece of code that reaches the corresponding back-end function, which can throw the whole function into confusion so that data submitted by other normal users cannot be viewed or operated on, or the submitted code is left unclosed (such as a stray ">) and behaves like an endless loop. So this is very important.

Basically, the above five points are real problems found in the system during testing; other problems are not listed one by one. Among them, ultra vires, SQL injection and XSS are the top priority!

III. Small difficulties to overcome

Everything mentioned above requires manual participation, and manual operation will never be completely thorough and comprehensive, so this is a small problem we ran into. There is now a vulnerability scanning tool for web systems, AWVS, which tests website security through a web crawler and detects popular security vulnerabilities, classified into four levels: high risk, medium risk, low risk and optimization. Given an input address and a user name and password, it checks the security of internal and external links, the existence of files and the security of transmission, including SQL injection and XSS. After the scan completes, it displays the corresponding data: the number of vulnerabilities, a description of each vulnerability and recommended fixes, as well as the scan time of the website, the amount of file data, environment information and so on. Quite comprehensive!

IV. The idea and framework of security testing

The following six points form the basis of a more complete approach to security testing; the framework is semi-manual and semi-automatic, and is used to verify the whole system.

Deployment and infrastructure

Input verification

Authentication / authorization (permission verification)

Sensitive data

Parameter operation

Audit and log security

V. Current problems / what needs to be optimized

At present, most security testing is semi-manual and semi-automatic and not professional, so it is still at an exploratory stage; we can only find as many loopholes in the system as possible, and testing theory is hard to apply to the security field.

The basic theory of security testing is weak, current testing methods lack theoretical guidance, and there is a lack of more technical product tools.

Security testing needs to analyze the technology and architecture of the system, which is also a relatively weak link!
