2025-01-25 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
Today I would like to share the relevant knowledge points of code audit in Web security penetration testing. The content is detailed and the logic is clear. I believe most people do not know much about this topic, so this article is shared for your reference. I hope you gain something from reading it.
Code audit
1.5.1. Brief introduction
Code audit is the process of finding defects in an application. It is usually divided into white box, black box and gray box. White box refers to finding application defects by analyzing the source code; black box usually does not involve the source code and relies on fuzz testing; gray box is a combination of the two.
1.5.2. Common concepts
1.5.2.1. Input
The input of the application can be the requested parameters (GET, POST, etc.), uploaded files, network, database and other user controllable or indirect controllable places.
1.5.2.2. Processing function
Functions that process the data, which may be filtering or encoding/decoding functions.
1.5.2.3. Hazard function
Also known as a sink call: a function that can trigger dangerous behavior such as file operations, command execution, database operations and so on.
1.5.3. Automatic audit
It is generally believed that a vulnerability is triggered along the path from an input, through the processing (filtering) functions, to a dangerous function, and auditing is the process of finding this chain.
1.5.3.1. Hazard function matching
The most common way of white-box auditing is to locate vulnerabilities by searching for dangerous functions and dangerous parameters. The representative tool is the audit tool developed by Seay. The false positive rate of this method is quite high because it does not analyze the program's flow in depth. It also usually analyzes each file in isolation, ignoring the complex call relationships between files.
Specifically, this approach can achieve almost no false negatives in some environments: as long as the auditor is patient, most vulnerabilities can be found. In heavily framework-based code, however, the number of vulnerabilities it can find is relatively limited.
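As an added illustration of the input, processing function and sink chain and of Seay-style dangerous-function matching (example code written for this page, not Seay's tool or the page's own code), the following Python scanner greps a constructed PHP snippet for sink calls and marks those whose arguments trace back to a superglobal. The sink list, the sample PHP and the one-file taint heuristic are assumptions of this example.

```python
import re

# Constructed PHP sample for this example (not from the page): three tainted
# sinks and one harmless call_user_func on a constant.
PHP_SAMPLE = r"""<?php
$id = $_GET['id'];
$r = mysql_query("SELECT * FROM u WHERE id=" . $id);
eval($_POST['code']);
include($_REQUEST['page'] . ".php");
$safe = 1;
call_user_func('strlen', $safe);
"""

# Assumed sink list, grouped the way the page groups manual audit targets.
SINKS = {
    "rce": ["eval", "assert", "call_user_func", "system", "exec", "passthru"],
    "file": ["include", "include_once", "require", "require_once", "fopen"],
    "sql": ["mysql_query", "mysqli_query"],
    "var_override": ["extract", "parse_str"],
}
SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b")
VARIABLE = re.compile(r"\$[A-Za-z_]\w*")
ASSIGN = re.compile(r"\s*(\$\w+)\s*=(?!=)(.*)")

def scan(php_src):
    """Return (line, class, sink, tainted) for every sink call in php_src.

    Taint is a crude one-file heuristic: a variable assigned from a
    superglobal (or from an already tainted variable) is user-controlled.
    """
    tainted, findings = set(), []
    for lineno, line in enumerate(php_src.splitlines(), 1):
        m = ASSIGN.match(line)
        if m and (SOURCES.search(m.group(2))
                  or any(v in tainted for v in VARIABLE.findall(m.group(2)))):
            tainted.add(m.group(1))
        for cls, names in SINKS.items():
            for name in names:
                call = re.search(r"\b" + re.escape(name) + r"\b\s*\(?([^;]*)", line)
                if call:
                    arg = call.group(1)
                    is_tainted = bool(SOURCES.search(arg)) or any(
                        v in tainted for v in VARIABLE.findall(arg))
                    findings.append((lineno, cls, name, is_tainted))
    return findings

if __name__ == "__main__":
    for lineno, cls, name, is_tainted in scan(PHP_SAMPLE):
        print(f"line {lineno}: [{cls}] {name}() {'TAINTED' if is_tainted else 'ok'}")
```

The false-positive problem the text describes shows up immediately: the scanner cannot see filtering or sanitizing calls, so anything reachable from a superglobal is flagged and must be confirmed by hand.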
1.5.3.2. Control flow analysis
Later systems introduced the AST as the basis of analysis, which reduced false positives to some extent, but many defects remained.
Dahse J. and others then designed RIPS, which analyzes data flow and control flow and combines intra-procedural and inter-procedural analysis to obtain audit results. Compared with dangerous function matching, the false positive rate is much lower, but the cost is also higher.
1.5.3.3. Gray box analysis
The security researcher fate0 proposed a runtime-based analysis method that avoids the implementation complexity and the high path-computation cost of control flow analysis.
1.5.4. Manual audit method
● Obtain the code, determine the version, and check that it runs properly
  - Look for historical vulnerabilities
  - Find a live example of the application
● Simple audit: run an audit tool to see whether any vulnerabilities surface
● Roughly understand how the whole program works
  - How files are loaded
  - Class library dependencies
  - Whether a WAF is loaded
● How the database is connected
  - mysql/mysqli/pdo
  - Whether prepared statements are used
● How views are formed
  - Is XSS possible
  - Is template injection possible
● How SESSION is handled
  - File
  - Database
  - Memory
● How Cache is handled
  - A file cache may allow writing a shell
  - A database cache may be injectable
  - Memcache
● Look at the account system
  - Administrator account password
    - Encryption mode
    - Can the password be brute-forced after a data leak
    - Reset vulnerability
  - Password modification vulnerability
    - Changing other people's passwords
  - Ordinary user account
    - Can ordinary user rights be obtained
    - Can an ordinary user's account be stolen
    - Focus on finding pages that can be accessed without an account
    - Is OAuth used
● Attacks
  - SQLi
    - Whether global filtering can be bypassed
    - Whether there is a place that executes SQL directly
    - Which driver is used: mysql/mysqli/pdo
    - If PDO is used, whether queries are executed directly
  - XSS
    - Global bypass
    - Direct echo
    - How the view is loaded
  - FILE
    - Upload / download / overwrite / delete
  - Include
    - LFI
    - RFI
    - Global search for include, require
  - Normal upload
    - How the upload code decides whether a file may be uploaded
  - RCE
    - call_user_func
    - eval
    - assert
    - preg_replace with /e
  - XXE
  - CSRF
  - SSRF
  - Deserialization
  - Variable override
    - extract
    - parse_str
    - array_map
  - LDAP
  - XPath
  - Cookie forgery
● Filtering
  - Look for a WAF
  - See how the WAF filters and how it can be bypassed accordingly
1.6. WAF
1.6.1. Brief introduction
1.6.1.1. Concept
A WAF (Web Application Firewall) is a product that hardens Web applications by enforcing a series of security policies on HTTP/HTTPS traffic. WAFs on the market vary widely in price, functionality and options. A WAF can provide a degree of security for Web applications, but it cannot guarantee complete security.
1.6.1.2. Common function
● Detects abnormal protocols and rejects requests that do not conform to the HTTP standard
● Provides session protection for state management
● Cookie protection
● Information leakage protection
● DDoS protection
● Blocks access from certain IPs
● Suspicious IP checks
● Security HTTP header management
  - X-XSS-Protection
  - X-Frame-Options
● Mechanism detection
  - CSRF token
  - HSTS
1.6.1.3. Layout position
By deployment location, WAFs can be divided into cloud WAFs, host-based protection software and hardware appliances. A cloud WAF is deployed in the cloud: requests pass through the cloud WAF first and then flow to the host. Host protection software such as mod_security or ngx-lua-waf must be installed on the host beforehand to protect it. Hardware protection means that traffic is cleaned and filtered by an appliance before it reaches the host.
1.6.2. Protective mode
The methods commonly used by WAFs include keyword detection, regular expression detection, syntax analysis, behavior analysis, reputation analysis, machine learning and so on.
Rule-based protection is the most common approach: developers write fixed regular-expression rules to detect whether a payload is malicious. Regex-based protection is relatively simple and therefore has shortcomings. For example, a rule can only be applied to a single request, and rules are hard to apply to some complex protocols.
Syntax-based analysis is faster and more accurate than regex matching. It parses the payload into a group of syntactic tokens and then looks for dangerous keywords among those tokens. This method works well against payload variants, but it places higher demands on the parser.
Behavior-based analysis looks at a wider scope, such as an attacker's port scanning, directory brute-forcing, parameter probing, or other automation and attack patterns.
Reputation-based analysis can filter out suspicious sources, such as commonly used VPN endpoints, anonymous proxies, Tor nodes, botnet node IPs and so on.
WAFs based on machine learning cover a very broad range, and their effectiveness varies with the specific implementation and scenario.
Besides classification by method, WAFs can also be classified by whether they use whitelists or blacklists. Whitelist-based WAFs suit stable Web applications, while blacklist-based WAFs suit dealing with known problems.
1.6.3. Scanner defense
● User-Agent based identification
● Attack payload based identification
● Verification code (CAPTCHA)
1.6.4. WAF fingerprint
● Additional cookies
● Additional headers
● Content returned when a request is rejected
● Response code when a request is rejected
● IP
1.6.5. Bypass mode
1.6.5.1. Architecture-based bypass
● The site is behind the WAF, but the origin server can be reached directly.
● The site is on a cloud host, and servers on the same network segment are not covered by the WAF.
1.6.5.2. Resource-based bypass
● Large payloads consume the WAF's computing resources.
1.6.5.3. Parsing-based bypass
● Different character set parsing
● Incomplete protocol coverage
● Incorrect protocol parsing
● Site and WAF handle HTTPS inconsistently
● WAF parsing is inconsistent with Web service parsing
● The same parameter appears multiple times and a different occurrence is taken
● HTTP Parameter Pollution (HPP)
● HTTP Parameter Fragmentation (HPF)
1.6.5.4. Rule-based bypass
● Equivalent substitution
  - Equivalent functions
  - Equivalent variables
  - Keyword splitting
  - String operations
● Case conversion
  - select => sEleCt
  - alert(1)
● Character encoding
  - URL encoding
  - Hexadecimal encoding
  - Unicode parsing
  - Base64, HTML entities
  - JSFuck
  - Other encoding formats
● Character interference
  - Comments
● Null and whitespace characters
  - NULL (\x00)
  - Space
  - Carriage return (\x0d)
  - Line feed (\x0a)
  - Vertical tab (\x0b)
  - Horizontal tab (\x09)
  - Form feed (\x0c)
● Special symbols
  - Comment characters
  - Quotation marks (backticks, single quotes, double quotes)
● Exploiting characteristics of the service itself
● Suspect keywords replaced with an empty string
  - selselectect => select
● Rare features not in the rule list
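Added example (not from the original page) showing the defensive counterpart of the rule-based bypasses listed above: a rule-based WAF should normalize a parameter (decode, strip comments and NULs, fold whitespace and case) before matching, and keyword stripping must run to a fixed point. The naive regex and the constructed payload variants are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Naive keyword rule as a rule-based WAF might ship it: case-sensitive,
# expects real whitespace, and matches the raw (still encoded) parameter.
RULE = re.compile(r"union\s+select")

def naive_match(param):
    return bool(RULE.search(param))

def normalize(param, decode_rounds=2):
    """Canonicalise a request parameter before rule matching."""
    s = param
    for _ in range(decode_rounds):                 # undo double URL encoding (%2520)
        s = unquote(s)
    s = s.replace("\x00", "")                      # drop NUL bytes
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)   # inline comment acts as a separator
    s = re.sub(r"[\t\r\n\x0b\x0c]+", " ", s)       # tab, CR, LF, VT, FF -> space
    s = re.sub(r" {2,}", " ", s)
    return s.lower()                               # case-insensitive matching

def hardened_match(param):
    return bool(RULE.search(normalize(param)))

def strip_keyword_once(s, kw="select"):
    """Sanitizer that removes the keyword a single time (selselectect survives)."""
    return s.replace(kw, "")

def strip_keyword_fixpoint(s, kw="select"):
    """Sanitizer that keeps removing until nothing is left to remove."""
    while kw in s:
        s = s.replace(kw, "")
    return s

# Constructed variants of one probe, used only to exercise the rule offline.
VARIANTS = [
    "1 union select 1,2",              # plain form
    "1 UnIoN SeLeCt 1,2",              # case conversion
    "1 union/**/select 1,2",           # comment interference
    "1%20union%0aselect%201,2",        # URL encoding plus line feed
    "1%2520union%2520select%25201,2",  # double URL encoding
]

def compare():
    """Per-variant (naive, hardened) verdicts: only the plain form trips the naive rule."""
    return [(naive_match(v), hardened_match(v)) for v in VARIANTS]
```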
2.1. Domain name information
2.1.1. Whois
Whois queries a database that records whether a domain name is registered and the details of its registration, which may contain useful information such as the domain owner, the registrant, the contact mailbox and so on.
2.1.2. Search engine search
Search engines usually record domain name information, which can be queried with search syntax such as site:agesec.com.
2.1.3. Third-party inquiry
Quite a number of third-party applications on the Internet provide subdomain query functions. Here are some examples; more sites can be found in the 8.1 tool list.
● DNSDumpster
● Virustotal
● CrtSearch
● threatminer
● Censys
2.1.4. ASN information association
An autonomous system (AS) in a network is a small unit that has the right to decide independently which routing protocol is used within the system. This network unit can be a simple network or a group of networks controlled by one or more ordinary network administrators; it is a single manageable network unit (such as a university, an enterprise or an individual company).
An autonomous system is sometimes called a routing domain. Each autonomous system is assigned a globally unique 16-bit number, called the autonomous system number (ASN). The ASN can therefore be used to find IP ranges that may be related, for example:
whois -h whois.radb.net -- '-i origin AS111111' | grep -Eo "([0-9.]+){4}/[0-9]+" | uniq
nmap --script targets-asn --script-args targets-asn.asn=15169
2.1.5. Domain name relevance
Multiple domain names registered by the same enterprise or individual usually have some relation, such as being registered with the same mailbox, sharing the same filing record, or being registered by the same responsible person. Associated domain names can be found this way. One procedure is as follows:
● Query the domain name's registration mailbox
● Query the filing record number through the domain name
● Query domain names through the record number
● Reverse-look up the registration mailbox
● Reverse-look up the registrant
● Use the domain names found via the registrant to query their mailboxes
● Query domain names through the mailboxes from the previous step
● Query the subdomains of the domain names obtained above
2.1.6. Website information utilization
A website contains a great deal of information; some of it may be exposed by the site itself, by its various security policies and settings, and so on.
The interaction of the website itself is usually not limited to a single domain name, but will interact with other subdomains. In this case, you can crawl the site to collect other subdomain information in the site. This information usually appears in JavaScript files, resource file links, and so on.
The security policies of websites, such as cross-domain policies and CSP rules, usually contain information about relevant domain names. Sometimes multiple domain names use the same SSL/TLS certificate for convenience, so sometimes the relevant domain name information can be obtained through the certificate.
2.1.7. Certificate transparency
Certificate Transparency records every certificate issued by a CA in a publicly verifiable, tamper-evident, append-only log, so that mis-issued or forged certificates can be detected and any interested party can see all the certificates an authority has issued. Related domain names can therefore be obtained by querying these certificate logs.
2.1.8. Zone transfer vulnerability
Zone transfer refers to a redundant backup (secondary) DNS server refreshing its own zone database with data from the authoritative (primary) server, so that resolution of the entire domain is not affected if the primary server unexpectedly becomes unavailable.
In general, zone transfers should only be allowed from trusted standby DNS servers, but if authorization is misconfigured, anyone can obtain the domain name records of the entire DNS server. This misconfiguration is known as a DNS zone transfer vulnerability.
2.1.9. Passive DNS
Passive DNS passively records the responses that recursive resolvers receive from various name servers and builds a database from them. Using a Passive DNS database you can learn which IPs a domain name has been bound to, which domain names an IP has been associated with, and when a domain name first and most recently appeared, which is a great help for testing. Virustotal, PassiveTotal, CIRCL and other sites provide Passive DNS queries.
2.1.10. SPF record
SPF (Sender Policy Framework) is a DNS record type proposed to prevent spam. It is a TXT record that lists all the IP addresses a domain uses for outgoing mail. Related IP information can therefore be obtained from SPF records.
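Added example (not part of the original page) that parses an SPF TXT record into its mechanisms and pulls out the literal IP networks, the include/redirect targets that still need their own lookups, and the policy on the final "all" term. The record itself is constructed from reserved documentation addresses and domains.

```python
import ipaddress

# Constructed SPF record for this example (documentation ranges, not a real domain).
SPF_RECORD = ("v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 ip6:2001:db8::/32 "
              "include:_spf.example.net a mx -all")

def parse_spf(txt):
    """Split an SPF record into (qualifier, mechanism/modifier, value) tuples."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for tok in parts[1:]:
        qual = "+"                               # implicit qualifier is pass
        if tok[0] in "+-~?":
            qual, tok = tok[0], tok[1:]
        name, _, value = tok.partition(":")      # mechanisms: ip4:..., include:...
        if not value and "=" in name:            # modifiers: redirect=..., exp=...
            name, _, value = name.partition("=")
        terms.append((qual, name.lower(), value))
    return terms

def spf_networks(txt):
    """Literal ip4/ip6 networks the record authorizes (fail-qualified ones skipped)."""
    nets = []
    for qual, name, value in parse_spf(txt):
        if name in ("ip4", "ip6") and qual != "-":
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets

def spf_includes(txt):
    """Domains whose own SPF records must be fetched to complete the picture."""
    return [v for q, n, v in parse_spf(txt) if n in ("include", "redirect")]

def spf_policy(txt):
    """Qualifier on the terminal 'all' term: '-' hard fail, '~' soft fail, '?' neutral."""
    for q, n, _ in parse_spf(txt):
        if n == "all":
            return q
    return None
```

The a and mx mechanisms resolve to whatever the domain's A/MX records point at, so a complete address list needs those lookups plus a recursive walk of every include target.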
2.1.11. CDN
2.1.11.1. CDN verification
Multi-location ping can be used to determine whether the target uses a CDN; commonly used sites include http://ping.chinaz.com/ and https://asm.ca.com/en/ping.php.
2.1.11.2. Domain name lookup
The parent domain or child domain of a domain name that uses CDN does not necessarily use CDN. You can find the corresponding IP in this way.
2.1.11.3. History lookup
CDN may be launched after the website is online for a period of time. You can find the real IP by looking up the domain name resolution record.
2.1.12. Subdomain brute-forcing
In intranets and other environments where the above techniques are hard to apply, or when you want to monitor the launch of new domain names, valid domain names can be found by trying candidate names in bulk.