Efficient vulnerability mining
Nowadays there are many attacks on the web front end, and most of these attack methods are based on the client. Few people have paid attention to this, which is why I wrote this article.
When looking for a new attack method, most people (myself included, at first) read the code and search it for vulnerabilities. This method is inefficient. So some people prefer fuzzing to test for vulnerabilities at large scale (this method really is good: wide coverage, comprehensive testing, and fast). Do not think that I have found some technique similar to fuzzing; what I describe here can only be said to make fuzzing faster and more efficient.
To discover a new vulnerability, you must first understand how the program works, and then express that as a diagram or in text. Because server-side vulnerabilities are comparatively rare, I will not emphasize them here. I will mainly talk about client-side vulnerabilities, because the client is where most of the problems are. As long as you find a point in the program's flow where it interacts with the client, you can basically conclude that if the client's input is not properly filtered there, there is a high probability of a vulnerability.
Explained in the abstract like this, most people may not follow it.
So here I take "URL redirection attacks" as the example to explain it.
What is redirection? Here is an illustration.
a.cn is short of money and asks b.cn to borrow some. b.cn has no money, but b.cn knows who does, so it tells a.cn that c.cn has money and to borrow from c.cn. a.cn then asks c.cn, and c.cn lends the money to a.cn. Written out in order, the principle is:
a.cn -- b.cn -- a.cn -- c.cn -- a.cn
Step 1 is b.cn's reply to a.cn ("go to c.cn"); the rest of the sequence depends entirely on that reply.
Here we can see that there is a client interaction in the working principle of this program. So we focus on the client, a.cn.
Suppose we change the reply that b.cn gives back to a.cn to something else.
The result is as follows.
a.cn is short of money and asks b.cn to borrow some. b.cn has no money, but knows that c.cn does, so it is about to tell a.cn that c.cn has money. At this point we intercept the packet and change the content to "d.cn has money", then let the packet go. a.cn receives the reply from b.cn saying it has no money but d.cn does, so a.cn asks d.cn to borrow. d.cn ignores a.cn, and a.cn starves to death. The sequence is now:
a.cn -- b.cn -- hacker -- a.cn -- d.cn -- a.cn starves to death; c.cn is never involved.
The consequence is that every redirection a.cn performs can be made to fail, because a.cn trusts whatever destination it is handed.
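To turn the a.cn / b.cn / d.cn story into something a defender can check, here is an added example (not code from the original article) in Python. It contrasts a redirect handler that trusts the client-supplied destination verbatim with one that resolves it against an allowlist of hosts, and adds a small audit routine that feeds constructed probe inputs through a resolver and reports which ones would send the user off-site. The host names `a.cn` and `d.cn` are taken from the story above; the parameter name `next`, the function names and the probe strings are assumptions made for this example.

```python
"""Open-redirect check: vulnerable resolver beside a hardened one.

Added example, not part of the original article. Hosts follow the
article's story: a.cn is our site, d.cn is the attacker's destination.
"""
from urllib.parse import urlparse

# Hosts that a.cn is willing to redirect to (assumed for the example).
ALLOWED_HOSTS = {"a.cn", "www.a.cn"}
DEFAULT_TARGET = "/"


def unsafe_redirect(next_param: str) -> str:
    """The 'b.cn says go there' pattern: whatever the client sent is used
    as the Location header with no filtering at all."""
    return next_param


def _normalize(value: str) -> str:
    # Browsers treat backslashes in the authority part like forward
    # slashes, so fold them before parsing to avoid a parser mismatch.
    return value.strip().replace("\\", "/")


def resolve_redirect(next_param: str, default: str = DEFAULT_TARGET) -> str:
    """Hardened resolver: only same-site absolute URLs or plain relative
    paths survive; everything else falls back to the default page."""
    if not next_param:
        return default
    candidate = _normalize(next_param)
    parsed = urlparse(candidate)

    if parsed.scheme:
        # Absolute URL: scheme must be web, host must be ours.
        if parsed.scheme.lower() not in ("http", "https"):
            return default  # javascript:, data:, file: and friends
        host = (parsed.hostname or "").lower()  # hostname strips user@ and :port
        if host not in ALLOWED_HOSTS:
            return default  # https://a.cn@d.cn/ resolves to d.cn, rejected here
        return candidate

    if parsed.netloc:
        # Scheme-relative form (//d.cn/...) inherits https: and leaves the site.
        return default

    if not candidate.startswith("/"):
        return default  # bare "d.cn/x" would be relative, but be strict anyway
    return candidate


# Constructed probe inputs a reviewer would try against a redirect parameter.
PROBES = [
    "https://d.cn/",            # plain off-site absolute URL
    "//d.cn/",                  # scheme-relative URL
    "/\\d.cn",                  # backslash trick, browsers read it as //d.cn
    "https://a.cn@d.cn/",       # userinfo confusion, real host is d.cn
    "javascript:alert(1)",      # non-web scheme
]


def audit_resolver(resolver) -> list:
    """Run every probe through `resolver` and return the inputs whose result
    would leave ALLOWED_HOSTS (or use a non-web scheme). Empty list == pass."""
    leaking = []
    for probe in PROBES:
        result = _normalize(resolver(probe))
        parsed = urlparse(result)
        if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
            leaking.append(probe)
        elif parsed.netloc and (parsed.hostname or "").lower() not in ALLOWED_HOSTS:
            leaking.append(probe)
    return leaking


if __name__ == "__main__":
    print("unsafe_redirect leaks on:", audit_resolver(unsafe_redirect))
    print("resolve_redirect leaks on:", audit_resolver(resolve_redirect))
```

The audit is the part worth keeping: run it against whatever function actually computes your Location header, and treat any non-empty result as the "a.cn trusts b.cn's reply" condition the article describes. Note that the hardened resolver still returns the normalized string rather than the original one, so a backslash form that survived validation is emitted as a forward-slash URL.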
Summary
To explore vulnerabilities efficiently, we had better put our effort into the client. The server is a black box to us, so it is hard to probe precisely, while the client is open to us, and that openness creates many opportunities.
Finally, let me end this article with Zjmainstay's metaphor.
It is like banks and customers: many people would rather rob the customer than rob the bank.
They do not go to the bank to get the money.