Business Security Vulnerability Mining Induction summary "reprint"

0x00 Index Description

6.30 share in owasp, a vulnerability detection model for business security. Further extension of the popular science.

0X01 Identity Authentication Security

1 Brute force hack

Where there is no verification code limit or where a verification code can be used multiple times, use a known user to brute force the password or use a generic password to brute force the user. Simple verification Code blasting. url:http://zone.wooyun.org/content/20839

Some tools and scripts

Burpsuite

The necessary Url:https://github.com/lijiejie/htpwdscan of Htpwdscan in the reservoir blasting

Hydra Source Installation Xhydra support more protocols to explode (broken web, other protocols are not part of the Business security category)

2 Session & Cookie Class

Session fixed attack: Use the server's session-invariant mechanism to obtain authentication and authorization from others by hand, impersonating others. Case: Wooyun: Sina Guangdong Food Background Verification Logic vulnerability, direct login backstage, 566,764 user data Exposure!

Cookie phishing: Modifying one of the parameters in a cookie allows you to log in to other users. Case: Yi Yun Advertising platform any account login Wooyun: Yi Yun Advertising platform any account login

3 Weak encryption

Not using HTTPS, is a functional test point, bad use.

Front-end encryption, with ciphertext to the background check, and the use of smart decode can be solved

0x02 Business Consistency Security

1 Mobile phone number tampering

A) grab the package to modify the mobile phone number parameters for other numbers to try, such as on the query page, enter their own number and then grab the package, modify the phone number parameters for the other person's number, to see if you can query other people's business.

2 Mailbox or user tampering

A) grab the package to modify the user or mailbox parameters for other users or mailboxes

b) Case: Wooyun: Green League RSAS security system full version kill Rights Manager bypass vulnerability, including latest RSAS V5.0.13.2

3 Order ID Tampering

A) View your order ID, and then modify the ID (plus minus one) to see if you can view additional order information.

b) Case: Wooyun: Travel agent to visit any user's order

4 Product number Tampering

A) For example, Points Redemption office, 100 points can only change the product number of 001,1000 points can only change the product number 005, in the 100 points for merchandise to grab the package change the number of items to 005, with low points for the area of high-score products.

b) Case: Lenovo a point mall to pay the loophole to bypass Wooyun: Lenovo a Point mall payment vulnerability and bypass

5 User ID Tampering

A) grab the package to see your user ID, then modify the ID (plus minus 1) to see if other user ID information can be viewed.

b) Case: Wooyun: Pull the net million resume leakage risk (including mobile phone, mail, job vacancies and other information, can also impersonate the identity of the enterprise to screen resumes, send interview notice, etc.)

0X03 Business Data Tampering

1 Amount Data tampering

A) Such fields as the amount of the modification of the package, such as the Amount field of the item in the payment page fetch request, are modified to any amount and submitted to see if the business process can be completed with the revised amount data. b) Case: wooyun:12308 Total Price on order Payment No validation Vulnerability (Payment logic Vulnerability)

2 Product Quantity Tampering

A) grab the package to modify the number of items and other fields, change the number of items in the request to any amount, such as negative and submit, to see whether the business process can be completed with the revised quantity. b) Case: Wooyun: Azure Group Payment Logic Vulnerability (can be negative payment)

3 Maximum number limit breakout

A) Many products limit the number of users to purchase, the server only in the page through the JS script limit, not on the server side to verify the number of user submissions, through the capture package to modify the maximum number of items limit, the number of items in the request to be greater than the maximum limit value, to see whether the revised number of business processes.

4 Local JS parameter modification

A) Some applications use JavaScript to process user-submitted requests by modifying JavaScript scripts to test whether the modified data affects the user.

0X04 User Input Compliance

1 Injection test please refer to Http://wiki.wooyun.org/web:sql

2 XSS Test please refer to HTTP://WIKI.WOOYUN.ORG/WEB:XSS

3 Fuzz

A) More functional testing, it is possible that a very long special string causes system denial of service or function is missing. (Of course fuzz not only for this purpose.) ）

b) Less in line with the case, but the idea can be used for reference: Wooyun: Building station star Fuzzy test of the actual combat arbitrary file Upload Vulnerability

c) tools that may be used--spike

4 Other application vulnerabilities that interact with user input

0x05 Password Retrieval Vulnerability

1 strongly recommend the BMA's "Password Retrieval Logic Vulnerability Summary"

http://drops.wooyun.org/web/5048

A) Password recovery logic test general process

I. First try the normal password recovery process, choose different ways to retrieve, record all the packets

II. Analyze the packet to find the sensitive part

Iii. verification methods used in the analysis of back-up mechanisms

Iv. Modifying packet validation assumptions

b) Brain map (for details, please refer to the BMA's "Password Retrieval Logic vulnerability Summary")

0X06 Verification Code Breakout

Verification code is not only in the login, find the password application, submit sensitive data where there are similar applications, so separate classification, and further detailed description.

1 verification Code brute Force hack test

A) use burp to brute force a specific verification code

b) Case: Wooyun: Ally 88 e-commerce platform any user registration and any user password Reset vulnerability package

2 Verification code time, number of times test

A) crawl the packet carrying the verification code repeatedly submitted, for example: in the complaint to enter the complaint to the content information, and verification code parameters, at this time the packet repeatedly submitted packets to see the history of complaints in the presence of duplicate submissions of parameter information.

b) Case:

3 Verification Code Client ECHO test

A when the client needs to interact with the server, send the verification code, you can use Firefox press F12 to call Firebug to see the client and the server to interact with the details

4 Verification Code Bypass test

A) When the first step jumps to the second step, grab the packet, tamper with the verification code to clear the test, verify that the step verification code can be bypassed.

b) Case: Wooyun: China Telecom IDC computer room Information Security management system design defects caused the system to fall

5 Verification Code JS Bypass

A) SMS Verification Code Verification Program Logic defects, the first step of the business process, the second, the third step is placed in the same page, verify that the first step verification code is through JS to judge, you can modify the verification code in the case of no verification code can fill in the real name information, and submitted successfully.

0X07 Business Authorization Security

1 Unauthorized access

A) unauthorized access refers to the ability of a user to directly access pages or text information that needs to be authenticated for access without a certification authority. You can try to log in to a website after the foreground or background, copy the relevant page links to other browsers or other computers to access to see if the access to success.

2 Unauthorized access

The cause of ultra vires vulnerability is mainly due to the fact that developers are too convinced of the data requested by the client when adding, deleting, changing and querying the data, and the decision of authority is omitted.

A) vertical ultra vires (vertical ultra vires refers to users with low access rights can access higher rights of users)

b) Level of authority (the level of ultra vires refers to the same permissions of different users can access each other) (wooyun-2010-0100991 Phpems Multiple levels of the existence of horizontal permissions issues)

c) "My way of exceeding the authority" url:http://drops.wooyun.org/tips/727

0X08 Business Process Chaos sequence

1 Sequential execution defects

A) Some site logic may be first a process after B process and then C process final D process

b) The user controls every request they send to the application and is therefore able to access it in any order. The user then enters the D process directly from B, bypassing C. If C is the payment process, then the user bypasses the payment process and buys a product. If C is the verification process, it bypasses the validation and goes directly to the website program.

c) Case:

Wooyun: Wanda A substation logic error can bypass payment directly get the ticket password

http://wooyun.org/bugs/wooyun-2010-0108184

0X09 Service Interface Call security

1 Replay attacks

In the SMS, mail call business or generate Business Data link (class: Text message Verification Code, message Verification code, order generation, comment submission, etc.), the operation of its business links (replay) test. If a business is called (replayed) and is generated more than once for valid business or data results

A) malicious registration

b) SMS Bomb

In the process of testing, we found that many financial trading platform only in the front-end through the JS check time to control the SMS Send button, but the background does not make any restrictions on the send, resulting in the way to replay the package to send a large number of malicious text messages

Case: Wooyun: one mu Tian Trading network logic loophole (cask principle)

2 content editing

Similar cases are as follows:

Click "Get SMS Verification Code" and crawl the contents of the packet, such as. By analyzing the packet, you can find that the contents of the parameter senddata/insrotxt are client-controlled and can be modified to what the attacker wants to send.

To modify the content "Congratulations on your access to the Iphone6 provided by XX Bank, please login to http://www.xxx.com collection, verification code is 236694" and send the packet, mobile phone can receive the modified text message content, such as:

0x10 Aging Bypass Test

Most of the cases used in the verification code and business data on the limitation of the scope, in the previous summary also some people will be 12306 as a typical, therefore, separate classification.

1 Time Refresh defect

12306 website Ticket business is every 5s, the ticket will be refreshed once. But this time does set the interval locally. As a result, the associated variables of this time can be reset to 1s or smaller at the console so that the refresh time is significantly shortened (mainly changing the autosearchtime local parameters). Case:

wooyun:12306 Automatic ticket time can change the vulnerability

2 Time range Test

For certain time-limited businesses, modify their time limits, such as the business that is queried within a certain time limit, modify the request that contains the time-limited text segment and submit it to see if the business process can be completed bypassing the time limit. For example, by changing the range of month on which the office is queried, you can break through the default records that can only be queried for six months.

0x11 Reference

@eversec

Application Logic Error Summary http://drops.wooyun.org/papers/1418

Possible problems with the password retrieval function http://drops.wooyun.org/papers/287

Possible problems with password retrieval (supplemental) http://drops.wooyun.org/web/3295

Password recovery Logic Vulnerability Summary http://drops.wooyun.org/web/5048

Three common types of payment vulnerabilities-reinforcement solutions http://zone.wooyun.org/content/878

Online Payment Logic Vulnerability Summary http://drops.wooyun.org/papers/345

Common security vulnerability and defense http://www.freebuf.com/news/special/61082.html in financial industry platform

My way of overstepping the http://drops.wooyun.org/tips/727

Security Science: See Video Understanding Web Application Security Vulnerability TOP10 (IBM internal video) http://www.freebuf.com/vuls/63426.html

Transferred from: HTTP://DROPS.WOOYUN.ORG/CATEGORY/WEB/PAGE/3

Business Security Vulnerability Mining Induction summary "reprint"