Basic knowledge outlines required for web security testing

Source: Internet
Author: User
Tags: SQL Server injection, knowledge base, nmap, port scan

Note: The following is a basic knowledge base for web security testing collected from other sources; it can be read together with the other web security testing posts on this page.

  Chapter One: Security penetration testing foundations for B/S architecture systems

1. Basic concepts of the HTTP protocol

(1) Introduction to HTTP and URLs

(2) HTTP response status codes

(3) Content transferred by the HTTP protocol

2. Basic concepts of web application authentication

(1) Common HTTP authentication mechanisms

(2) Introduction to Base64 encoding

3. Common security problems in B/S structures

(1) Denial of service attack basics

(2) Smurf attack model

(3) Fraggle attack model

(4) SYN flooding attack model

(5) Fragment attacks

4. Theoretical basis of sniffing

(1) Network sniffing principles

(2) Introduction to password sniffing

(3) Basic introduction to protocol analysis

  Chapter II: Attack foundations for security penetration testing of B/S architecture systems

1. Port scanning analysis of B/S architecture

(1) SuperScan tool

(2) Nmap port scanning tool

2. Basic knowledge of input validation attacks

(1) Basic concept of input validation attacks

(2) Introduction to Unicode vulnerabilities

(3) Introduction to double-decoding input validation vulnerabilities

Copyright notice: This article is an original work by 51Testing forum member Ruanyongjie. http://bbs.51testing.com

3. Basic knowledge of ASP script injection

(1) Basic concept of ASP script injection

(2) ASP script injection detection

(3) ASP script injection information gathering

(4) ASP script injection privilege escalation

4. Basic knowledge of PHP script injection

(1) Basic concept of PHP script injection

(2) PHP script injection detection

(3) PHP script injection information gathering

(4) PHP script injection privilege escalation

5. Cross-site scripting principles and defenses

(1) Basic concept of cross-site scripting

(2) Cross-site scripting examples

(3) Cross-site scripting remedies

6. Web privilege escalation analysis

(1) Basic concept of web privilege escalation

(2) Webshell upload methods

(3) Seven major web privilege escalation methods: password cracking, local privilege escalation, GINA trojan ...

7. ARP sniffing basics

(1) ARP protocol concept

(2) ARP spoofing attacks

(3) Sniffing on switched networks

  Chapter III: Attack and testing tools for security penetration testing of B/S architecture systems

1. Introduction to attack tools

(1) Principles of injection attack tools

(2) Analysis of injection attack tools

(3) Building an attack test platform

2. Injection attack tool exercises (ASP + SQL Server injection attack practice)

(1) Using injection attack tools

(2) Using domain name checking tools and querying domain name information

3. Denial of service attack tool exercises

(1) SYN flooding attack tool test

(2) UDP flood attack tool test

(3) Malformed DDoS attack tools

4. Sniffer attack tool exercises

(1) ARP spoofing attack tool password sniffing exercise

(2) Sniffer protocol analysis exercise

5. B/S security assessment tool exercises

(1) Web script assessment tool installation

(2) B/S architecture scanning

(3) Assessment report analysis and writing template

1. Data validation process: A good web system should validate on the browser (IE) side, the server side, and the database end. But many programs cut corners: once the script validation passes, nothing else is checked; and the application server's validation of data length and type is not the same as the database server's, which can cause problems. It is interesting to look at the script code and design some cases from it, which is a good place for you to shine as a senior tester. I have modified the script code on the page side and then submitted the form, triggering a major loophole in the system back end.

2. Data validation type: If the web server passes the submitted data into an SQL statement without validating it, a hacker can do as he pleases. He can terminate the submitted SQL statement and follow it with a delete-all or drop database statement, and the contents of your database can be deleted! I haven't experimented with this yet. I do not know whether, or how many, such sites exist on the Internet. In any case, the web system I was in charge of was found to have such a problem.

3. Network encryption and database encryption go without saying.

  The most common vulnerabilities encountered in web software are:

1. SQL injection

2. Vulnerabilities in file-operation modules

3. Cookie spoofing

4. Local form submission vulnerabilities

  Test methods for SQL injection

  Principle:

Suppose there is a news management system whose news.asp file uses a parameter to read news from the database, for example a URL like

http://www.xxx.com/news.asp?id=1

If the program opens the recordset directly with

Rs.Open "SELECT * FROM news WHERE id=" & CStr(Request("id")), conn, 1, 1

to query the database, then the URL above makes it run

SELECT * FROM news WHERE id=1

Anyone who knows SQL can see that this statement reads the content of the article with ID 1 from the news table.

However, SQL Server supports subqueries and multi-statement execution in SELECT. If a URL like this is submitted,

http://www.xxx.com/news.asp?id=1 and 1=(SELECT COUNT(*) FROM admin WHERE LEFT(name,1)='a')

the SQL statement becomes

SELECT * FROM news WHERE id=1 AND 1=(SELECT COUNT(*) FROM admin WHERE LEFT(name,1)='a')

If the admin table has a row whose name field begins with the letter a (so the count is 1), the query returns the content of the news article with ID 1. Logically the condition is 1 AND p: as long as p is true, the whole expression is true and the page returns normally; if p is false, the page either errors out or reports that the article ID does not exist. A hacker can exploit this to slowly try out the back-end administrator's username and password.

Test:

It is simple to test whether SQL injection exists. If the parameter is an integer, submit http://www.xxx.com/news.asp?id=1 and 1=1 and http://www.xxx.com/news.asp?id=1 and 1=2 separately in the URL.

If the first request returns the correct content and the second returns a different page or different content, the news.asp file has an SQL injection vulnerability. How to exploit it is not something to say much about; after all, we are not here to break in.
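As an added example (not code from the original post), here is the news.asp lookup rebuilt in Python over an in-memory SQLite table: the concatenated query from the text beside a parameterized, integer-checked version, and the 1=1 / 1=2 comparison packaged as a check a tester can keep in a regression suite. The table contents, the function names and the use of SQLite in place of SQL Server are assumptions for this illustration.

```python
# Added example, not from the original post. Sample rows are constructed.
import sqlite3


def make_db():
    """Constructed stand-in for the news site's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE admin (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO news VALUES (1, 'First article');
        INSERT INTO admin VALUES (1, 'admin', 'constructed-secret');
    """)
    return conn


def vulnerable_lookup(conn, raw_id):
    # Mirrors Rs.Open "SELECT * FROM news WHERE id=" & Request("id"):
    # the request value is pasted straight into the statement text.
    sql = "SELECT title FROM news WHERE id=" + str(raw_id)
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None  # equivalent of the error page
    return row[0] if row else None  # None = "article does not exist" page


def safe_lookup(conn, raw_id):
    # Hardened form: the parameter must parse as an integer, and it is
    # bound as a value rather than concatenated, so it cannot change the
    # statement no matter what the client sends.
    try:
        news_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    row = conn.execute("SELECT title FROM news WHERE id=?", (news_id,)).fetchone()
    return row[0] if row else None


def boolean_probe(lookup, conn):
    """The 'and 1=1' versus 'and 1=2' check from the text, written as a
    test-suite assertion: returns True when the two requests produce
    different results, i.e. the parameter reaches SQL unparsed."""
    page_true = lookup(conn, "1 and 1=1")
    page_false = lookup(conn, "1 and 1=2")
    return page_true != page_false


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler differs on 1=1/1=2:", boolean_probe(vulnerable_lookup, db))
    print("parameterized handler differs on 1=1/1=2:", boolean_probe(safe_lookup, db))
```

The parameterized handler returns the "does not exist" result for both probe URLs because neither parses as an integer, so the probe cannot distinguish them; that is the behaviour the test above looks for.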

  Testing vulnerabilities in file-operation modules

  Principle:

Take a file upload program, upload.asp. If the programmer focuses only on its functional requirements without considering that a user may not follow normal operations, a web trojan can be uploaded, and the entire site and even the entire server's structure and source code are exposed to an attacker who then holds certain permissions.

  Test:

Try uploading .asp, .php, .jsp, .cgi and other web script files to see whether the upload succeeds.

  Addendum:

Similarly, for a software download function such as

http://www.xxx.com/download/filespath.asp?path=../abc.zip

if the request is changed to

http://www.xxx.com/download/filespath.asp?path=../conn.asp

the source of that ASP file is likely downloaded, and the database location and user password it contains may be exposed.

There are many other cases; these are only examples.
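As an added example (not code from the original post), the two server-side checks that close the file-operation holes described above: an upload filter that only accepts a fixed set of data-file extensions and refuses script extensions anywhere in the name, and a download resolver that normalizes the requested path and refuses anything that leaves the download folder or names a server-side script such as conn.asp. The folder name, the allowlist and the function names are assumptions for this illustration.

```python
# Added example, not from the original post. Paths and lists are constructed.
import posixpath

# Data types the upload form is meant to accept (assumed allowlist).
ALLOWED_UPLOAD_EXT = {".jpg", ".jpeg", ".png", ".gif", ".zip"}
# Extensions the web server would execute rather than serve as data.
SCRIPT_EXT = {".asp", ".aspx", ".php", ".jsp", ".cgi"}


def is_allowed_upload(filename):
    """True only for names with a single allowlisted extension and no
    script extension hidden earlier in the name (e.g. shell.asp.jpg)."""
    name = posixpath.basename(filename.replace("\\", "/"))  # drop any path
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:
        return False
    if "." + ext.lower() not in ALLOWED_UPLOAD_EXT:
        return False
    for inner in stem.split(".")[1:]:
        if "." + inner.lower() in SCRIPT_EXT:
            return False
    return True


def resolve_download(base_dir, requested):
    """Return the file path to serve, or None if 'requested' escapes
    base_dir (../ traversal, absolute path) or names a script file."""
    base = posixpath.normpath(base_dir)
    joined = posixpath.join(base, requested.replace("\\", "/"))
    candidate = posixpath.normpath(joined)
    # After normalization the result must still sit strictly inside base.
    if candidate == base or not candidate.startswith(base + "/"):
        return None
    # Never hand out server-side source even from inside the folder.
    if posixpath.splitext(candidate)[1].lower() in SCRIPT_EXT:
        return None
    return candidate


if __name__ == "__main__":
    for name in ["photo.jpg", "shell.asp", "shell.asp.jpg"]:
        print(name, "->", is_allowed_upload(name))
    for req in ["abc.zip", "../conn.asp", "/etc/passwd"]:
        print(req, "->", resolve_download("/site/download", req))
```

The checks are deliberately string-based so they can run in a unit test without touching the filesystem; in a real handler the resolved path should additionally be opened only after the same check, never before.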

  Cookie spoofing

  Principle:

Cookies are an important part of web programs, and they have advantages and disadvantages. The advantage is that they take up no server resources; the disadvantage is that they are very easy to modify and abuse on the client side. So forum programs generally use cookies for front-end login and sessions for the back end, because front-end logins are far more frequent and sessions would be very inefficient there. However, in a forum program administrator users also have certain permissions in the front end, and if the cookie check is not strict this seriously affects the normal operation of the web program. For example, early versions of LeadBBS only verified cookies strictly in the back end; the front end merely read the user ID from the cookie and never verified whether that user was legitimate.

  Test:

It is recommended to use the MyBrowser browser, which can display and modify cookies instantly. Try modifying the corresponding fields inside.
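As an added example (not code from the original post), the LeadBBS-style weakness described above in code form: a front end that only reads a user ID from the cookie accepts any ID the client writes, whereas a cookie carrying an HMAC over its value lets the server detect any client-side modification and treat it as "not logged in". The key, the user IDs and the cookie layout are constructed for the example.

```python
# Added example, not from the original post. Key and IDs are constructed.
import hmac
import hashlib

SERVER_KEY = b"constructed-example-key-never-ship-this"


def unsigned_cookie(user_id):
    return "uid=%d" % user_id


def user_from_unsigned(cookie):
    # The weakness from the text: trust whatever uid the cookie carries.
    if cookie.startswith("uid=") and cookie[4:].isdigit():
        return int(cookie[4:])
    return None


def signed_cookie(user_id, key=SERVER_KEY):
    # Append an HMAC-SHA256 tag computed with a key only the server knows.
    payload = "uid=%d" % user_id
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "|" + tag


def user_from_signed(cookie, key=SERVER_KEY):
    # Recompute the tag and compare in constant time; any edit to the
    # payload or tag makes the cookie invalid rather than "a different user".
    payload, sep, tag = cookie.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return user_from_unsigned(payload)


if __name__ == "__main__":
    forged = unsigned_cookie(42).replace("uid=42", "uid=1")
    print("unsigned, edited to uid=1 ->", user_from_unsigned(forged))
    tampered = signed_cookie(42).replace("uid=42", "uid=1")
    print("signed, edited to uid=1  ->", user_from_signed(tampered))
```

Signing only proves the server issued the value; it does not stop a copied cookie from being replayed, so the front end should still pair it with an expiry or a server-side session check for administrator-level actions.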

  Local form submission vulnerabilities

  Principle:

The action only receives whatever the form submits, so the form is the customer-facing interface of the web program. For example, in a voting system the values of items A, B, C and D are 100, 80, 60 and 40.

But if you first save the page to the local hard disk in HTML format, then modify its values and submit it to the action, will the action accept it?

  Test:

For a voting system, save the voting page to your local hard drive, open it with Notepad, find the value of the corresponding item, modify it, and then submit.
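As an added example (not code from the original post), the voting system described above, serving also as the server-side validation the "data validation process" item earlier calls for: the vulnerable handler adds whatever score the submitted form carries, while the hardened handler looks the score up in a server-side table and rejects unknown items, so a saved and edited copy of the page cannot change the outcome. The scores match the text (A to D = 100, 80, 60, 40); the submissions, tally and handler names are constructed.

```python
# Added example, not from the original post. Submissions are constructed.

# The only place scores should live: on the server, keyed by item.
SCORES = {"A": 100, "B": 80, "C": 60, "D": 40}


def vulnerable_vote(tally, form):
    # Trusts the hidden 'score' field exactly as the browser sent it.
    item = form.get("item")
    tally[item] = tally.get(item, 0) + int(form.get("score", 0))
    return tally


def hardened_vote(tally, form):
    item = form.get("item")
    if item not in SCORES:
        raise ValueError("unknown item: %r" % (item,))
    # Any client-supplied score is ignored; the server owns the value.
    tally[item] = tally.get(item, 0) + SCORES[item]
    return tally


def apply_submissions(handler, submissions):
    """Run every submission through a handler; return (tally, rejected)."""
    tally = {}
    rejected = 0
    for form in submissions:
        try:
            handler(tally, form)
        except ValueError:
            rejected += 1
    return tally, rejected


# Constructed submissions: one honest vote for A, then two from a locally
# edited copy of the page that raised the hidden score and invented item Z.
SUBMISSIONS = [
    {"item": "A", "score": "100"},
    {"item": "A", "score": "9999"},
    {"item": "Z", "score": "5"},
]


if __name__ == "__main__":
    print("vulnerable:", apply_submissions(vulnerable_vote, SUBMISSIONS))
    print("hardened:  ", apply_submissions(hardened_vote, SUBMISSIONS))
```

The same pattern applies to any value the page only displays (prices, quantities, user roles): the form field is a hint for the UI, and the server must recompute it from its own data before storing anything.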

Forced browsing: Bypass the login page and request a system folder or file page directly. Imperfect systems may allow the login verification page to be bypassed if index.html is missing. Keeping some of your company's confidential content in a system folder can also cause unpredictable losses.

Cross-site scripting attacks: I have basically only seen this in forums, in forums of various kinds. A specific example: code like <script>alert("attacking!");</script> can be entered in any input box, and the script will execute automatically if characters such as "<" and ">" are not converted. Web pages served through Baidu's cached snapshots automatically execute such code. If you don't believe it, search for a bit of JS code and see whether it shows up.
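As an added example (not code from the original post), the conversion the text refers to: a comment rendered into HTML once without escaping, so the alert script from the example survives into the page, and once with the "<", ">", "&" and quote characters converted to entities, plus a small check a test suite can use to confirm no script tag survives rendering. The template and helper names are assumptions for this illustration.

```python
# Added example, not from the original post. Sample input is constructed.
import html

# The example input from the text, as a constructed test string.
SAMPLE_INPUT = '<script>alert("attacking!");</script>'


def render_comment_raw(text):
    # The weakness from the text: user input pasted straight into HTML.
    return '<div class="comment">' + text + '</div>'


def render_comment_safe(text):
    # Convert <, >, &, " and ' to entities so the browser shows the text
    # instead of parsing it as markup; quote=True also covers attribute values.
    return '<div class="comment">' + html.escape(text, quote=True) + '</div>'


def render_title_attr_safe(text):
    # Same escaping is required inside an attribute, where a stray quote
    # would otherwise end the attribute early.
    return '<a href="/post/1" title="' + html.escape(text, quote=True) + '">post</a>'


def contains_script_tag(rendered_html):
    """Crude regression check: did a literal <script tag reach the output?"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    print(render_comment_raw(SAMPLE_INPUT))
    print(render_comment_safe(SAMPLE_INPUT))
    print("raw leaks script:", contains_script_tag(render_comment_raw(SAMPLE_INPUT)))
    print("escaped leaks script:", contains_script_tag(render_comment_safe(SAMPLE_INPUT)))
```

Escaping at output time, in the context where the value is inserted, is what stops the script from running; rejecting "<" on input alone is not enough, because the same value may later be placed in an attribute or a script block where different characters matter.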

Stack overflow attacks: I completely do not understand these; I just saw on a website that 2000, XP and 2003 can all be attacked now, which is very scary. MS should have patched it by now?

