Brief introduction to some web vulnerability principles

Author: LceL1sh @ www.anying.org

In fact, I always wanted to write such an article, but I always thought it was very low-end. I may not be able to write my own experiences, but I decided to write my own experiences. In fact, the reason why many websites have vulnerabilities there are various, I can only give you a rough description through my experience in searching for vulnerabilities. In my understanding, all the websites have such a layer-4 Structure: layer-4 structure, the layer-4 structure is actually very rough. When we submit a parameter from the page presentation layer, we then use the processing of the business logic layer to form a corresponding method to transfer the interface to the data operation layer, then, the database is operated through the data operation layer. The production principles of many vulnerabilities are at this level. For example, the login function commonly used on the web allows users to enter accounts and passwords in the account and password boxes, click Submit to generate a form,

This form will be submitted to the processing code at the business logic layer in the form of post or get, the methods in the business logic layer will verify the form and make a series of judgments (generally, anti-injection code will be written in this place to determine whether the parameters you pass are in violation of regulations ), after judgment, the parameters involved in the form are submitted to the data operation layer in some ways, and the results are returned.

Therefore, the cause of most website vulnerabilities lies in the business logic layer code, therefore, many script boys will download the template source code for some cms for a series of white box detection to get the so-called 0 day. In fact, these things are simple principles, so there is nothing to pay attention to. I just want to give you some personal understanding !!