Common techniques for attacking Web Applications

Source: Internet
Author: User

Target: servers and clients that speak HTTP, and the Web applications running on those servers.

Basis of the attacks: HTTP is an open, text-based protocol, and every part of a request is produced by the client. The browser (or any other client) can freely alter or tamper with any content of the HTTP request, so a Web application may receive something completely different from what its own pages sent out. The attack code travels inside the HTTP request: in URL query strings, form fields, HTTP headers, Cookies, and similar places. If the application code that consumes those values has a security vulnerability, the attacker can obtain administrative permissions, alter data, or read content that was never meant to be exposed.

Attack methods are divided into active attacks and passive attacks.

Active attacks (against the server): the attacker accesses the Web application directly and passes attack code into it. Because this mode attacks resources on the server directly, the attacker must be able to reach those resources. Representative active attacks are SQL injection and OS command injection.

SQL injection: an attack against the database used by the Web application, carried out by making the application run SQL statements its developer never intended.
Attack mode: when a Web application searches, adds, or deletes rows in a database table, it builds SQL statements and sends them to the database. If user-supplied values are spliced into the statement as text, the attacker can change the statement itself rather than just its data, and the attack can often be carried out straight from the browser's address bar. For example, appending -- to the injected value turns the rest of the statement into an SQL comment, so a trailing condition such as a password check is simply cut off.
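The -- case above, as an added example that is not part of the original article: a login check that splices request parameters into the SQL text, beside the parameterized form. The in-memory SQLite table and its single account are constructed sample data.

```python
# Added example (not from the original article): a login check that splices
# request parameters into SQL text, beside the parameterized form. The table
# and the single account in it are constructed sample data.
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret', 'admin')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """The bug: the values become part of the statement text, so the
    attacker controls the statement's structure, not just its data."""
    sql = ("SELECT name, role FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_safe(conn, name, password):
    """Same query with placeholders: the driver sends the values separately
    and they can never be parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()


def demo():
    """Runs both versions against a normal login and an injected user name.
    In the injected case the quote closes the literal and "--" comments out
    the rest of the WHERE clause, so the password is never checked."""
    conn = make_db()
    injected_name = "alice' --"
    return {
        "vulnerable_normal": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_injected": login_vulnerable(conn, injected_name, "wrong"),
        "safe_normal": login_safe(conn, "alice", "s3cret"),
        "safe_injected": login_safe(conn, injected_name, "wrong"),
    }


if __name__ == "__main__":
    for case, row in demo().items():
        print(case, "->", row)
```

The vulnerable statement that actually reaches the database in the injected case is `SELECT name, role FROM users WHERE name = 'alice' --' AND password = 'wrong'`; everything after -- is a comment, so the admin row comes back with a wrong password. The parameterized form returns nothing for the same input.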
Attack impact: illegal viewing or tampering of data in the database, bypass of authentication, and execution of programs or OS commands available to the database server.

OS command injection: through the Web application, the attacker gets the server to run operating system commands of the attacker's choosing. As long as the application calls a shell, there is a risk.
Attack mode: a Web application invokes an OS command through a shell, for example to send mail or convert a file. If the value handed to the shell is not validated, the attacker can append shell metacharacters and execute arbitrary OS commands; in other words, any program installed on the OS can be run. A classic case is a contact form whose e-mail address field is passed straight to a sendmail command line: an address followed by a shell separator and another command gets that command executed.

Passive attacks (against the server, through the user): attacks that use a trap to make the attack code execute. The attacker does not send the attack to the target Web application directly; instead, the attacker sets a trap (a link, a form, an image) that the user triggers. The user's browser then sends an HTTP request containing the attack code to the target Web application, which runs it. Through that code the attacker can steal the user's personal information or tamper with and abuse it. Because the request originates from the victim's browser, this mode can also reach applications on an enterprise intranet that the attacker cannot access directly. Typical passive attacks are cross-site scripting, cross-site request forgery, and HTTP header injection.

Cross-site scripting (XSS): an attack in which illegal HTML or JavaScript is made to run in the user's browser in the context of a Web site that has a security vulnerability, typically one that copies user input into a page without escaping it.
Attack mode: the attacker writes a script and sets a trap, such as a link carrying the script. When the user opens it, the script runs in the user's browser and the user is attacked without noticing.
Attack impact: a fake input form can defraud the user of personal information; the script can read the user's Cookie values and hand them to the attacker; the script can send malicious requests on the user's behalf or display forged articles or images.
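The OS command injection case described earlier in this section (the mail address handed to a shell), as an added example that is not part of the original article: a notify function that builds a command line from a request value, beside the form that passes the value as a single argument. `echo` stands in for the real sendmail command so the example runs offline, and the address values are constructed.

```python
# Added example (not from the original article): a "notify" function that
# hands a request value to the shell, beside the form that passes it as a
# single argument. "echo" stands in for the real sendmail command so the
# example runs offline; the address values are constructed.
import re
import subprocess

# Narrow allowlist for what a mail address may look like (assumption).
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def notify_vulnerable(address: str) -> str:
    """The bug: the address is pasted into a command line that /bin/sh parses,
    so ';', '|', '$(...)' and friends inside the value become extra commands."""
    cmd = "echo sending-to " + address
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def notify_safe(address: str) -> str:
    """No shell: the address is one argv element, whatever it contains.
    The allowlist check is defence in depth; the argv form is the real fix."""
    if not ADDRESS_RE.match(address):
        raise ValueError("rejected address: %r" % address)
    out = subprocess.run(["echo", "sending-to", address],
                         capture_output=True, text=True)
    return out.stdout


def demo():
    """A constructed address that smuggles a second command after ';'."""
    payload = "user@example.com; echo INJECTED"
    results = {"vulnerable": notify_vulnerable(payload), "safe_rejected": None}
    try:
        notify_safe(payload)
    except ValueError as exc:
        results["safe_rejected"] = str(exc)
    # Even without the allowlist, the argv form treats the payload as text:
    results["argv_form"] = subprocess.run(
        ["echo", "sending-to", payload], capture_output=True, text=True).stdout
    return results


if __name__ == "__main__":
    for case, value in demo().items():
        print(case, "->", repr(value))
```

With the shell form the output contains a second line, INJECTED, produced by the smuggled command; with the argv form the whole payload, semicolon included, is printed as one literal argument.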
XSS is a passive attack triggered through a trap the attacker prepared in advance. For example, the attacker embeds script code in a URL of the vulnerable site; when the victim opens it, the script runs in the victim's browser, reads the victim's Cookie through JavaScript (document.cookie), and sends it, or whatever the victim types into a forged login form, to the attacker.

Cross-site request forgery (CSRF): a passive attack in which the attacker's trap makes an authenticated user's browser send requests that update personal information or settings, without the user intending it. Because the browser attaches the user's Cookie automatically, the application cannot tell the forged request from a genuine one.
Attack impact: with the authenticated user's permissions, the attacker can change settings, purchase products, or post comments on a message board.

HTTP header injection: an attack in which the attacker inserts a line break into a value that the application copies into a response header field, and thereby adds arbitrary response header fields or even a response body. It is a passive attack. The variant that appends a body is called HTTP response splitting.
Attack mode: Web applications sometimes put externally received values into response header fields such as Location and Set-Cookie. Wherever such a field is built from an output value that is not checked for line breaks, the attacker can insert one, and everything after it is parsed as further header fields.
Attack impact: setting arbitrary Cookies, redirecting to arbitrary URLs, and displaying an arbitrary body (HTTP response splitting).
Attack cases:
1. Append %0D%0A (the CR LF line break of an HTTP message) to the URL parameter, followed by a header field the attacker wrote, for example a Set-Cookie field that plants a Cookie value of the attacker's choosing in the victim's browser.
2. HTTP response splitting: insert two %0D%0A sequences back to back. An empty line separates the HTTP header from the body, so everything after the double line break is treated as the response body and a spoofed body can be displayed. The user who triggered the trap sees a forged Web page and may be induced to enter personal information there, with the same effect as cross-site scripting.
3. Cache poisoning: an HTTP/1.1 connection can carry several responses in sequence, and a split response looks like two responses. A cache server that receives the attacker's second response may store it for a URL it was never meant for; every user of that cache server then keeps receiving the replaced page when browsing the attacked site.

Other attack methods

Mail header injection: an attack on the mail-sending function of a Web application. The attacker adds illegal content to the mail header fields (To, Subject, and so on) or to the body. A site with this vulnerability can be made to send advertising or virus-carrying mail to any address.
Attack case: the attacker submits a mail address followed by %0D%0A, which is a line break in the mail message, and then appends another header field such as a further To or Bcc address. Two consecutive line breaks end the header, so the attacker can also rewrite the text of the mail. In the same way any header, such as To or Subject, can be rewritten and attachments can be added to the body.

Directory traversal: an attack that gives access to files and directories that were never meant to be disclosed.
Attack mode: when a Web application reads a file whose name is specified from outside and does not validate that name, a relative path such as ../../etc/passwd is resolved against the application's base directory and lands on an absolute path outside it. Any file or directory on the server that the Web server's user can read may thus be accessed, and the attacker can browse, tamper with, or delete files on the server.

Remote file inclusion (RFI): when script code is read from another file and the file name comes from outside, the attacker specifies the URL of an external server as the file to include, and arbitrary script of the attacker's choosing is executed. This has been a major class of vulnerability in PHP.
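What header injection and response splitting look like on the wire, the check that stops them (the same check protects the mail headers described above), and a path resolver for the directory traversal case, as an added example that is not part of the original article. The host name example.test, the base directory /srv/app/uploads, and the payload strings are constructed for the example.

```python
# Added example (not from the original article): HTTP header injection and
# response splitting on the wire, the CR/LF check that stops them (mail
# headers need the same check), and a path resolver that defeats directory
# traversal. Host names, base directory and payloads are constructed.
import os
from urllib.parse import unquote

# The value an attacker would put in a ?url= parameter, URL-decoded by the
# framework before it reaches the application: two CR LF pairs end the header.
SPLIT_PAYLOAD = unquote(
    "https://example.test/%0D%0ASet-Cookie: sid=attacker%0D%0A%0D%0A"
    "<html>forged login page</html>")


def location_response_vulnerable(target: str) -> bytes:
    """The bug: the parameter is copied into Location unchecked."""
    return (b"HTTP/1.1 302 Found\r\nLocation: " + target.encode("latin-1")
            + b"\r\nContent-Length: 0\r\n\r\n")


def header_value(value: str) -> str:
    """Refuse any header value containing CR, LF or another control byte.
    Mail headers (To, Subject, ...) need exactly the same test."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("line break or control character in header value")
    return value


def location_response_safe(target: str) -> bytes:
    return (b"HTTP/1.1 302 Found\r\nLocation: "
            + header_value(target).encode("latin-1")
            + b"\r\nContent-Length: 0\r\n\r\n")


def parse_response(raw: bytes):
    """Minimal client-side view: header fields up to the first empty line,
    everything after it is the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, val = line.partition(b": ")
        headers.setdefault(name.decode("latin-1"), []).append(val.decode("latin-1"))
    return headers, body


def resolve_under(base_dir: str, requested: str) -> str:
    """Resolve a user-supplied file name under base_dir and refuse any result
    outside it. Normalise first, then compare whole path components: a plain
    string-prefix test would accept '/srv/app/uploads2/x' for '/srv/app/uploads'."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory: %r" % requested)
    return candidate


if __name__ == "__main__":
    print(parse_response(location_response_vulnerable(SPLIT_PAYLOAD)))
    print(resolve_under("/srv/app/uploads", "reports/2024.txt"))
```

Parsed as a client would parse it, the vulnerable response carries an extra Set-Cookie field and a body that begins with the forged page, even though the application only meant to send a redirect. Note that `os.path.join` discards the base when the requested name is absolute, which is why the check is done on the resolved result and not on the input.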
PHP's include and require can take the URL of an external server as the file name; because this is so dangerous, the option that permits it (allow_url_include) has been turned off by default since PHP 5.2.0.

Security vulnerabilities caused by configuration or design defects

These are vulnerabilities that stem from a misconfigured Web server or from design problems in the application.
1. Forced browsing: browsing files placed in a public directory of the Web server that were never intended to be published, such as customers' personal information, information that should only be available to users with access permission, or files not linked from anywhere. Making the URL hard to guess is not a sufficient countermeasure, because a directory index listing or a file name shown elsewhere can leak the URL.
2. Incorrect error message handling: error messages of a Web application contain information useful to attackers, mainly the errors raised by the application itself and the errors raised by underlying systems such as the database.
Error messages raised by the Web application: take the authentication function as an example. If a failed login tells the user specifically whether the account is unregistered or the password is wrong, an attacker can use that to determine whether a given user is registered. Keep the message at the level of "authentication error" only.
Error messages of the database and other systems: when an unexpected input triggers a database error and that error is shown to the user, the attacker learns which database (for example MySQL) is in use and may see part of the failing statement, which helps an SQL injection attack.
3. Open redirect: a redirection function that sends the user to a URL specified in the request. If the target is not restricted, it can redirect to a malicious Web site, and the user is led there. For example, with http://example/?redirect= * ** the attacker can set the redirect parameter so that the link points to a site the attacker prepared. Because the link starts on a trusted site, it may be used as a stepping stone for phishing.

Neglecting session management lets the user's authentication status be stolen. Examples are session hijacking (the attacker obtains the user's session ID by some means, such as XSS, network sniffing, or guessing, and impersonates the user with it) and session fixation (the attacker forces the user to log in with a session ID the attacker chose in advance; this is a passive attack).
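The open redirect and session fixation cases above, as an added example that is not part of the original article: a same-site check for a redirect parameter that also handles the URL forms browsers interpret differently from naive parsers, beside a toy session store that rotates the session ID at login. The host name example.test and the session layout are assumptions.

```python
# Added example (not from the original article): a same-site check for a
# redirect parameter, beside a toy session store that rotates the session ID
# at login. The host name example.test and the session layout are assumptions.
import secrets
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"example.test"}   # the application's own host name(s)


def is_safe_redirect(target: str) -> bool:
    """Accept only targets that stay on this site.

    urlsplit() alone is not enough: browsers treat backslashes like slashes,
    collapse any run of leading slashes ('///evil.test' is protocol-relative),
    and parse 'http:evil.test' as 'http://evil.test/'."""
    target = target.strip().replace("\\", "/")
    if not target:
        return False
    if target.startswith("//"):
        target = "//" + target.lstrip("/")
    parts = urlsplit(target)
    if parts.scheme not in ("", "http", "https"):
        return False                      # javascript:, data:, ...
    if parts.scheme or parts.netloc:
        return parts.hostname in ALLOWED_HOSTS   # absolute or //host forms
    return True                           # a plain path such as /account


class SessionStore:
    """Toy server-side session table keyed by the Cookie value."""

    def __init__(self):
        self._data = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._data[sid] = {"user": None}
        return sid

    def user_for(self, sid: str):
        return self._data.get(sid, {}).get("user")

    def login_fixable(self, sid: str, user: str) -> str:
        """The bug: keeps whatever session ID the browser presented."""
        self._data.setdefault(sid, {})["user"] = user
        return sid

    def login(self, sid: str, user: str) -> str:
        """Rotate the ID at login: an ID the attacker planted in the victim's
        browser before login is discarded and never becomes authenticated."""
        fresh = secrets.token_urlsafe(32)
        self._data.pop(sid, None)
        self._data[fresh] = {"user": user}
        return fresh


def fixation_demo():
    """The attacker obtains a valid ID, plants it in the victim's browser
    (link, Cookie injection, ...) and waits for the victim to log in."""
    store = SessionStore()
    planted = store.new_session()
    store.login_fixable(planted, "alice")
    store2 = SessionStore()
    planted2 = store2.new_session()
    fresh = store2.login(planted2, "alice")
    return {
        "fixable_attacker_sees": store.user_for(planted),    # 'alice'
        "rotated_attacker_sees": store2.user_for(planted2),  # None
        "rotated_victim_sees": store2.user_for(fresh),       # 'alice'
        "id_changed": fresh != planted2,
    }


if __name__ == "__main__":
    for t in ("/account", "//evil.test/x", "http:evil.test", "/\\evil.test"):
        print(repr(t), "->", is_safe_redirect(t))
    print(fixation_demo())
```

Where the set of legitimate destinations is small, an even simpler design is to accept only an index into a server-side table of paths instead of a URL at all. For sessions, the rotation belongs at every privilege change (login, password change), not only at first login.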
