Information collection for Web Security penetration testing (part 2) (1)

Source: Internet
Author: User
Tags: dns names

[Bkjia.com exclusive article] When we conduct a security penetration test, the first thing we need to do is collect as much information as possible about the target application. Information collection is therefore an essential step in penetration testing, and it can be carried out in different ways.

By using search engines, scanners, simple HTTP requests, or specially crafted requests, we may get an application to leak information such as error messages, version information, and the technologies used. This article describes in detail how to test which applications are running at the target address and how to gather information from error messages.

1. Identify applications

When testing Web applications for vulnerabilities, the most important first step is to find out which applications are hosted on the Web server. Many applications have known vulnerabilities and attack methods that allow an attacker to gain remote control or access confidential data. In addition, many applications are misconfigured or left without updates for a long time, because someone assumed they were only used internally and so ignored them.

In the past, the relationship between Web servers and IP addresses was usually one-to-one. However, with the rapid growth of virtual Web hosting, many websites and applications now share the same IP address.

As a security professional, you are sometimes given a set of IP addresses as the target to test. The problem is that if a given IP address hosts an HTTP service on port 80 and you access it by IP address alone, the server may answer with a message such as "no Web server is configured for this address". In fact, the system may "hide" many Web applications behind symbolic names (hostnames) that bear no obvious relation to the IP address. Obviously, the breadth of the analysis is greatly affected by how many of the hosted applications you actually test: you may not have noticed them at all, or only noticed some of them. Sometimes there are many targets to be tested, such as a list of IP addresses and their corresponding symbolic names. Even so, such a list may carry only part of the information, that is, it may omit some symbolic names, because even the customer does not know about them, especially in large organizations.

Another issue that affects the scope of the audit is non-obvious Web applications whose URLs (such as http://www.example.com/some-strange-URL) are not referenced from anywhere. This may be caused by misconfiguration or may be intentional, as with non-public management interfaces. To address this problem, Web application discovery is required.

The following describes black-box testing with examples. Web application discovery is the process of searching for Web applications on a given infrastructure, usually defined by a set of IP addresses, a set of DNS symbolic names, or both. Whether it is a typical penetration test or an application-centric assessment, this information needs to be gathered before the actual audit. Unless otherwise specified in the engagement contract (for example, "only test the application at http://www.example.com/"), the audit should be as broad as possible, that is, it should find all applications accessible through the given targets. In the following examples we will look at some techniques that achieve this.

Note: The following techniques apply to Internet-facing Web servers and make use of DNS, Web-based reverse IP lookup services, and search engines. In the examples, a private IP address (such as 192.168.1.100) stands in for a public one.

Three factors affect the number of applications associated with a given DNS name (or IP address):

1. Different base URLs

For a Web application, the obvious entry point is the root URL of its hostname (http://www.example.com/). Nothing, however, forces an application to start at "/": it may be reachable only under a non-obvious base path, in which case the root URL need not lead to anything meaningful. In general there is no need to publish Web applications in this stealth mode, unless you do not want to provide them in the standard way and instead inform your users privately of their specific location. Such applications are not hidden so much as unpublished, but they are still there.

2. Non-Standard Port

Although Web applications are usually located on port 80 (http) and port 443 (https), a Web application can be bound to any TCP port and referenced by specifying the port number, in the form http[s]://www.example.com:port/, for example http://www.example.com:20000/.

3. Virtual hosts

DNS allows a single IP address to be mapped to one or more symbolic names. For example, IP address 192.168.1.100 can be mapped to the DNS names www.example.com, help.example.com, and webmail.example.com. A virtual host setup generally uses this one-to-many mapping to serve different content under each name. The name of the virtual host we are requesting is carried in the Host: header of HTTP/1.1.

Unless we already know about help.example.com and webmail.example.com, we will not suspect that other Web applications exist on that address.
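The virtual-host point in section 3 (and the port point in section 2) as an added, runnable example that is not part of the original article: a loopback HTTP server hosting three constructed virtual hosts on one address and port, and a probe that sends the same request with different Host: headers and keeps only the names whose answer differs from the bare-IP baseline. All hostnames, response texts, and the function names start_server, probe, and enumerate_vhosts are assumptions made for this demo.

```python
import http.client
import http.server
import threading

VHOSTS = {  # constructed table: one IP and port, several symbolic names
    "www.example.com": "Corporate site",
    "help.example.com": "Helpdesk portal",
    "webmail.example.com": "Webmail login",
}

class VHostHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        # HTTP/1.1 picks the virtual host from the Host header, not from the IP.
        name = self.headers.get("Host", "").split(":")[0].lower()
        body = VHOSTS.get(name)
        self.send_response(200 if body else 404)
        data = (body or "No web application is configured for this address").encode()
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_server():
    """Bind the vhost server on loopback with an ephemeral port; return (server, port)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def probe(ip, port, hostname):
    """GET / on ip:port while naming `hostname` in the Host header; return (status, body)."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.request("GET", "/", headers={"Host": hostname})
    resp = conn.getresponse()
    result = (resp.status, resp.read().decode())
    conn.close()
    return result

def enumerate_vhosts(ip, port, candidates):
    """Return {name: body} for candidate names that answer differently from the bare IP."""
    baseline = probe(ip, port, ip)  # what a tester sees when using the IP alone
    results = {n: probe(ip, port, n) for n in candidates}
    return {n: body for n, (status, body) in results.items() if (status, body) != baseline}

if __name__ == "__main__":
    srv, port = start_server()
    for name, app in enumerate_vhosts("127.0.0.1", port, [*VHOSTS, "ftp.example.com"]).items():
        print(f"{name} -> {app}")
    srv.shutdown()
```

Run against your own servers, the same comparison is an inventory check: every name that answers differently from the bare IP is an application you are responsible for, whether or not it appears in your asset list.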
