Web Designers in the design of the site, generally will spend most of their energy to consider meeting user applications, how to achieve business, and rarely consider the site development process of security vulnerabilities, these vulnerabilities in the user's eyes do not care about the security of the site is almost invisible, in the normal site access process, these vulnerabilities will not be detected. But for an attacker who has ulterior motives, these vulnerabilities are likely to cause damage to the website.
Site penetration testing, also known as Web site security testing, Web site security testing, Web security testing, site security assessment, Web site vulnerability testing. It is an attempt to prevent the website from being hacked (such as tampering with Web pages, stealing website data, website hanging horse), and after obtaining authorization from users to detect the vulnerability of the website.
In the site penetration test, we will conduct system vulnerability detection (vulnerability scanning, buffer overflow test, local privilege elevation) and Web page code detection (SQL injection, XSS cross-site, Web page horse, upload vulnerability, privilege elevation Vulnerability, database vulnerability, source code leakage) and many other security tests. In order to effectively identify the site security vulnerabilities and pitfalls, to ensure the security of the target site.
Our site penetration testing, with many years of actual combat experience, can effectively detect and discover the existence of the site owasp Top 10 vulnerabilities.
Typically, the following vulnerabilities are often present on a Web site:
1) SQL injection. Detects the presence of a SQL injection vulnerability in the Web site, and if the vulnerability exists, an attacker injects an injection point into an attack that allows easy access to the site's background administrative rights and even the administration of the Web server. XSS Cross-site scripting. Detects if there is an XSS cross-site scripting vulnerability in the Web site, which could be subject to cookie spoofing, web-linked horse attacks, and potentially user data leaks.
3) page hanging horse. Detect whether the website has been illegally planted by hackers or malicious attackers Trojan horse program.
4) Buffer overflow. Detection of Web server and server software, whether there is a buffer overflow vulnerability, such as presence, an attacker can access the Web site or server administrative rights.
5) Upload the vulnerability. Detection of the upload function of the site is an upload vulnerability, if there is a vulnerability, an attacker can directly exploit the vulnerability to upload Trojans, to obtain Webshell on the site and then control the site.
6) Source code disclosure. Detects the presence of a source code disclosure vulnerability in the network and, if present, allows an attacker to download the source code of the Web site directly.
7) Hidden directory leaks. Detects that there is a disclosure vulnerability in some of the Web site's hidden directories, and if the vulnerability exists, an attacker can understand the entire structure of the site.
8) database leaks. A vulnerability that detects whether a Web site is compromised in a database, and, if so, an attacker could illegally download a Web site database through Bauku.
9) Weak password. Detection of the site's background management users, as well as the foreground user, whether there is a use of weak password situation.
10) Manage address leaks. Detect the presence of a site management address disclosure feature, if there is a vulnerability, the attacker can easily obtain the site's admin address.
Solutions See other Chapters: