What do you need to know about Web security testing?

Source: Internet
Author: User

1. Data verification process: a good web system should validate data on the client (IE), on the application server, and in the DB. But many programs cut corners: once the client-side script validation is done, nothing else is checked, or the app server's validation of data length and type differs from what the DB server enforces. Both cause problems. If you are interested, read the script code on the page and design some cases; this is an excellent exercise for a senior tester. I modified the script code on the page and submitted the form, triggering a major system vulnerability backdoor.

2. Data verification type: if the SQL statement the web server builds from submitted data is not verified, a hacker may surprise you: they can terminate the submitted SQL statement and append a delete-all or drop database statement to delete your database! I haven't tried this on an internet website yet, so I don't know how many websites have it. The web system I was responsible for did have such a problem.

3. Network encryption, not to mention database encryption.

The most common BUG of WEB software is:

1. SQL INJECTION

2. Vulnerabilities in file operation-related modules

3. Cookie Spoofing

4. Local vulnerability submission

SQL INJECTION Test Method

Principle:

Suppose news.asp in a news management system reads news from the database using a URL parameter, for example

http://www.xxx.com/news.asp?id=1

and the page opens the recordset by pasting the parameter straight into the SQL text:

Rs.Open "select * from news where id=" & CStr(Request("id")), conn, 1, 1

When the database is queried, the article requested by the above URL is read with

select * from news where id=1

If you know SQL, you will see that this statement reads the article with id 1 from the news table.

However, in SQL SERVER, select supports subqueries and multi-statement execution. If you submit a URL of this form (the character being compared is omitted here):

http://www.xxx.com/news.asp?id=1 and 1=(select count(*) from admin where left(name,1)=)

the SQL statement becomes

select * from news where id=1 and 1=(select count(*) from admin where left(name,1)=)

If the leftmost character of the name field in the admin table matches the tested character, the subquery returns 1 and the system queries the article with id 1 from the news table. Logically the WHERE clause is 1 AND P: if P is true the whole expression is true and the page returns normally; if P is false, an error is reported or the article with this id does not exist. Hackers can use this difference to guess the background administrator's user name and password one character at a time.

Test:

Testing whether SQL INJECTION exists is very simple. If the parameter is an integer type, submit the following two URLs separately: http://www.xxx.com/news.asp?id=1 and 1=1 and http://www.xxx.com/news.asp?id=1 and 1=2

If the first returns the correct content and the second returns a different page or different content, then SQL INJECTION exists in news.asp. We can't say much about how to exploit it; after all, we are not trying to intrude.
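The following is an added example (not code from the original article) that mirrors the vulnerable news.asp query and its hardened counterpart with an in-memory sqlite3 stand-in for the news table, and runs the article's 1=1 / 1=2 check against each handler in-process. The table contents are constructed sample data.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the site's news table (two sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1, "first article"), (2, "second article")])
    return conn


def read_news_vulnerable(conn, id_param):
    """Same shape as Rs.Open "select * from news where id=" & CStr(Request("id")):
    the parameter is pasted into the SQL text, so ' and 1=2' becomes SQL."""
    sql = "select * from news where id=" + str(id_param)
    return conn.execute(sql).fetchall()


def read_news_safe(conn, id_param):
    """Hardened version: enforce the integer type on the server, then bind the
    value as a parameter so it can never be interpreted as SQL."""
    try:
        news_id = int(id_param)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    return conn.execute("select * from news where id=?", (news_id,)).fetchall()


def injection_suspected(conn, reader):
    """The article's test, applied to a handler: send id=1 and 1=1 and
    id=1 and 1=2; the handler is suspect if both are accepted yet the
    results differ. A handler that rejects the non-integer id is not suspect."""
    results = []
    for probe in ("1 and 1=1", "1 and 1=2"):
        try:
            results.append(reader(conn, probe))
        except ValueError:
            return False
    return results[0] != results[1]
```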

Testing vulnerabilities in file operation-related modules

Principle:

For example, if the file upload program upload.asp only pays attention to its functional requirements and does not consider unconventional user behaviour, a webpage Trojan can be uploaded. The architecture and source code of the entire website, or even the entire server, are then exposed, and the attacker gains certain permissions on it.

Test:

Upload files with asp, php, jsp, cgi, and other web page extensions and check whether the upload succeeds.

Supplement:

Similarly, consider a download feature such as

http://www.xxx.com/download/filespath.asp?path=../abc.zip

If you request

http://www.xxx.com/download/filespath.asp?path=../conn.asp

it is very likely that the source code of these asp files is downloaded, exposing the database location and the user password.

There are many other examples.
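As an added example (not code from the original article), here are the two server-side checks the upload and download cases above call for: confining the path parameter of filespath.asp to the download folder, and allowing uploads only by an extension allowlist that refuses the script extensions the article lists. The folder location and the allowlist are assumptions.

```python
import os
import posixpath

DOWNLOAD_ROOT = "/var/www/download"        # assumed location of the download folder
ALLOWED_UPLOAD_EXT = {".jpg", ".png", ".gif", ".zip"}   # assumed allowlist
SCRIPT_EXT = {"asp", "php", "jsp", "cgi"}  # extensions named in the article


def resolve_download(path_param, root=DOWNLOAD_ROOT):
    """Map filespath.asp?path=... to an absolute path under root, or return
    None when the request would escape the folder (e.g. path=../conn.asp)."""
    if "\x00" in path_param or "\\" in path_param:
        return None                      # null bytes and Windows separators are refused
    candidate = posixpath.normpath(posixpath.join(root, path_param.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def upload_allowed(filename):
    """Accept an upload only if its final extension is on the allowlist and no
    dot-separated part is a script extension, so names like x.php.jpg or
    shell.asp;.jpg (the part before ';' is what some servers execute) are refused."""
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name.startswith("."):
        return False
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False
    for part in parts[1:]:
        if part.split(";")[0] in SCRIPT_EXT:
            return False
    return "." + parts[-1] in ALLOWED_UPLOAD_EXT
```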

Cookie Spoofing

Principle:

COOKIES are an important part of WEB programs, and they have advantages and disadvantages. The advantage is that they do not occupy server resources; the disadvantage is that they are very easy to modify and abuse on the client. Generally, a SESSION is used for back-end logon, while the front end of a forum logs users on with COOKIES, because front-end logons are frequent and SESSION usage would be inefficient. However, a forum administrator, for example, also has certain permissions on the front end of the website; if the COOKIES are not strictly verified, the normal operation of the WEB program is seriously affected. For example, early versions of LEADBBS only strictly verified COOKIES in the back end; the front end only read the user ID from the COOKIES and did not verify whether the user was legitimate.

Test:

We recommend using the MYBROWER browser, which displays and lets you modify COOKIES on the spot. Modify the corresponding value and observe what the program accepts.
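The check that the LEADBBS front end skipped, as an added example (not LEADBBS code): the user ID stored in the cookie is signed with a server-side secret using HMAC-SHA256, so a client that edits the ID in the browser produces a cookie the server refuses. The secret value is an assumption for the demonstration.

```python
import base64
import hashlib
import hmac

SECRET = b"assumed-server-side-secret"   # assumed; load from server config, never send to clients


def _sign(body, secret):
    return hmac.new(secret, body.encode(), hashlib.sha256).digest()


def make_user_cookie(user_id, secret=SECRET):
    """Return 'user_id.signature', where the signature covers the user id."""
    body = str(int(user_id))
    sig = base64.urlsafe_b64encode(_sign(body, secret)).decode().rstrip("=")
    return body + "." + sig


def read_user_cookie(cookie, secret=SECRET):
    """Return the user id only if the signature verifies; otherwise None.
    Reading the id without this step is exactly what the early LEADBBS
    front end did, and what lets a client impersonate another user."""
    try:
        body, sig_b64 = cookie.rsplit(".", 1)
    except ValueError:
        return None
    if not body.isdigit():
        return None
    try:
        sig = base64.urlsafe_b64decode(sig_b64 + "=" * (-len(sig_b64) % 4))
    except ValueError:
        return None
    # constant-time comparison so the check itself leaks nothing about the key
    if not hmac.compare_digest(sig, _sign(body, secret)):
        return None
    return int(body)
```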

Local form submission Vulnerability

Principle:

A form is submitted to its ACTION, so the form is the client-side interface of the WEB program. For example, in a voting system the values of items A, B, C, and D are , 80, 60, and 40.

But what if you save the page to the local hard disk as HTML, modify its VALUE, and submit it to the same ACTION? Will the ACTION accept it?

Test:

For example, in the voting system, save the voting page to the local hard disk, open it in Notepad, find the VALUE of the corresponding item, modify it, and then submit the form.

Forced browsing of the back end: attackers bypass the logon page and request system folders or file pages directly. If a system folder lacks an index.html, the logon verification page may be bypassed. Keeping confidential company content in such folders also causes immeasurable losses.

Cross-site scripting attacks: basically I have seen this in forums of all kinds. For example, this code can be entered in any input box: "". If characters such as "<" and ">" are not converted, the script is executed automatically. Web pages served from Baidu's snapshot cache automatically execute the code; if you don't believe it, search for JavaScript code and see for yourself.

Stack overflow attacks: I don't know anything about them, but I can see on a website that 2000, XP, and 2003 can all be attacked. It's terrible. Should I patch MS?
