How to perform Web penetration testing

Source: Internet
Author: User
Tags: how to prevent SQL injection, how to test SQL injection


Web penetration testing can be considered from the following aspects:

1. SQL Injection

(1) How to test SQL injection?

First, find pages whose URLs carry parameters, such as the search page, the login page and the comment submission page.

Note 1: If no parameter is visible in the URL, inspect the FORM tags in the HTML source to see whether parameters are submitted. Every input between <form> and </form> may be exploitable.

<form id="form_search" action="/search/" method="get"><div><input type="text" name="q" id="search_q" value="" /><input name="search" type="image" src="/media/images/site/search_btn.gif" /><a href="/search/" class="fl">Gamefinder</a></div></form>

Note 2: When you cannot find a page that accepts input, look for URLs that carry parameters, such as http://domain/index.asp?id=10

Next, add SQL statements or fragments to the URL parameters or form fields. For example, enter http://domain/index.asp?username='hi' or 1=1

Note 1: The following strings are commonly used as SQL injection test inputs:

' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a

Note 2: Why are OR, the single quote (') and the double dash (--) special?

For example, a login is usually authenticated with a statement like: SQL = select * from user where username = 'username' and pwd = 'password'

If you enter http://duck/index.asp?username=admin' or 1='1&pwd=11, the statement becomes: SQL = select * from user where username = 'admin' or 1='1' and pwd = '11'

The injected quote closes the first condition as username = 'admin'; evaluation then continues with the next condition.

The next condition is joined by OR. OR is a logical operator: when several conditions are combined, the whole expression is true as soon as one of them is true, so the AND conditions that follow no longer decide the result. In other words, the password check is bypassed and we can log in knowing only the user name.

If instead you enter http://duck/index.asp?username=admin' --&pwd=11, the statement becomes: SQL = select * from user where username = 'admin' --' and pwd = '11'

The condition is now exactly username = 'admin'; what follows is handled by the rest of the statement.

Next comes "--", which starts a comment: everything after it is ignored, so the password check after the connector is commented out (Note: this does not work on the Access database).

Finally, check whether the login succeeds or whether the error message reveals information about the database server. If either is the case, a SQL injection vulnerability exists.

Imagine the consequences if the site is injectable: an experienced attacker can guess table names and table structure and then add, delete or modify table data, which is very serious.

(2) How to prevent SQL injection?

From the application perspective, we need to do the following three things:

Escape sensitive characters and strings (SQL-sensitive strings include "exec", "xp_", "sp_", "declare", "union", "cmd", "+", "//", "..", ";", "'", "--", "%", "0x", "><=!-*/()|" and the space character).

Suppress error details: do not let an attacker learn the result of an attack from the error output.

Validate the submitted data before the server processes it. The validity check covers three items: data type, data length and sensitive characters. The most fundamental rule is that the server refuses to carry out any key operation before it has confirmed that the user input is valid.

From the tester's point of view, security checks should be applied consciously during requirements review, before development begins (the requirement stage). For example, when we review a form requirement, we generally check the following:

The type, length and value range of every field in the form should be specified as required (the main purpose is to prohibit sensitive characters).

If the input exceeds the specified type, length or value range, the application should return an error message that contains no code or database information.

These two items must of course also be verified during the test phase.
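The following example is added here to show the two login statements from this section side by side: the string-built query the article dissects, and a hardened version that applies the three-item validity check and then binds the values as query parameters (parameter binding is the technique substituted here; the article itself only names escaping and validation). It is not code from the original article. The in-memory SQLite table, the user "admin" and the password value are constructed for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory database with one account (sample data, not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, pwd TEXT)")
    conn.execute("INSERT INTO user VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, pwd):
    """The pattern the article dissects: the statement is assembled from raw input,
    so a quote in the input ends the literal and '--' comments out the password check."""
    sql = f"select * from user where username = '{username}' and pwd = '{pwd}'"
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, pwd):
    """Parameter binding: the driver passes the values separately from the statement,
    so quotes and comment markers in the input are just characters in a value."""
    sql = "select * from user where username = ? and pwd = ?"
    return conn.execute(sql, (username, pwd)).fetchone() is not None


# Type / length / sensitive-character rule for the username field (assumed policy).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")
PASSWORD_MAX_LEN = 128


def validate_username(value):
    """The article's three-item validity check: type, length and allowed characters."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def validate_password(value):
    return isinstance(value, str) and 0 < len(value) <= PASSWORD_MAX_LEN


def login(conn, username, pwd):
    """Refuse the key operation until the input is confirmed valid, then use binding.
    The caller should answer a failed validation with a generic message, never with
    the database error text."""
    if not (validate_username(username) and validate_password(pwd)):
        return False
    return login_parameterized(conn, username, pwd)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, admin' --  :", login_vulnerable(db, "admin' --", "11"))
    print("parameterized, same   :", login_parameterized(db, "admin' --", "11"))
    print("validated, real creds :", login(db, "admin", "s3cret"))
```

Running the block shows the string-built query accepting the commented-out password check while the bound query treats the same text as a literal username that does not exist. Validation sits in front of the query so that a rejected request never reaches the database at all, which is the "reject before processing" rule the article states.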

2. Cross-site scripting (XSS)

(1) How to perform XSS testing?

First, find the pages whose URLs carry parameters, such as the login page, search page, comment submission page and message posting page.

Second, enter the following test statement into the page parameters (script or markup such as JavaScript, VBScript, HTML, ActiveX or Flash may be used):

<script>alert(document.cookie)</script>

Finally, if a warning box pops up when you browse the page and displays the browser's current cookie string, the site has an XSS vulnerability.

Imagine that instead of this simple test code a carefully crafted malicious script were injected: when users view the post, their cookie information may be captured by the attacker, and the viewer's account is then easily taken over.

(2) How to Prevent XSS vulnerabilities?

From the application perspective, we need to take the following measures:

Escape script and markup such as JavaScript, VBScript, HTML, ActiveX and Flash.

Validate the submitted data before the server processes it (the check covers three items: data type, data length and sensitive characters). The most fundamental rule is that the server refuses key operations until the client input has been confirmed valid.

From the tester's point of view, the XSS check is completed in two phases, the requirement check and the execution of tests:

During the requirement check, verify the type, length and value range of every input and output item, with emphasis on whether HTML and script code are escaped.

The above items should also be checked during testing.
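The following example is added to illustrate the escaping and validation the section calls for; it is not code from the original article. It renders a comment and a search box in two ways, once with the raw value and once with the value escaped for its HTML context, and applies a length check before rendering. The comment-length limit and the page fragments are assumptions made for the demonstration; the probe string is the one the article uses.

```python
import html

# The test probe from the article, embedded here as constructed input.
XSS_PROBE = "<script>alert(document.cookie)</script>"

# Assumed requirement: a comment is text of 1..500 characters.
COMMENT_MAX_LEN = 500


def validate_comment(value):
    """Type and length check from the requirement stage."""
    return isinstance(value, str) and 0 < len(value) <= COMMENT_MAX_LEN


def escape_for_html(value):
    """Escape &, <, >, " and ' so injected markup is displayed as text, not parsed.
    quote=True is what makes the same function safe inside a quoted attribute."""
    return html.escape(str(value), quote=True)


def render_comment_vulnerable(comment):
    """Raw interpolation: the probe becomes a live <script> element."""
    return f"<div class='comment'>{comment}</div>"


def render_comment_safe(comment):
    """Escaped interpolation: the browser shows the probe text literally."""
    if not validate_comment(comment):
        return "<div class='comment'></div>"
    return f"<div class='comment'>{escape_for_html(comment)}</div>"


def render_search_box_safe(query):
    """Attribute context: the value is echoed inside value="..." so quotes must be escaped too."""
    return f'<input type="text" name="q" value="{escape_for_html(query)}" />'


if __name__ == "__main__":
    print(render_comment_vulnerable(XSS_PROBE))
    print(render_comment_safe(XSS_PROBE))
    print(render_search_box_safe('say "hi"'))
```

The escaped output contains &lt;script&gt; rather than a script tag, which is exactly what the tester should see when viewing the page source after submitting the probe. Escaping is applied at output, in the context where the value lands (element body or attribute), and validation is applied at input; the article's guidance needs both.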

3. Cross-site request forgery (CSRF)

Although CSRF sounds like XSS, it is very different from XSS, and the attack methods are almost entirely different.

XSS exploits the trust a user places in a site, while CSRF exploits the trust a site places in its users by disguising a forged request as one coming from a trusted user.

Attacks such as XSS and CSRF aim at user information such as the session and cookies.

(1) How to perform CSRF testing?

Currently this check is done mainly with security testing tools.

(2) How to prevent CSRF vulnerabilities?

We will not discuss this here.

4. Email header injection

Email header injection: if a form is used to send e-mail, it may have a "subject" field (the mail title). We need to verify that the "\n" character is removed from the subject.

Because "\n" is a newline, if the user enters "hello\ncc: spamvictim@example.com" as the subject, the result may be:

Subject: hello

cc: spamvictim@example.com

If users are allowed to supply such a subject, the flaw can be used to send spam to other people through our platform.
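The following example is added to show the header assembly this section describes and the check that stops it; it is not code from the original article. It builds the mail header block from a "subject" field in two ways, the naive way and one that rejects any CR or LF in a header value, and parses the resulting block to list which headers actually ended up in it. The recipient address and the subject strings are constructed test input.

```python
import re

# Constructed inputs: the subject from the article and a harmless one.
CLEAN_SUBJECT = "hello"
INJECTED_SUBJECT = "hello\ncc: spamvictim@example.com"

HEADER_BREAK = re.compile(r"[\r\n]")


def is_safe_header_value(value):
    """A single header value must never contain a line break of any kind."""
    return isinstance(value, str) and HEADER_BREAK.search(value) is None


def sanitize_header_value(value):
    """Reject (rather than silently strip) so the caller can return a validation error."""
    if not is_safe_header_value(value):
        raise ValueError("line break in header value")
    return value.strip()


def build_headers_vulnerable(to_addr, subject):
    """Raw assembly as the article describes: a newline inside the subject
    ends the Subject header and starts a new header line."""
    return f"To: {to_addr}\r\nSubject: {subject}\r\n\r\n"


def build_headers_safe(to_addr, subject):
    """Every user-supplied value passes the line-break check before it is placed in a header."""
    return (
        f"To: {sanitize_header_value(to_addr)}\r\n"
        f"Subject: {sanitize_header_value(subject)}\r\n\r\n"
    )


def header_names(raw):
    """Parse the header block (up to the blank line) and return the header names present,
    lower-cased, so a test can see whether an extra 'cc' header appeared."""
    block = raw.split("\r\n\r\n", 1)[0]
    names = []
    for line in block.replace("\r\n", "\n").split("\n"):
        if ":" in line:
            names.append(line.split(":", 1)[0].strip().lower())
    return names


if __name__ == "__main__":
    raw = build_headers_vulnerable("user@example.com", INJECTED_SUBJECT)
    print(raw)
    print("headers present:", header_names(raw))
```

With the injected subject the naive builder produces three headers (To, Subject and an attacker-chosen cc), which is the spam path the article warns about; the checked builder raises instead, and the form handler should turn that into an ordinary validation error. Rejecting on "\r" as well as "\n" matters because mail headers are separated by CRLF and a lone CR is enough for some mail software to start a new line.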

5. Directory traversal

(1) How to test directory traversal?

Directory traversal arises when the program does not filter "../" and "./" in user input, which lets a malicious user read arbitrary files on the server by submitting a path that jumps between directories.

Test method: enter a number of "../" and "./" sequences in the URL and verify that the system has stripped these directory jumps.

(2) How to prevent directory traversal?

Restrict what the Web application is allowed to run and access on the server.

Perform strict input validation to reject invalid user-supplied paths.
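The following example is added to show the input check this section asks for; it is not code from the original article. Rather than searching for "../" and "./" and stripping them (which can be bypassed by nested or encoded forms), it resolves the requested path against the directory the application is allowed to serve and refuses anything that resolves outside it; a separate helper flags ".." segments for logging. The base directory and the requested paths are constructed for the demonstration and do not need to exist.

```python
import os

# Assumed directory the application is allowed to serve files from.
BASE_DIR = "/var/www/files"


def resolve_under_base(base, user_path):
    """Return the absolute path the request resolves to if it stays inside base,
    or None if it escapes. Absolute user paths are rejected as well, because
    os.path.join discards the base when the second argument is absolute."""
    base = os.path.abspath(base)
    candidate = os.path.abspath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def is_traversal_attempt(user_path):
    """Detection signal for logs: any '..' segment, with either separator."""
    return ".." in user_path.replace("\\", "/").split("/")


def serve_path(user_path, base=BASE_DIR):
    """What a download handler should do: resolve, refuse on escape, never echo the
    rejected path back in the error message."""
    target = resolve_under_base(base, user_path)
    if target is None:
        return (403, None)
    return (200, target)


if __name__ == "__main__":
    for p in ["docs/readme.txt", "./docs/../readme.txt", "../../config/db.ini", "/etc/hosts"]:
        print(p, "->", serve_path(p), "traversal flag:", is_traversal_attempt(p))
```

The check compares the normalised candidate with the base using commonpath, so "docs/../readme.txt" is accepted (it stays inside) while "../../config/db.ini" and an absolute path are refused even though neither contains the exact "../" string in every position. os.path.abspath does not follow symbolic links; if the served tree may contain links pointing outside it, apply the same comparison to os.path.realpath of both sides as well.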

6. Exposed error messages

(1) How to perform the test?

First, find some error pages, such as 404 or 500 pages.

Verify that a friendly message is shown when a request fails, such as "the page you visited does not exist", instead of exposing program code.

(2) How to prevent it?

During the requirement check, the tester should examine the error messages in detail: for example, whether error messages are specified and whether they are correct.
