Business security vulnerability mining essentials

1 Authentication security

Brute force
A large number of password guesses made by exhaustive, automated trial. This generally includes dictionary attacks and exhaustive brute force.
Examples:
- 360 Cloud disk sharing code can be brute forced http://www.wooyun.org/bugs/wooyun-2015-0121646
- Rice Network login does not require a verification code, which allows brute force http://www.wooyun.org/bugs/wooyun-2015-0145757
Defense methods: verification code mechanism; one-time authentication code; login failure handling (login attempt limit, account lock function); two-factor authentication mechanism.
Tool: Burpsuite

Credential stuffing (account collision)
Examples:
- Lily Net user name and password brute force with a very high success rate http://www.wooyun.org/bugs/wooyun-2010-091527
- Huawei Cloud Services can be brute forced and credential stuffed http://www.wooyun.org/bugs/wooyun-2014-078348
Tool: htpwdscan https://github.com/lijiejie/htpwdscan
Prevention: unify all login interfaces and discard each app's separate login entry.

Weak encryption mechanism
Example: an online training system using Base64 encoding, general SQL blind injection vulnerability http://www.wooyun.org/bugs/wooyun-2015-0120906
The problem: using MD5, Base64 and similar encoding or unsalted hashing as the "encryption" for passwords.
Defense: hash + salt.

2 Business consistency security
Business consistency means preventing vertical, horizontal and arbitrary information acquisition by a user.

Mobile phone number tampering
Capture the request and change the phone number parameter to another number to try to obtain that user's information. For example, on a query page enter your own number, capture the request, change the phone number parameter to someone else's number, and check whether the other person's business data can be queried.
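As an added illustration of the authentication defenses listed in section 1 (hash + salt instead of Base64 or MD5, failure counting and an account lock), the following is example code written for this note, not code from the page or from any of the cited systems. The in-memory user store, the thresholds and the lock duration are constructed assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed in-memory stores for the demonstration (assumptions, not a real
# system): username -> (salt, pbkdf2 hash) and username -> [failures, locked_until]
_USERS = {}
_FAILURES = {}
MAX_FAILURES = 5      # consecutive failures before the account is locked
LOCK_SECONDS = 900    # lock duration (15 minutes)
ITERATIONS = 100_000  # PBKDF2 work factor

def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256 with a per-user random salt: unlike Base64 or unsalted
    # MD5, two users with the same password get different stored values
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def register(username, password):
    salt = os.urandom(16)
    _USERS[username] = (salt, _hash_password(password, salt))

def login(username, password, now=None):
    """Return 'ok', 'bad_credentials' or 'locked'."""
    now = time.time() if now is None else now
    fails, locked_until = _FAILURES.get(username, [0, 0.0])
    if now < locked_until:
        return "locked"                 # login limit / lock function
    record = _USERS.get(username)
    # Hash against a dummy salt for unknown users so the response time does
    # not reveal whether the account exists
    salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
    candidate = _hash_password(password, salt)
    if record and hmac.compare_digest(candidate, stored):
        _FAILURES.pop(username, None)   # reset the counter on success
        return "ok"
    fails += 1
    if fails >= MAX_FAILURES:
        locked_until = now + LOCK_SECONDS
        fails = 0
    _FAILURES[username] = [fails, locked_until]
    return "bad_credentials"
```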
Example: a Gome sub-station's mobile phone number binding can be reset arbitrarily, allowing the transaction password to be modified http://www.wooyun.org/bugs/wooyun-2010-0166377

Mailbox or user name tampering
Capture the request and change the user or mailbox parameter to another user's name or mailbox.
Example: Green Union RSAS security system rights manager bypass vulnerability affecting all versions, including the latest RSAS V5.0.13.2 http://www.wooyun.org/bugs/wooyun-2014-074441

Order ID tampering
View your own order ID, then modify the ID (plus or minus one) to see whether other users' order information can be viewed.
Example: a travel agent with unlimited access to user orders http://www.wooyun.org/bugs/wooyun-2013-044137

Product number tampering
For example, in a points redemption area, 100 points can only redeem product number 001 and 1000 points can only redeem product number 005. When redeeming the 100-point item, capture the request and change the product number to 005, obtaining the high-point product with low points.
Examples:
- Lenovo Points Mall payment vulnerability bypass http://www.wooyun.org/bugs/wooyun-2013-041617
- Lenovo Points Mall logic file leads to payment vulnerability http://www.wooyun.org/bugs/wooyun-2013-037058

User ID tampering
Capture the request, view your own user ID, then modify the ID (plus or minus 1) to see whether other users' information can be viewed.
Example: NET million CV leakage risk http://www.wooyun.org/bugs/wooyun-2015-0111617

3 Business data tampering

Amount data tampering
Modify a field such as the amount on the payment page, for example the amount field of the goods in the request, to an arbitrary amount and submit it to see whether the business process can be completed with the revised amount.
Examples:
- 12308 total price on order payment not validated (payment logic vulnerability) http://www.wooyun.org/bugs/wooyun-2015-0117083
- destoon unlimited increase in account funds http://www.wooyun.org/bugs/wooyun-2014-050481

Goods quantity tampering
Capture the request and modify the number of items and similar fields: change the quantity in the request to an arbitrary value, such as a negative number, and submit it to see whether the business process can be completed with the modified quantity.
Example: Azure Group payment logic vulnerability (a negative amount can be paid) http://www.wooyun.org/bugs/wooyun-2015-0109037

Maximum limit breakout
Many products limit the number a user may purchase, but the server only limits it in the page through a JS script and does not verify the submitted quantity on the server side. Capture the request, modify the quantity so that it exceeds the maximum limit, and see whether the business process completes with the revised quantity.

Local JS parameter modification
Some applications use JavaScript to process user-submitted requests; modify the JavaScript to test whether the modified data affects the outcome.

4 User input compliance
- Injection testing
- XSS cross-site scripting
- Fuzz testing: functional testing with many inputs; a very long special string may cause a denial of service or missing functionality. Possible tool: spike
- Other applications that interact with user input

5 Password recovery
Password recovery is designed for those who forgot their password, so that they can retrieve it.
Example: Lily Net modify any girl's account password vulnerability http://www.wooyun.org/bugs/wooyun-2012-014594
Password recovery vulnerability summary http://drops.wooyun.org/web/5048
Process:
i. First try the password recovery process, choose the different retrieval methods, and record all packets
ii. Analyze the packets to find the sensitive parts
iii.
Analyze the verification mechanism used by the recovery process
iv. Modify the packets and test the validation by inference

6 Verification code breakout
Verification codes appear not only at login but also in password recovery, sensitive data submission and similar places.

Verification code brute force test
Use Burp to brute force a specific verification code.
Example: Ally 88 e-commerce platform any user registration and any user password reset vulnerability package http://www.wooyun.org/bugs/wooyun-2015-093932

Verification code time and frequency test
Capture the packet carrying the verification code and submit it repeatedly. For example, in a complaint/suggestion form, enter the complaint content and the verification code parameter, resubmit the captured packet repeatedly, and check whether the complaint history contains duplicate submissions of the same parameter information.

Verification code client echo test
When the client needs to interact with the server to send a verification code, press F12 in Firefox to open Firebug and inspect the details of the client-server interaction.

Verification code bypass test
When the first step jumps to the second step, capture the packet and tamper with or clear the verification code to test whether the step's verification code can be bypassed.
Example: design defect in the information security management system of an IDC computer room of China Telecom http://www.wooyun.org/bugs/wooyun-2015-098765

Verification code JS bypass
SMS verification code program logic defect: the first, second and third steps of the business process are placed on the same page, and the first step's verification code is checked by JS. The verification code check can be modified so that, without obtaining a verification code, the real-name information can be filled in and submitted successfully.
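Returning to the data tampering tests of section 3, here is an added example, not from the page or from any cited site, of the server-side checks that defeat amount, quantity, product number and maximum-limit tampering: price, points cost and purchase limit come from a server-side catalogue (constructed here), the quantity must be a positive integer, and the client's amount field plays no part in what is charged.

```python
from decimal import Decimal

# Constructed server-side catalogue (an assumption for this example):
# product id -> unit price, points cost and per-user purchase limit.
# None of these values are ever taken from the client request.
CATALOGUE = {
    "001": {"price": Decimal("19.90"), "points": 100, "limit": 5},
    "005": {"price": Decimal("199.00"), "points": 1000, "limit": 2},
}

class OrderError(ValueError):
    """Raised when a client order request fails server-side validation."""

def validate_order(request, user_points, already_bought):
    """Validate a client order and return the server-computed charge.

    request        - dict as sent by the client, e.g.
                     {"product": "005", "quantity": 1, "amount": "0.01",
                      "pay_with": "points"}
    user_points    - the caller's real points balance, read from the server
    already_bought - units of this product the caller has bought before
    Returns (amount, points) as a string amount and an int points cost.
    """
    item = CATALOGUE.get(str(request.get("product", "")))
    if item is None:
        raise OrderError("unknown product")
    qty = request.get("quantity")
    # Quantity must be a positive integer: 0, negatives, floats and
    # strings such as "-1" are all rejected
    if isinstance(qty, bool) or not isinstance(qty, int) or qty < 1:
        raise OrderError("invalid quantity")
    # The purchase cap is enforced here, not only by the page's JavaScript
    if already_bought + qty > item["limit"]:
        raise OrderError("purchase limit exceeded")
    # Totals are recomputed from the catalogue; the client's "amount"
    # field, if present, is ignored
    amount = item["price"] * qty
    points = item["points"] * qty
    if request.get("pay_with") == "points" and user_points < points:
        # Stops product 005 being redeemed with a 100-point balance
        raise OrderError("insufficient points")
    return str(amount), points

def check_order(request, user_points, already_bought):
    """Wrapper returning (ok, result) instead of raising, for callers that
    want to report the rejection reason without exception handling."""
    try:
        return True, validate_order(request, user_points, already_bought)
    except OrderError as exc:
        return False, str(exc)
```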
7 Business authorization security

Unauthorized access
Unauthorized access means that a user directly reaches pages or text information that require authentication without being authenticated or authorized. After logging in to a website's front end or back end, copy the relevant page links to another browser or another computer to see whether they can still be accessed.

Privilege escalation (ultra vires)
Privilege escalation vulnerabilities arise mainly because developers trust client-requested data too much when creating, deleting, updating and querying data, and omit the authorization check.
- Vertical privilege escalation: a low-privileged user can access the functions of a higher-privileged user.
- Horizontal privilege escalation: different users with the same permission level can access each other's data.
Reference: My way of privilege escalation http://drops.wooyun.org/tips/727
Examples:
- Guangzhou Metro a system unauthorized access vulnerability can lead to internal personnel information leakage http://www.wooyun.org/bugs/wooyun-2010-0157827
- HONGTA Securities: from unauthorized access to logs to the compromise of OA (a lot of information compromised) http://www.wooyun.org/bugs/wooyun-2015-01613168

Business process chaos (sequential execution defects)
1. Some site logic may be first process A, then process B, then process C and finally process D.
2. The user controls each request sent to the application, so the steps can be accessed in any order. The user then enters process D directly from B, bypassing C. If C is the payment process, the user bypasses payment and buys a product. If C is a verification process, the user bypasses validation and enters the website program directly.
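Added example, not code from the page or from the cited systems, of the server-side checks that close the three gaps in this section: an ownership check against the session identity (horizontal), a role check read from the server rather than from a request parameter (vertical), and a step state machine that refuses step D until step C is recorded as done (process order). Orders, users and step names are constructed.

```python
# Constructed data for this example (assumptions, not a real system):
# orders keyed by id with owner and last completed step, and user roles
ORDERS = {
    1001: {"owner": "alice", "state": "created"},
    1002: {"owner": "bob", "state": "created"},
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}

# Business flow A -> B -> C -> D: a step may only follow the previous one
FLOW = ["created", "address", "payment", "confirm"]

class Forbidden(Exception):
    """Request rejected by an authorization or process-order check."""

def get_order(session_user, order_id):
    """Horizontal check: the id comes from the client, the identity from the
    server-side session. A lookup by id alone would let alice read order
    1002 simply by changing 1001 to 1002 in the request."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session_user:
        # Same answer for 'missing' and 'not yours': the id is no oracle
        raise Forbidden("order not found")
    return order

def admin_list_orders(session_user):
    """Vertical check: the role is read from the server, never from a
    client-controlled parameter such as isAdmin=1."""
    if ROLES.get(session_user) != "admin":
        raise Forbidden("admin role required")
    return sorted(ORDERS)

def advance(session_user, order_id, step):
    """Record a step only if the preceding one is already recorded, so a
    request for 'confirm' (D) while 'payment' (C) is not done is refused no
    matter in which order the client sends its requests."""
    order = get_order(session_user, order_id)   # ownership check first
    idx = FLOW.index(order["state"])
    if idx + 1 >= len(FLOW) or step != FLOW[idx + 1]:
        raise Forbidden("step %r not allowed after %r" % (step, order["state"]))
    order["state"] = step
    return step

def is_forbidden(fn, *args):
    """Demonstration helper: True if the call is rejected."""
    try:
        fn(*args)
        return False
    except Forbidden:
        return True
```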
Example: Amoy network logic vulnerability, beauty QQ, mobile phone number and other information viewed for free (without paying a cent) http://wooyun.org/bugs/wooyun-2010-01081849

Business interface calls
Replay attacks: for business calls that send SMS or mail, or that generate business data (such as SMS verification codes, e-mail verification codes, order generation, comment submission and so on), test by calling (replaying) the business link. If the replayed call generates multiple valid business results or data records, the interface is vulnerable.
Example: MU Tian Trading network logic loophole (cask principle) http://www.wooyun.org/bugs/wooyun-2015-094545

Content editing

10 Timeliness bypass

Time refresh defect
The 12306 website's ticket business refreshes the ticket query every 5 s, but this interval is set locally. As a result, the related variable can be reset to 1 s or smaller in the browser console so that the refresh time is shortened significantly (mainly by changing the autosearchtime local parameter).
12306 auto-refresh ticket time can be changed vulnerability http://www.wooyun.org/bugs/wooyun-2014-048391

Time range test
For certain time-limited businesses, modify their time limits:
1. For example, for a business that can be queried within a time limit, modify the time-limited field in the request and submit it to see whether the business process can be completed by bypassing the time limit.
2. For example, by changing the month range in which the processing records of the mobile office are queried, you can break through the default of only six months of records.
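Added example (not from the page or from any cited site) of a verification code service written so that the tests of section 6 and the replay and timeliness tests above fail: the code is kept server-side and never echoed to the client, it expires, it allows a bounded number of guesses, it is single-use so a captured packet cannot be re-submitted, and re-issuing through the SMS interface is rate-limited. The phone number, TTL and thresholds are constructed assumptions.

```python
import hmac
import secrets
import time

OTP_TTL = 300         # seconds a code stays valid (assumption)
MAX_ATTEMPTS = 5      # wrong guesses allowed per issued code (assumption)
MIN_RESEND_GAP = 60   # seconds between two codes for one target (assumption)

# Constructed server-side store: phone -> {"code", "expires", "attempts", "issued"}
_CODES = {}

def issue_code(phone, now=None):
    """Generate a 6-digit code and keep it server-side. The return value goes
    to the SMS gateway only; it must never be written into the HTTP response,
    which is what the client echo test looks for. Returns None when a code
    was issued too recently (frequency limit on the sending interface)."""
    now = time.time() if now is None else now
    prev = _CODES.get(phone)
    if prev is not None and now - prev["issued"] < MIN_RESEND_GAP:
        return None
    code = f"{secrets.randbelow(10 ** 6):06d}"
    _CODES[phone] = {"code": code, "expires": now + OTP_TTL,
                     "attempts": 0, "issued": now}
    return code

def verify_code(phone, submitted, now=None):
    """Return True exactly once for the correct, unexpired code.

    Expired codes, more than MAX_ATTEMPTS guesses and any re-submission of a
    code that already succeeded all return False, so a captured packet cannot
    be replayed and the code cannot be brute forced within its lifetime."""
    now = time.time() if now is None else now
    entry = _CODES.get(phone)
    if entry is None or now > entry["expires"]:
        _CODES.pop(phone, None)        # time limit enforced on the server
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        _CODES.pop(phone, None)        # too many guesses: code invalidated
        return False
    if hmac.compare_digest(entry["code"], str(submitted)):
        _CODES.pop(phone, None)        # single use
        return True
    return False
```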
Mind Mapping:
Key points of business security vulnerability mining