Course Overview:
"What is learned from paper always feels shallow; to truly know a thing you must practise it yourself." Through lectures and hands-on exercises, this course teaches students how to find and exploit the common classes of web security vulnerability, and how to fix them.
Course Outline:
Section 1. DVWA deployment
Section 2. Brute force
Section 3. Command injection
Section 4. CSRF
Section 5. File inclusion
Section 6. File upload
Section 7. SQL injection (with output)
Section 8. SQL injection (blind)
Section 9. XSS
NOTES:
The previous three courses introduced web fundamentals, security fundamentals and commonly used security tools. The first two were mostly theory; the third introduced some tools but did not put them to use together. To really understand web vulnerabilities you have to learn and accumulate experience hands-on.
Before anything else, therefore, we need to build a working web penetration testing environment.
1. Installing the PHP Debugging Environment
phpStudy is an integrated package bundling recent Apache, PHP, MySQL, phpMyAdmin and ZendOptimizer builds. It installs in one step and works without further configuration, which makes it a convenient PHP debugging environment.
http://www.phpstudy.net/
Installing phpStudy is straightforward and is not repeated here. The default site root is "<installation path>/WWW".
Alternatively you can download and use XAMPP (Apache + MySQL + PHP + Perl), another capable all-in-one web stack that is just as easy to install. Its default site root is "<installation path>\htdocs".
https://www.apachefriends.org/zh_cn/index.html
2. Deploying DVWA
http://www.dvwa.co.uk/
DVWA (Damn Vulnerable Web Application) is a PHP/MySQL web application that is deliberately vulnerable. It gives security professionals a legal target on which to test their skills and tools, and helps web developers understand how web applications are attacked and defended. Because it is intentionally insecure, run it only on an isolated lab machine or VM, never on a production server or a host reachable from the internet.
DVWA contains 10 modules in total:
- Brute Force
- Command Injection
- CSRF (cross-site request forgery)
- File Inclusion
- File Upload
- Insecure CAPTCHA
- SQL Injection
- SQL Injection (Blind)
- XSS (Reflected)
- XSS (Stored)
Each module comes in four security levels: Low, Medium, High and Impossible.
By comparing the source code of the four levels, testers can gradually master both the principle of each type of attack and the defence against it.
- Download the DVWA release package and extract it into the WWW directory under the phpStudy installation path; rename the extracted folder to dvwa.
- Go into the config directory and edit the database settings in config.inc.php (newer DVWA releases ship config.inc.php.dist, which you copy to config.inc.php first). Use the MySQL user and password of your phpStudy/XAMPP installation.
- Open http://127.0.0.1/dvwa/setup.php in the browser and click the "Create / Reset Database" button at the bottom. If it reports an error, check that the database settings in config.inc.php are correct.
- Open http://127.0.0.1/dvwa/login.php and log in with admin / password.
3. Other Tools
Download the Firefox browser and install the plugins and tools introduced in chapter three.
(Notes) NetEase Micro-Professional, Web Security Engineer: 04. Web Security, 1. DVWA Deployment