"Notes" NetEase micro-professional-web security Engineer -04.web Security -1.DVWA Deployment

Source: Internet
Author: User

Course Overview:

The paper came to the end of the light, I know this matter to preach. Through the course of learning and practical exercises, let the students understand and grasp the common web security vulnerabilities mining, use skills, and know how to repair.

Course Outline:

The first section. DVWA deployment

Section Ii. Violent cracking

Section III. Command injection

Fourth section. Csrf

Fifth section. file contains

Sixth section. File Upload

Seventh section. SQL Echo Injection

Eighth section. SQL Blinds

Nineth section. Xss

NOTES:

The previous three courses, mainly introduces the Web basic Knowledge, security foundation, commonly used security tools and so on, the first two lessons theory more, the third lesson although introduced some tools, but did not integrate to use. In order to understand the vulnerability of web security, we must learn and accumulate in actual combat.

At the beginning of everything, we need to build good one web penetration test environment.

1. Installing the PHP Debugging Environment

Phpstudy package integration of the latest apache+php+mysql+phpmyadmin+zendoptimizer, one-time installation, without configuration can be used, is very convenient and easy to use PHP debugging environment.

http://www.phpstudy.net/

Phpstudy installation is still very simple, no longer repeat, the default site home directory under "Installation path/www".

In addition, you can also download the use of XAMPP (Apache+mysql+php+perl), is also a powerful building station integration package, installation is very simple, the default site home directory under "Installation path \htdocs".

Https://www.apachefriends.org/zh_cn/index.html

2. Deploying DVWA

http://www.dvwa.co.uk/

DVWA (Damn vulnerable Web application) is a Php/mysql Web application for security vulnerability identification designed to provide a legitimate environment for security professionals to test their expertise and tools. Help Web developers to better understand the Web application security protection process.

Dvwa A total of 10 modules, respectively:

    1. Brute Force (Violent (cracked))
    2. Command injection (line injection)
    3. CSRF (cross-site request forgery)
    4. File inclusion (files included)
    5. File Upload (document upload)
    6. Insecure CAPTCHA (unsafe verification Code)
    7. SQL injection (SQL injection)
    8. SQL injection (Blind) (SQL Blind)
    9. XSS (reflected) (reflective cross-site scripting)
    10. XSS (Stored) (Storage-type cross-site scripting)

Divided into four levels of security: low,medium,high,impossible.

By comparing four levels of code, testers can gradually master the principles and defenses of each type of infiltration.

    1. Download DVWA deployment package, the folder can be renamed to DVWA under the WWW directory where the phpstudy installation path is extracted.
    2. Go to config and modify the database configuration in config.inc.php.
    3. Open the browser input http://127.0.0.1/dvwa/setup.php, click on the bottom right corner to create a test database, if the error, confirm that the database configuration in config.inc.php is correct.
    4. Open the browser input http://127.0.0.1/dvwa/login.php and use Admin/password to access it.
3. Other Tools

Download browser Firefox, install the plugins and tools mentioned in chapter three.

"Notes" NetEase micro-professional-web security Engineer -04.web Security -1.DVWA Deployment

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.