Security Test notes

Source: Internet
Author: User

 

A. SQL Injection Criteria:

1. Append a single quotation mark ('), its URL-encoded form %27, or its double-encoded form %2527

If the vulnerability exists, the server returns a database error after submission, such as an unclosed single quotation mark.

2. Append the comment marker -- or its URL-encoded form %2D%2D or double-encoded form %252d%252d

If the vulnerability exists, the server returns a database error similar to an unclosed single quotation mark or an incomplete SQL statement.

3. Append a condition test (number type): and 1=1 / and 1=2

If the vulnerability exists, the two submissions produce two different pages: a logically true page (generally the same as the result returned when no test string is appended) and a logically false page (generally an empty result).

4. Append a condition test: ' and '1'='1 / ' and '1'='2

If the vulnerability exists, the two submissions produce two different pages: a logically true page (generally the same as the result returned when no test string is appended) and a logically false page (generally an empty result).
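Added example (not part of the original notes): criteria 1 and 3 applied to a numeric parameter, once against a query built by string concatenation and once against a bound parameter. The `news` table, its rows and the function names are constructed for illustration.

```python
import sqlite3

def build_db():
    # Constructed sample data for the demonstration.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?)", [(1, "first"), (2, "second")])
    return db

def lookup_concat(db, raw_id):
    # Vulnerable pattern: the request parameter becomes part of the SQL text.
    try:
        return db.execute("SELECT title FROM news WHERE id = " + raw_id).fetchall()
    except sqlite3.Error as exc:
        return "DB error: %s" % exc

def lookup_bound(db, raw_id):
    # Hardened pattern: the value is bound as data and never parsed as SQL.
    try:
        return db.execute("SELECT title FROM news WHERE id = ?", (raw_id,)).fetchall()
    except sqlite3.Error as exc:
        return "DB error: %s" % exc

def run_criteria(lookup):
    # Baseline request plus the probes from criteria 1 and 3.
    db = build_db()
    probes = ["1", "1'", "1 and 1=1", "1 and 1=2"]
    return {p: lookup(db, p) for p in probes}

def criteria_met(results):
    # Criterion 1: the quote yields a database error.
    # Criterion 3: the true condition matches the baseline, the false one does not.
    hits = []
    if isinstance(results["1'"], str):
        hits.append("quote causes database error")
    if results["1 and 1=1"] == results["1"] != results["1 and 1=2"]:
        hits.append("true/false conditions give different pages")
    return hits

if __name__ == "__main__":
    for name, fn in (("concatenated", lookup_concat), ("bound", lookup_bound)):
        print(name, "->", criteria_met(run_criteria(fn)) or "no criterion met")
```

With the bound parameter every probe is compared as a literal value, so neither the error nor the true/false page difference appears.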

B. Cross-Site Scripting test scope:

1. Create and modify pages (including creating, saving, submitting, editing, and modifying pages)

Manual + PAROS Tool Testing

2. File Upload (including blacklist and whitelist)

Blacklist: attachments in HTML, EXE, and BAT formats are not allowed to be uploaded.

Whitelist: add an executable script to a file of a type that can be uploaded, such as Word, Excel, or PPT, for example <SCRIPT>alert(document.cookie)</SCRIPT>

How to test the XSS vulnerability:

1. In the input box, submit the tag characters < and > and their URL encoding %3C%3E and double encoding %253c%253e. You can enter them together.

2. In the input box, submit single and double quotation marks ' and " and their URL encoding %27%22 and double encoding %2527%2522.

3. In the input box, submit the parentheses ( and ) and their URL encoding %28%29 and double encoding %2528%.

Note: 1. Huawei IT only requires escape filtering of special characters such as < > and single and double quotation marks for Web applications, and does not require.

2. Only persistent cross-site vulnerabilities are rectified. Non-persistent and URL cross-site vulnerabilities are not rectified, and the risk of being attacked is considered to be low.

3. For cross-site attachment upload vulnerabilities, inject a script that obtains cookie information, <SCRIPT>alert(document.cookie)</SCRIPT>, to verify the vulnerability.

4. Common test scripts are as follows:

<SCRIPT>alert("AAA")</SCRIPT>

<IFRAME src="http://www.c114.net"></iframe>

<SCRIPT>alert(document.cookie)</SCRIPT>

javascript:alert(document.cookie)

111" onmouseover="javascript:alert('xss')

222222<>%3C%3E%253c%253e

1111'"%27%22%2527%

3333()%28%29%2528%

Note: ◆ If the page does not redirect after submission, check the source code directly on the current page. If it does redirect, check on the result query page whether the submitted content has been escaped.

◆ Auto-suggest fields and drop-down lists are also part of the cross-site test. Enter a normal value first, then use the PAROS tool to modify the request and append the cross-site test string.

◆ When multiple conditions are submitted or changed at once, you can enter cross-site test strings in all of them. It is best to mark each condition with its own identifier so that it is easy to find in the output.

Criteria for determining cross-site scripting vulnerabilities:

1. In the input box, submit the tag characters < and > and their URL encoding %3C%3E and double encoding %253c%253e

----- Observe the source of the output page. If the output content is displayed between HTML tags and < and > are not encoded as character entities, a cross-site scripting vulnerability exists. If the output content is displayed in script content on the page and is not escaped with \, a cross-site scripting vulnerability exists.

2. In the input box, submit single and double quotation marks ' and " and their URL encoding %27%22 and double encoding %2527%2522.

----- Observe the source of the output page. If the output content is displayed in an attribute value of an HTML tag and the quotation marks are not encoded as character entities, a cross-site scripting vulnerability exists. If the output content is displayed in script content on the page and is not escaped with \, a cross-site scripting vulnerability exists.

3. Upload and download files

----- Blacklist: if attachments in HTML, EXE, or BAT format can be uploaded, a cross-site vulnerability exists.

----- Whitelist: after uploading, click the attachment in the open interface. If it is opened as HTML, a cross-site vulnerability exists. If it is opened as its own file type, there is no cross-site vulnerability.
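Added example (not part of the original notes): criteria 1 and 2 automated as a check over the source of an output page, covering the between-tags and attribute-value cases only. The page template, the marker value and the function names are constructed for illustration, and the context detection is a simple heuristic.

```python
import html
import re

MARK = "222222"            # distinct marker so the field is easy to find in the source
PROBE = MARK + "<>'\""     # tag characters plus both quotation marks

# After the marker, each probe character is either raw or a character entity.
TAIL = re.compile(r"""(<|&lt;)(>|&gt;)('|&#x27;|&#39;)("|&quot;|&#34;)""")

def render(value, encoder):
    # Constructed template: the value is echoed between tags and in an attribute.
    v = encoder(value)
    return '<p>Result: %s</p>\n<input name="q" value="%s">' % (v, v)

def check_reflection(source, mark=MARK):
    findings = []
    for hit in re.finditer(re.escape(mark), source):
        tail = TAIL.match(source, hit.end())
        if tail is None:          # probe characters were stripped or altered
            continue
        before = source[:hit.start()]
        # Heuristic: the marker sits inside a tag if the last "<" has no ">" after it.
        in_attr = before.rfind("<") > before.rfind(">")
        raw_tags = tail.group(1) == "<" or tail.group(2) == ">"
        raw_quotes = tail.group(3) == "'" or tail.group(4) == '"'
        if in_attr and raw_quotes:
            findings.append("attribute value: quotation marks not entity-encoded")
        if not in_attr and raw_tags:
            findings.append("between tags: < > not entity-encoded")
    return findings

ENCODERS = {
    "none": lambda s: s,
    "tags only": lambda s: html.escape(s, quote=False),
    "tags and quotes": lambda s: html.escape(s, quote=True),
}

def audit():
    # Run the same probe through each output-encoding variant of the template.
    return {name: check_reflection(render(PROBE, enc)) for name, enc in ENCODERS.items()}

if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, "->", findings or "no finding")
```

The "tags only" variant shows why criterion 2 is checked separately: encoding < and > alone still leaves the attribute-value finding.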
