Web penetration testing strategy [1]

Source: Internet
Author: User
Tags: creative commons attribution

Introduction
This document describes the knowledge required for web penetration testing. PentesterLab summarizes the basic knowledge and the most common vulnerabilities covered by the exercises into a CD.
About this document
License
PentesterLab's penetration testing guide is released under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. For the text of this license, see http://creativecommons.org/licenses/by-nc-nd/3.0.
Some notes on this document
Related exercises will be provided in the future, together with reference links for further study.
Web Applications
After the system boots, you can use the ifconfig command to obtain its current IP address:

$ ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 52:54:00:12:34:56
          inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:ff:fe12:3456/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:88 errors:0 dropped:0 overruns:0 frame:0
          TX packets:77 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10300 (10.0 KiB)  TX bytes:10243 (10.0 KiB)
          Interrupt:11 Base address:0x8000

In this example, the IP address is 10.0.2.15.
During the training, the host name of the vulnerable machine is vulnerable. You can use the IP address in place of the host name, or add the host name and its IP address to your hosts file.
On Windows, the hosts file is located at
  C:\Windows\System32\Drivers\etc\hosts
On Unix/Linux and Mac OS X, the hosts file is located at
  /etc/hosts
Tip: the IP address may change after the machine is restarted, so you may need to update the hosts file accordingly.
After accessing the web application, you will see the following page:

Web
Many companies expose web services, and many applications now have web versions. The importance of web security is therefore self-evident.
Web Security Model
The essence of the web security model is simple: do not trust data submitted by the client. Most of the information the server receives comes from the client, so data submitted by the user should be validated, filtered and escaped.
Web Security risks
Web applications carry the same risks as other types of applications:
· Information leakage
· Reputational (image) damage
· Information loss
· Economic losses
Web Technology
Architecture
Most web applications have three components:
· Client: mostly browsers
· The web server that accepts client requests. An application server processes the request; in this case the web server only forwards the request to the application server.
· Storage backend used to store information: usually databases.
Different behaviors of these components may expose vulnerabilities and security issues.
Client technology
The most common client-side technologies are HTML, JavaScript, Flash... A browser (Chrome, Firefox, IE, etc.) is used to connect to the server. However, the web client may also be a script that connects to a web service.
Server Technology
Many technologies are used on the server side, and each of them may be exposed to attacks.
They can be divided into the following types:
· Web Server
Such as Apache, lighttpd, Nginx, IIS...
· Application Server
Such as Tomcat, JBoss, and Oracle Application Server
· Programming Language
PHP, Java, Ruby, Python, ASP, C#... These languages are also used with frameworks, such as Ruby on Rails, .NET MVC, and Django.
Storage backend
The storage backend can be located on the same machine as the web server, or on different machines.
Some storage backend examples:
· File storage
· Relational Database
For example, MySQL, Oracle, SQL Server, and PostgreSQL.
· Other databases
For example, MongoDB, CouchDB.
· Directory
For example, OpenLDAP or Active Directory.
An application can use multiple storage methods. For example, some programs use LDAP to store user names and passwords, and Oracle to store other user information.
HTTP Protocol
HTTP is the foundation of the entire web. If you want to test web applications, an in-depth understanding of this protocol is essential. Familiarity with the HTTP specification will help you find vulnerabilities.
A client-server exchange
HTTP is an exchange between a client and a server: the client (usually a browser) sends a request to the server, and the server returns a response. HTTP is a text protocol, so it is easy to read. Web servers generally listen on TCP port 80. When you enter a URL in the address bar of your browser, the browser sends a request containing:
· HTTP method
Tells the server what operation the browser wants to perform.
· Resource
Describes what the client wants to access on the server.
· Version information
Indicates the version of the HTTP protocol in use.
· Various headers
These tell the server the name and version of the browser, the preferred languages (such as English, German, French...), and so on.
· Request body
Interpreted differently depending on the HTTP method.
For example, opening http://vulnerable/index.php generates the following HTTP request:

GET /index.php HTTP/1.1
Host: vulnerable
User-Agent: Mozilla Firefox


Request
Method
There are many HTTP methods:
· GET Method
The most common method, used by browsers to retrieve web page content
· POST method
The POST method is used to send larger amounts of data and is commonly used for forms and file uploads.
· HEAD Method
The HEAD method is similar to the GET method. The only difference is the response returned by the server: the response to a HEAD request contains only the headers and no body. This method is often used by web spiders to check whether a page has changed, so that the spider does not need to download the whole page.
There are also many other HTTP methods: PUT, DELETE, PATCH, TRACE, OPTIONS, CONNECT...
Parameters
Another important part of the request is the parameters. When the client accesses the page http://vulnerable/article.php?id=1&name=2, the following request is sent to the web server:

GET /article.php?id=1&name=2 HTTP/1.1
Host: vulnerable
User-Agent: Mozilla Firefox

A POST request is very similar, but the parameters are carried in the request body. Consider the following form:

This HTML code corresponds to the following login form:


If the form values are as follows:
Username is 'admin'
Password is 'Password123'
After the form is submitted, the following request is sent to the server:

POST /login.php HTTP/1.1
Host: vulnerable
User-Agent: Mozilla Firefox
Content-Length: 35

username=admin&password=Password123



If the <form> tag uses the GET method, the request sent is as follows:

GET /login.php?username=admin&password=Password123 HTTP/1.1
Host: vulnerable
User-Agent: Mozilla Firefox


If the form tag contains the attribute enctype="multipart/form-data", the request looks like this:

POST /upload/example1.php HTTP/1.1
Host: vulnerable
Content-Length: 305
User-Agent: Mozilla/5.0 [...] AppleWebKit
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfLW6oGspQZKVxZjA

------WebKitFormBoundaryfLW6oGspQZKVxZjA
Content-Disposition: form-data; name="image"; filename="myfile.html"
Content-Type: text/html

My file
------WebKitFormBoundaryfLW6oGspQZKVxZjA
Content-Disposition: form-data; name="send"

Send file
------WebKitFormBoundaryfLW6oGspQZKVxZjA--


Note the special Content-Type request header:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfLW6oGspQZKVxZjA
"WebKit" appears because the browser is WebKit-based; other engines use a different random string. The boundary string appears several times: once before each part of the body, and once more at the end, where it is followed by "--". When you upload a file, the browser sends the following information:
File name: myfile.html
Parameter name: image
File type: text/html
File content: My file
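As an added illustration that is not code from the original text or from PentesterLab, here is a small parser for the multipart body shown above, followed by the kind of check a server-side defender would apply to the parsed parts; the sample body, the function names and the allowed-type list are assumptions.

```python
import re

# Constructed sample, not from the original text: the multipart upload body
# shown above, re-typed with the CRLF line endings a browser really sends.
BOUNDARY = "----WebKitFormBoundaryfLW6oGspQZKVxZjA"
RAW_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="image"; filename="myfile.html"\r\n'
    "Content-Type: text/html\r\n"
    "\r\n"
    "My file\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="send"\r\n'
    "\r\n"
    "Send file\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()


def parse_multipart(body, boundary):
    """Split a multipart/form-data body into parts: dicts holding the field
    name, filename (None for plain fields), declared Content-Type and content.
    The boundary is random so it cannot collide with content; still untrusted."""
    delimiter = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delimiter)[1:]:      # [0] is the preamble, ignored
        if chunk.startswith(b"--"):              # "--boundary--" closes the body
            break
        chunk = chunk[2:] if chunk.startswith(b"\r\n") else chunk
        head, _, content = chunk.partition(b"\r\n\r\n")   # headers / blank / data
        headers = {}
        for line in head.split(b"\r\n"):
            key, _, value = line.decode("latin-1").partition(":")
            headers[key.strip().lower()] = value.strip()
        disp = headers.get("content-disposition", "")
        name = re.search(r'(?:^|;\s*)name="([^"]*)"', disp)   # not "filename="
        fname = re.search(r'filename="([^"]*)"', disp)
        parts.append({
            "name": name.group(1) if name else None,
            "filename": fname.group(1) if fname else None,
            "content_type": headers.get("content-type"),
            "content": content[:-2] if content.endswith(b"\r\n") else content,
        })
    return parts


def risky_uploads(parts, allowed_types=("image/png", "image/jpeg")):
    """Return (name, filename) for every file part whose declared type is not
    allowed: the text/html upload above is exactly what a server should reject."""
    return [(p["name"], p["filename"]) for p in parts
            if p["filename"] is not None and p["content_type"] not in allowed_types]
```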
You can also pass arrays as parameters (or hashes/dictionaries, as long as the server can parse them). For example, /index.php?id[1]=0 encodes an array containing the value 0 at index 1.
This encoding is often used to set up automatic mapping of request parameters onto objects. For example, the request user[name]=louis&user[group]=1 is mapped to a User object whose name property is louis and whose group property is 1. Automatic mapping is sometimes attacked: by sending additional property values, you may be able to change properties the program does not protect. In the previous example, you could add user[admin]=1 to the request to see whether you obtain admin privileges.
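The bracket-parameter decoding and the mass-assignment problem described above, as an added example that is not part of the original text: decode_nested mirrors the PHP/Rails-style mapping, bind_user_naive is the unprotected pattern the text warns about, and bind_user is the allowlisted form; the query strings, the User class and the function names are constructed for illustration.

```python
from urllib.parse import parse_qsl

# Constructed sample query strings, modelled on the requests in the text above.
ARRAY_QUERY = "id[1]=0"
USER_QUERY = "user[name]=louis&user[group]=1"
TAMPERED_QUERY = USER_QUERY + "&user[admin]=1"   # the extra attribute being probed


def decode_nested(query):
    """Decode bracket-style parameters the way PHP/Rails do:
    "user[name]=louis" -> {"user": {"name": "louis"}}, "id[1]=0" -> {"id": {"1": "0"}}."""
    result = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        segments = key.replace("]", "").split("[")     # "user[group]" -> ["user", "group"]
        node = result
        for seg in segments[:-1]:
            if not isinstance(node.get(seg), dict):
                node[seg] = {}        # a scalar that later receives sub-keys is replaced
            node = node[seg]
        node[segments[-1]] = value
    return result


class User:
    ASSIGNABLE = ("name", "group")   # attributes a request may set; "admin" is not one

    def __init__(self):
        self.name = None
        self.group = None
        self.admin = False


def bind_user_naive(params):
    """The pattern the text warns about: every submitted key becomes an attribute,
    so user[admin]=1 silently lands on the object."""
    user = User()
    for attr, value in params.get("user", {}).items():
        setattr(user, attr, value)
    return user


def bind_user(params, strict=True):
    """Allowlist binding: only ASSIGNABLE attributes are copied. With strict=True
    an unexpected key raises so the attempt can be logged; otherwise it is dropped."""
    user = User()
    fields = params.get("user", {})
    extra = set(fields) - set(User.ASSIGNABLE)
    if extra and strict:
        raise ValueError(f"unexpected attributes: {sorted(extra)}")
    for attr in User.ASSIGNABLE:
        if attr in fields:
            setattr(user, attr, fields[attr])
    return user
```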
From: 91ri.org