Web Security, Part 7 - The End of Test Logic Thinking: A Big Summary of Logic Vulnerabilities (Unauthorized Access, Session Logic, Business Logic, Brute Force)

Source: Internet
Author: User

0. Preface

It has been a while since I concentrated on web security, and looking back, the later material gets rather complicated, involving more and more complex middleware, low-level security, vulnerability research and so on. So here is a series on web security basics plus some handy payload tips, to keep them close at hand. I am no great expert and the content of this blog is very basic; if a real expert reads it, please do not flame me. Corrections of my mistakes are welcome (my level is limited).

First, unauthorized access (privilege escalation):

1. Essence:

An account is able to perform operations outside the scope of the permissions it should have.

2. Classification:

(1) Horizontal privilege escalation: the attacker's account and the victim's account are at the same security level (same role, same classification, same rights), and the attacker reads or modifies data that belongs to another account of that same level.

(2) Vertical privilege escalation: the attacker's account is at a lower security level and gains functions or data reserved for a higher level (for example, an ordinary user performing an administrator's operation).

3. Common locations for unauthorized access:

(1) Modifying, resetting, or retrieving another account's password.

(2) Viewing or modifying information that other accounts have not made public, such as personal data, documents, records, orders, etc.

(3) Any other privileged action that should be bound to a specific account.

4. Development-level reasons for ultra vires behavior and defense measures:

Every operation that touches user data must verify the identity of the user performing it. For example, when displaying any kind of user information, do not simply look the record up by the UID supplied in the request; check again that the record belongs to the authenticated session. You can bind an unpredictable, unguessable identifier to the session or cookie, and for particularly sensitive operations you should require the user to re-enter their password or other authentication information.

5. Detection method:

(1) STEP 1: For every sensitive operation involving an account, check whether anything other than the UID is verified. If nothing else is checked, construct a request with another account's UID and see whether it succeeds; that is the vulnerability. Here "UID" means any claimed account identifier: username, email, userid, and so on.

(2) STEP 2: If there are additional validation parameters, test whether they are predictable or guessable. If they are not, there is no vulnerability; if they are, construct a request with the predicted value to confirm the vulnerability.
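The two checks the text asks for (is this record mine, and may my role do this) plus the re-authentication step for a sensitive operation, as an added example that is not code from the original post. The users, orders and handler names are constructed for the demo and are not any real framework's API; the vulnerable handlers are kept beside the hardened ones so the STEP 1 test above has something to hit.

```python
"""Added example (not code from the original post): ownership check,
role check and re-authentication for a sensitive operation. USERS,
ORDERS and the handler names are constructed for the demo."""
import hashlib
import hmac
import os

# Constructed sample data: two ordinary users and one admin.
USERS = {
    1001: {"role": "user", "pw": None},
    1002: {"role": "user", "pw": None},
    9001: {"role": "admin", "pw": None},
}
ORDERS = {
    "A-1": {"owner": 1001, "total": 42.0},
    "B-7": {"owner": 1002, "total": 13.5},
}


class Forbidden(Exception):
    pass


class Session:
    """What the server already knows about the caller. uid comes from the
    login that created the session, never from a parameter in the request."""

    def __init__(self, uid: int):
        self.uid = uid
        self.role = USERS[uid]["role"]


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(uid: int, password: str) -> None:
    salt = os.urandom(16)
    USERS[uid]["pw"] = (salt, _hash_pw(password, salt))


def check_password(uid: int, password: str) -> bool:
    salt, expected = USERS[uid]["pw"]
    return hmac.compare_digest(_hash_pw(password, salt), expected)


# --- Vulnerable handlers: whatever identifier the client sends is trusted ---
def get_order_vulnerable(session: Session, order_id: str) -> dict:
    # Horizontal: any logged-in user reads any order just by changing order_id.
    return ORDERS[order_id]


def list_all_orders_vulnerable(session: Session) -> dict:
    # Vertical: an admin-only view with no role check at all.
    return ORDERS


# --- Hardened handlers ---
def get_order(session: Session, order_id: str) -> dict:
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session.uid:
        # Same answer for "not yours" and "does not exist", so the endpoint
        # cannot be used to enumerate which order ids are valid.
        raise Forbidden("order not found")
    return order


def list_all_orders(session: Session) -> dict:
    if session.role != "admin":
        raise Forbidden("admin only")
    return ORDERS


def change_password(session: Session, target_uid: int, current_pw: str, new_pw: str) -> bool:
    # The target must be the session's own account, and the caller must
    # prove the current password again instead of relying on the cookie alone.
    if target_uid != session.uid:
        raise Forbidden("can only change your own password")
    if not check_password(session.uid, current_pw):
        return False
    set_password(session.uid, new_pw)
    return True


if __name__ == "__main__":
    set_password(1001, "alice-pw")
    bob = Session(1002)
    print("vulnerable:", get_order_vulnerable(bob, "A-1"))  # Alice's order leaks to Bob
    try:
        get_order(bob, "A-1")
    except Forbidden as e:
        print("hardened:", e)
```

Note that the hardened `get_order` deliberately returns the same error for a foreign order and for a non-existent one; a different message for each would let the STEP 1 probe enumerate valid identifiers even where it cannot read them.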

Second, session logic:

1. Session issues:

(1) The session ID (SID) should be regenerated after a successful login. It is usually stored in a cookie, so a Set-Cookie header carrying a fresh value is enough. Failing to do so enables session fixation attacks.

(2) The session ID should expire within a reasonable time; otherwise a stale session can be reused, that is, someone who obtains your cookie can act as you long after.
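A session store that shows both points, as an added example (not code from the original post): it regenerates the SID on login so a pre-login ID planted by an attacker becomes worthless, and it expires sessions on idle time and on absolute lifetime. The store, its timeouts and the `fixation_scenario` helper are constructed for the demo; sending the SID via Set-Cookie with HttpOnly/Secure flags is not modelled here.

```python
"""Added example (not code from the original post): SID regeneration on
login and session expiry. Timeouts and the store are demo assumptions."""
import secrets
import time

IDLE_TIMEOUT = 15 * 60         # seconds without a request before the session dies
ABSOLUTE_LIFETIME = 8 * 3600   # hard cap regardless of activity


class SessionStore:
    def __init__(self, regenerate_on_login: bool, clock=time.time):
        self.regenerate_on_login = regenerate_on_login
        self.clock = clock     # injectable so expiry can be tested without waiting
        self._sessions = {}    # sid -> {"uid": int | None, "created": float, "last_seen": float}

    def new_anonymous(self) -> str:
        # 32 random bytes: unguessable, unlike a counter or a hash of the username.
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[sid] = {"uid": None, "created": now, "last_seen": now}
        return sid

    def login(self, sid: str, uid: int) -> str:
        """Called after the password check succeeded. Returns the SID the
        server must now send back in Set-Cookie."""
        if sid not in self._sessions:
            raise KeyError("unknown session")
        if not self.regenerate_on_login:
            # Vulnerable: the pre-login SID simply becomes authenticated.
            self._sessions[sid]["uid"] = uid
            return sid
        self._sessions.pop(sid)            # the old id is invalid from now on
        new_sid = self.new_anonymous()
        self._sessions[new_sid]["uid"] = uid
        return new_sid

    def resolve(self, sid: str):
        """uid for a live session, or None if unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_LIFETIME:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["uid"]

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def fixation_scenario(regenerate_on_login: bool) -> bool:
    """Attacker obtains an unauthenticated SID and plants it in the victim's
    browser; the victim then logs in. True means the attacker's copy of the
    SID now resolves to the victim's account."""
    store = SessionStore(regenerate_on_login)
    planted = store.new_anonymous()
    store.login(planted, uid=1001)     # the victim's browser sent the planted SID
    return store.resolve(planted) == 1001


if __name__ == "__main__":
    print("fixation without regeneration:", fixation_scenario(False))
    print("fixation with regeneration:   ", fixation_scenario(True))
```

The absolute lifetime matters as much as the idle timeout: a user who keeps clicking every few minutes would otherwise hold a stolen-cookie window open indefinitely.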

Third, business logic:


1. Payment logic vulnerabilities
(1) Modify the product quantity to a negative number (this may increase the real or virtual balance of the attacker's account).
(2) Modify the unit price, total price, or shipping price (to a negative or very small value, etc.) so that the attacker gains.
(3) Modify the price field to a string and try to trigger a server-side exception that the logic mishandles; for example, an exception while computing the total price leaves the total at 0.
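Server-side order validation covering the three tricks above (negative quantity, tampered price or shipping, non-numeric price that trips an exception), as an added example that is not code from the original post. The catalog, prices, quantity cap and request shape are constructed for the demo; the vulnerable total is kept beside the hardened one to show exactly what each trick does.

```python
"""Added example (not code from the original post): recompute the order
total from server-side data and fail closed on bad input. Catalog,
prices and the request shape are demo assumptions."""
from decimal import Decimal, InvalidOperation

CATALOG = {"sku-1": Decimal("19.90"), "sku-2": Decimal("5.00")}
SHIPPING = Decimal("6.00")
FREE_SHIPPING_FROM = Decimal("50.00")
MAX_QTY = 100


class InvalidOrder(ValueError):
    pass


def total_vulnerable(order: dict) -> Decimal:
    """Trusts price, qty and shipping from the client and, on any error,
    falls back to 0: the 'exception -> total becomes 0' bug."""
    try:
        total = Decimal("0")
        for item in order["items"]:
            total += Decimal(str(item["price"])) * int(item["qty"])
        return total + Decimal(str(order.get("shipping", SHIPPING)))
    except (KeyError, ValueError, TypeError, InvalidOperation):
        return Decimal("0")


def total_hardened(order: dict) -> Decimal:
    """Recomputes everything from server-side data; the only client input
    that matters is which SKUs and how many."""
    items = order.get("items")
    if not isinstance(items, list) or not items:
        raise InvalidOrder("empty order")
    total = Decimal("0")
    for item in items:
        sku = item.get("sku") if isinstance(item, dict) else None
        if sku not in CATALOG:
            raise InvalidOrder(f"unknown sku {sku!r}")
        qty = item.get("qty")
        # bool is a subclass of int, so exclude it explicitly; then require
        # a genuine positive integer below a sane cap (no "3", no 0, no -3).
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
            raise InvalidOrder(f"bad quantity for {sku}")
        total += CATALOG[sku] * qty       # price from the catalog, never from the request
    shipping = Decimal("0") if total >= FREE_SHIPPING_FROM else SHIPPING
    return total + shipping


def checkout(order: dict):
    """Fail closed: an invalid order is rejected, never charged at 0."""
    try:
        return True, total_hardened(order)
    except InvalidOrder as e:
        return False, str(e)


if __name__ == "__main__":
    tampered = {"items": [{"sku": "sku-1", "price": "abc", "qty": -3}], "shipping": 0}
    print("vulnerable total:", total_vulnerable(tampered))
    print("hardened:", checkout(tampered))
```

Any client-supplied `price`, `total` or `shipping` field is simply ignored by `total_hardened`; the test for trick (2) is therefore not "is the value sane?" but "does the server ever read it at all?".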

2. Message bombing vulnerabilities
(1) SMS bombing, e-mail bombing, private message bombing.
(2) Where it may occur:
(2.1) Fetching the registration verification code (e-mail, SMS)
(2.2) Fetching the registration activation e-mail (e-mail)
(2.3) Password retrieval verification (e-mail, SMS)
(2.4) Payment notifications and payment verification codes (SMS)
(2.5) Anywhere site messages or private messages are sent (private message, site message)
(3) Test method: capture the request that sends the SMS, e-mail, private message, or site message, and replay it repeatedly.

3. Denial of service against a specific user
(1) Pick a target user and deny that user service.
(2) The logic flaw: repeated failed authentication attempts cause the account to be locked, so an attacker can lock out any user by supplying wrong credentials for that user.
(3) Where it occurs: anywhere verification takes place (registration, payment, password retrieval, password change, login, sensitive operations, etc.).
(4) Test method: replay a request that carries wrong verification information.

Fourth, brute force:

1. Verification codes (CAPTCHA).

2. Frequency control on failed attempts (rate limiting).
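One sliding-window counter used two ways, as an added example (not code from the original post) serving three passages above: the throttle that stops the replayed send-SMS/send-mail request from the message bombing section, and the failed-login policy for the brute force section, built so that an attacker replaying wrong passwords cannot lock the victim out (the user-targeted denial of service under business logic). The limits, the keys being counted, the `SmsGate`/`LoginGuard` names and the choice to escalate to a CAPTCHA rather than a hard lock are design decisions of this example, not something the post specifies.

```python
"""Added example (not code from the original post): sliding-window
throttling for message sending and for failed logins. Limits, keys
and the CAPTCHA escalation are demo assumptions."""
import hmac
import time
from collections import defaultdict, deque


class SlidingWindow:
    """Per-key event counter over the last `window` seconds."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._events = defaultdict(deque)

    def _prune(self, key):
        q = self._events[key]
        now = self.clock()
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def count(self, key) -> int:
        return len(self._prune(key))

    def hit(self, key) -> bool:
        """Record one event; False if the key is already at its limit."""
        q = self._prune(key)
        if len(q) >= self.limit:
            return False
        q.append(self.clock())
        return True


class SmsGate:
    """Limits per target number (the victim of the bombing) and per source
    address (the replaying attacker); a rejected replay still burns the
    source's budget because the source counter is hit first."""

    def __init__(self, clock=time.monotonic):
        self.per_target = SlidingWindow(limit=3, window=600, clock=clock)    # 3 codes per number / 10 min
        self.per_source = SlidingWindow(limit=20, window=3600, clock=clock)  # 20 sends per IP / hour

    def send_code(self, phone: str, source_ip: str) -> bool:
        if not self.per_source.hit(source_ip):
            return False
        if not self.per_target.hit(phone):
            return False
        return True   # a real implementation sends the SMS here


class LoginGuard:
    """Failures are counted per (account, source) and per source; the
    per-account counter only escalates to a CAPTCHA demand, never to a hard
    lock, so flooding an account with wrong passwords slows the attacker
    down without denying the real owner."""

    def __init__(self, clock=time.monotonic):
        self.per_pair = SlidingWindow(limit=5, window=900, clock=clock)      # 5 failures per account+IP / 15 min
        self.per_source = SlidingWindow(limit=50, window=3600, clock=clock)  # 50 failures per IP / hour
        self.per_account = SlidingWindow(limit=10, window=900, clock=clock)  # beyond this, demand a CAPTCHA
        self.passwords = {}   # constructed demo store; real code keeps salted hashes

    def attempt(self, account: str, password: str, source_ip: str, captcha_ok: bool = False) -> str:
        """Returns 'ok', 'bad_password', 'throttled' or 'captcha_required'."""
        if (self.per_pair.count((account, source_ip)) >= self.per_pair.limit
                or self.per_source.count(source_ip) >= self.per_source.limit):
            return "throttled"
        if self.per_account.count(account) >= self.per_account.limit and not captcha_ok:
            return "captcha_required"
        stored = self.passwords.get(account)
        if stored is not None and hmac.compare_digest(stored, password):
            return "ok"
        self.per_pair.hit((account, source_ip))
        self.per_source.hit(source_ip)
        self.per_account.hit(account)
        return "bad_password"
```

The user-DoS test from section 3 (replay wrong credentials for the victim) then yields "throttled" for the attacker's address and "captcha_required" at worst for the victim, never a locked account; the SMS replay from section 2 stops at the third message to the same number regardless of how many times the request is resent.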
