Web intrusion Mainstream approach

One, weak password hack
Weak passwords are ubiquitous in life, such as the password is 123456,12345678,88888888,66666666,123ABC and the name is full pinyin and the default password root,admin and empty, and so on, here is the software application of the weak password, that is, our common site, Use a computer or mobile phone to open the browser or the app can browse a variety of sites, most of which are user login portal or management login portal, to log in to enter the user name and password, some also need to enter a verification code, there are digital pictures and sliding verification and SMS verification, In fact, can be divided into no verification code and have a verification code, it is clear that there is no verification code compared with the verification code of the site is more likely to be cracked weak password, if there is a weak password case. Common weak password cracking mode:
1, manually try to enter login
2, use the tool enumeration. For example, the famous Burpsute, as for the use of the method I do not list, and later will be free to write

Second, use the components of known vulnerabilities
Applications that use components with known vulnerabilities can disrupt application defenses and can result in severe data loss or server takeover.
For example, the PHP language of the Thinkphp,phpstudy,java language framework struts, Windows Iis,nginx, Jboss,mapreduce and so on a series of components have been a loophole, Typically, these components, if not fixed vulnerabilities, are vulnerable components, as long as hackers use a little bit to invade the site or even control the host.

Third, SQL injection
SQL injection has always been compared to hackers favored by the intrusion method, not only easy to use, and most of the dynamic site will have a database interaction with the action, once filtering and protection is not strict, can be constructed via HTTP request injection statement. For example, a Web site has a URL that is http://xxx.gov.cn/xxx.php?id=7 access to the URL through a browser
Can get a page, in fact, this access action in the database operation statement is like this: SELECT * from table where id=7; If the request is not filtered or unprotected, we will change the request to Http://xxx.gov.cn/xxx.php?id=7and 1=2 Union SELECT COUNT (*) from Information_schema.tables; At this point will be injected, of course, this will certainly be injected into the failure, should be the obvious illegal request, normal users will not construct such a statement, so naturally escaped site security monitoring application or code filtering, but we can change a way, Avoid monitoring and filtering by UrlEncode the following statements or by using Base64 encryption or by using Unicode encoding and so on.

Four, XSS
Everyone may think that XSS is the window, in fact, the window is just testing the existence of XSS and usability.
XSS means cross-site scripting, the vulnerability is also frequently found in various web sites, the use of this vulnerability to exploit the attack to obtain a cookie is also present, but this kind of intrusion is somewhat passive than the previous three. Examples of cookies that use XSS monitoring administrators online should be found. This technique requires mastering the js,html language, requiring a good time and, more importantly, relying on luck. As for why this is not discussed here, the details can be discussed in several pages.

Five, failed authentication and session management
If the application features associated with identity authentication and session management are not properly written, then an attacker could steal a session token, break the password authentication impersonate another user, or even intercept a password to log in and perform any legitimate operation as that user. For example:
1, change the password is too simple, relying on the session IP address only one step change;
2, no session timeout limit;
3, forget the password after the logic is too simple to retrieve the function;
I remember some time ago I found a unit in the vulnerability, you can use Burpsute easily cracked site administrator login password.

VI, CSRF
CSRF refers to forged cross-site requests, a bit like XSS cross-site scripting. The full name of CSRF is "cross-site request forgery", and the full name of XSS is "cross-site scripting". Look a bit similar, they are all cross-site attacks-do not attack the server side and attack normal access to the site users, but said earlier, their attack type is different dimensions of classification. CSRF as the name implies, is a forgery request, impersonating the user in the station normal operation. We know that the vast majority of websites use cookies to identify users (including websites using server-side sessions, where session IDs are mostly stored in cookies), and then authorize them. Therefore, in order to forge the normal operation of the user, the best way is to enable the user to initiate a request that the user does not know by means of XSS or link spoofing, such as the browser side of the identity cookie.
Strictly speaking, CSRF cannot be classified as an injection attack, because the CSRF approach is far more than the XSS injection. CSRF is easy to achieve through XSS, but for poorly designed sites, a normal link can cause CSRF.
If a forum post is implemented by a GET request, the JS code posts the content into the target URL and requests it after clicking on it. For example, the stitching URL is http://xxx.com/bbs/createitem.asp?title= title &content= content
So I just need to send a post in the forum, including links http://xxx.com/bbs/createitem.asp?title= How to use xxx&content= quick action
As long as a user clicks on the link, their account will be released without the knowledge of this post. Maybe it's just a prank, but since the request for a post can be forged, the deletion, transfer, password change and email can all be forged.

Web intrusion Mainstream approach