Password brute-forcing (爆破, "blasting")
Not adopting an authentication security policy, or adopting a weak one, raises the chance that a login can be brute-forced.
B/S (browser/server) brute force cracking
Capture the login request with Burp Suite and brute-force it with Intruder against a password list.
Account takeover case: https://xz.aliyun.com/t/6330
C/S (client/server) brute force cracking
Cracking tools: Hydra, Bruter, X-Scan.
Brute-force countermeasures
1. Password complexity: require a minimum length, several character classes and special characters; weak or common passwords are not allowed.
2. Add a verification code (CAPTCHA).
3. Limit the number of login attempts (lockout or rate limiting per account and per source).
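The first and third countermeasures above, as an added Python example (not code from the original notes): a password-policy check and a per-account failure counter that locks the account after MAX_FAILURES wrong guesses. The policy constants, the tiny common-password list and the account "alice" are assumptions for illustration.

```python
import re
import time
from collections import defaultdict

# Assumed policy values for this example; adjust to the application's requirements.
MIN_LENGTH = 12
MAX_FAILURES = 5          # wrong guesses tolerated per account inside one window
LOCKOUT_SECONDS = 900     # window for counting failures and length of the resulting lock
# Constructed deny-list of common passwords; a real list is far larger.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "admin123", "letmein"}


def password_acceptable(pw):
    """Countermeasure 1: minimum length, at least three character classes,
    and not on the common-password list."""
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(pw) >= MIN_LENGTH and classes >= 3 and pw.lower() not in COMMON_PASSWORDS


class LoginThrottle:
    """Countermeasure 3: count failures per account and lock the account
    once MAX_FAILURES are seen inside LOCKOUT_SECONDS."""

    def __init__(self, now=time.time):
        self.now = now                      # injectable clock so the behaviour is testable
        self.failures = defaultdict(list)   # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time the lock expires

    def allowed(self, account):
        return self.now() >= self.locked_until.get(account, 0)

    def record_failure(self, account):
        cutoff = self.now() - LOCKOUT_SECONDS
        recent = [t for t in self.failures[account] if t > cutoff]
        recent.append(self.now())
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = self.now() + LOCKOUT_SECONDS
            recent = []
        self.failures[account] = recent

    def record_success(self, account):
        self.failures.pop(account, None)


def attempt_login(throttle, check_credentials, account, password):
    """Returns 'locked', 'ok' or 'bad'. While locked the credential check is not
    even run, so a brute-force run gets at most MAX_FAILURES real guesses per window."""
    if not throttle.allowed(account):
        return "locked"
    if check_credentials(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "bad"


if __name__ == "__main__":
    clock = [0.0]
    throttle = LoginThrottle(now=lambda: clock[0])

    def creds(user, pw):
        return (user, pw) == ("alice", "Correct-Horse-Battery-9")

    for guess in ["123456", "password", "alice2019", "qwerty", "letmein", "Correct-Horse-Battery-9"]:
        print(guess, attempt_login(throttle, creds, "alice", guess))
```

The sixth attempt, even though it carries the right password, is answered with "locked" without the credentials being checked; a per-source (IP) counter built the same way stops an attacker spreading guesses across many accounts.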
Verification code security
How a verification code (CAPTCHA) works:
1. The client initiates a request.
2. The server responds, creates a new SessionID and generates a random verification code.
3. The server returns the verification code and the SessionID to the client.
4. The client submits the verification code together with the SessionID to the server.
5. The server verifies the verification code, destroys it (the current session) at the same time, and returns the result to the client.
Verification code design problems fall into four areas:
the client, the server, the verification code itself, and the verification code process.
Client-side problems
1. The verification code is checked only in JavaScript.
Use F12 (developer tools) to remove the verification code box or the check, then log in with the correct username and password; the server never validates the code.
2. The verification code (or the failed-attempt counter that triggers it) is stored in a cookie under the client's control. Scenario: there is no verification code at first; it only appears after wrong username/password entries reach k.
Server-side problems
1. The verification code is not destroyed in time (in PHP the default session garbage collection, session.gc_maxlifetime = 1440 s, only clears it after about 24 minutes).
Log in once with the correct verification code, capture the request, and replay the same code and session cookie with every password guess.
2. No non-empty check: submit an empty verification code, or delete the session cookie so that no code is stored, to bypass it.
3. Option-type verification codes (small answer space): fix the submitted answer to one option and repeat the request; the verification code itself can be brute-forced in a few attempts.
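The five-step flow above and the first two server-side defects, as an added Python example (not code from the original notes). An in-memory dict stands in for the PHP session store; verify_vulnerable keeps the code after checking it and has no non-empty check, verify_hardened consumes the code on the first check. The 4-character alphabet, the 120-second lifetime and the sample wordlist are assumptions for illustration.

```python
import hmac
import secrets
import string
import time

# Constructed in-memory store standing in for the PHP session: sid -> {"captcha", "issued"}
SESSIONS = {}
CAPTCHA_TTL = 120                 # assumed lifetime of an unused code, in seconds
ALPHABET = string.ascii_uppercase + string.digits


def new_session():
    """Steps 2 and 3: create a SessionID and bind a fresh random code to it.
    Only the sid (cookie) and the rendered code go to the client; the text stays server-side."""
    sid = secrets.token_urlsafe(16)
    code = "".join(secrets.choice(ALPHABET) for _ in range(4))
    SESSIONS[sid] = {"captcha": code, "issued": time.time()}
    return sid, code


def verify_vulnerable(sid, submitted):
    """Reproduces the two server-side defects from the notes:
    - the stored code is left in place after a check, so one solved code replays forever;
    - no non-empty check, so a session with no code (cookie deleted) and an empty submit match."""
    stored = SESSIONS.get(sid, {}).get("captcha", "")
    return stored == (submitted or "")


def verify_hardened(sid, submitted):
    """Step 5 done properly: consume the code first, then reject empty, expired or wrong input."""
    entry = SESSIONS.pop(sid, None)            # destroyed whether or not the check passes
    if entry is None or not submitted:
        return False
    if time.time() - entry["issued"] > CAPTCHA_TTL:
        return False
    return hmac.compare_digest(entry["captcha"].encode(), submitted.upper().encode())


def replay_attack(verify, wordlist, correct_password):
    """Solve the CAPTCHA once, then resend the same sid and code with every password guess.
    Returns (number of guesses that got past the CAPTCHA, password found or None)."""
    sid, code = new_session()
    passed = 0
    for guess in wordlist:
        if not verify(sid, code):              # the CAPTCHA gate in front of the password check
            continue
        passed += 1
        if guess == correct_password:
            return passed, guess
    return passed, None


if __name__ == "__main__":
    wordlist = ["123456", "password", "hunter2", "letmein"]   # constructed sample wordlist
    print("vulnerable:", replay_attack(verify_vulnerable, wordlist, "hunter2"))
    print("hardened:  ", replay_attack(verify_hardened, wordlist, "hunter2"))
    print("empty code, no session, vulnerable:", verify_vulnerable("no-such-sid", ""))
    print("empty code, no session, hardened:  ", verify_hardened("no-such-sid", ""))
```

With the vulnerable verifier every guess passes the gate and the password is found; with the hardened one only the first guess gets through, and the attacker has to solve a new code for each attempt.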
Verification code process design problems
Login protected by a per-request token (handled in Burp Intruder):
1. Enter the username and password, capture the request, and keep only two payload positions: the value to brute-force and the token value (Pitchfork attack type).
2. Set the token position's payload type to "Recursive grep", extract the token value from the response (Grep - Extract), and set the payload range for the value being brute-forced.
3. Start the attack (with a single thread, since each request depends on the previous response).
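The recursive-grep idea above, as an added Python example rather than a Burp configuration (not code from the original notes). FakeLoginServer is a constructed stand-in for a login form that issues a fresh one-time token in every response; the username "admin", its password and the wordlist are assumptions. The naive loop reuses the first token and fails after one guess; the recursive loop pulls the token out of each response and feeds it into the next request, which is exactly what Intruder's Recursive grep payload does.

```python
import re
import secrets


class FakeLoginServer:
    """Constructed target: a per-session token that is rotated on every response."""

    def __init__(self, username, password):
        self.creds = {username: password}
        self.tokens = {}                     # session cookie -> currently valid token

    def _rotate(self, sess):
        self.tokens[sess] = secrets.token_hex(8)
        return self.tokens[sess]

    def get_login_page(self, sess):
        tok = self._rotate(sess)
        return 200, f'<form><input type="hidden" name="token" value="{tok}"></form>'

    def post_login(self, sess, username, password, token):
        # A stale or missing token is rejected; a new token is issued either way.
        if token != self.tokens.get(sess):
            tok = self._rotate(sess)
            return 403, f'invalid token<input type="hidden" name="token" value="{tok}">'
        tok = self._rotate(sess)
        if self.creds.get(username) == password:
            return 302, "Location: /home"
        return 200, f'bad password<input type="hidden" name="token" value="{tok}">'


# The "Grep - Extract" rule: pull the token out of the response body.
TOKEN_RE = re.compile(r'name="token" value="([0-9a-f]+)"')


def extract_token(body):
    m = TOKEN_RE.search(body)
    return m.group(1) if m else None


def naive_bruteforce(server, sess, username, wordlist):
    """Plain Sniper-style attack: the token captured once is reused for every guess."""
    _, page = server.get_login_page(sess)
    token = extract_token(page)
    for pw in wordlist:
        status, _ = server.post_login(sess, username, pw, token)
        if status == 302:
            return pw
    return None                              # every guess after the first was rejected


def recursive_grep_bruteforce(server, sess, username, wordlist):
    """Recursive grep: single-threaded, token from response N goes into request N+1."""
    _, page = server.get_login_page(sess)
    token = extract_token(page)
    for pw in wordlist:
        status, body = server.post_login(sess, username, pw, token)
        if status == 302:
            return pw
        token = extract_token(body)          # the "Recursive grep" step
    return None


if __name__ == "__main__":
    words = ["123456", "admin", "Summer2019!", "qwerty"]     # constructed sample wordlist
    print("naive:    ", naive_bruteforce(FakeLoginServer("admin", "Summer2019!"), "s1", "admin", words))
    print("recursive:", recursive_grep_bruteforce(FakeLoginServer("admin", "Summer2019!"), "s2", "admin", words))
```

Because the next request cannot be built until the previous response has arrived, this only works with one thread; the same constraint applies to the Intruder attack.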
Hands-on (PKAV HTTP Fuzzer)
1. Capture the login request (Burp Suite).
2. Paste the request into PKAV, mark the variable to brute-force, and mark the verification code parameter with the verification code marker.
3. Set the verification code recognition according to its type.
4. Set the replay options.
5. Send from the packet sender.