Can't detect web bugs? If you don't know how, click in and take a look!


With the advent of the 5G era, the business development of many companies is increasingly inseparable from the Internet. For example, the New Year's five-fortune-collection activities, the annual 618, Double Eleven, and Double Twelve promotion activities of e-commerce giants, or leisure games, food retail, etc., are all in the Internet ecosystem.

Precisely because more and more people have come online, many hackers, in order to make money, attack web servers and intercept other people's information. There are many attack methods; common ones include SQL injection, cross-site scripting, cross-site request forgery, and buffer overflow.

Therefore, on the one hand, we need to strengthen network security and focus on security when building web pages; on the other hand, we must fully understand web vulnerabilities, understand the points a hacker might attack, and improve our own professional skills. Only then can we assist developers in jointly maintaining network security.

So, what are the common web security problems in daily life? Today we will discuss them together.

1. SQL injection problems

In Web security testing, SQL injection is the most common attack method. The attacker carefully constructs illegal SQL query commands, inserts them into a form or request string, submits it, and obtains the desired data from the returned result. This is SQL injection.

SQL injection methods generally include guessing and shielding. The guessing method guesses the table names and column names that may exist in the database and obtains information about the data tables through the resulting combined SQL statements. The shielding method exploits lax validation of SQL input so that the logical check in the SQL statement always evaluates to true, thereby bypassing verification.

2. Cross-site scripting attacks

Cross-site scripting (XSS for short) is an attack technique that forces a Web site to echo executable code.

The attacker supplies executable code, and the Web site returns it in its response. Typically, the attacker inserts malicious script code into a Web page; when a user browses the page, the embedded script code is executed, thereby attacking the end user.

The most common attack methods for XSS are reflected XSS and stored XSS. Among them, reflected XSS, also known as non-persistent cross-site scripting attacks, is also the most common XSS attack method.

Stored XSS is different. It is a persistent cross-site scripting attack, and it is also the kind of XSS that harms users most directly. Once the attacker has stored the attack code on the server, a user only needs to open the corresponding page to trigger the automatic execution of the XSS code.

3. Cross-site request forgery issues

Cross-site request forgery (CSRF for short) is a malicious use of a website. It exploits a trusted website by disguising forged requests as requests from an ordinary user. Compared with XSS attacks, CSRF attacks are less well known and therefore often difficult to prevent. For this reason, we believe that CSRF is often more dangerous than XSS.

4. Buffer overflow problem

Buffer overflow is a very common vulnerability, which is widely present in various operating systems and application software.

Buffer overflow attacks can cause a program to fail or the system to shut down or restart, or they can execute the attacker's instructions, for example to elevate privileges illegitimately.

Among buffer overflows, the most dangerous is the stack overflow. The attacker can use it to overwrite the function's return address, so that when the function returns, execution jumps to any address the attacker wants. The most typical example is the 1988 worm that exploited the fingerd vulnerability.

So, what are the feasible ways to solve these page attack problems?

1. Regarding SQL injection issues

Guessing and shielding are the most basic and simplest methods of SQL injection. During testing, we need to pay attention to naming rules and to the blocking of keywords. In addition, we need to keep summing up experience in our work and learn more about guessing ideas and blocking methods.

2. About cross-site scripting attacks

Reflected XSS is generally triggered only when we click the link ourselves; only then does the XSS code injected by the attacker run. The solution for this kind is: be careful.

Stored XSS is different. This kind of XSS is more dangerous and is prone to hazards such as worms and theft of user cookies. When testing for this kind of problem, you must have a certain understanding of the program's code, and in particular check the sensitive symbols in the program, such as "/", ".", "'", "'", "<", ">", "?", etc. Check whether these special characters are handled improperly, and check whether restrictions on database fields, database types, lengths, and so on have been left unhandled.
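One way to automate the special-character check described above, as an added example that is not from the original article: store a harmless canary value containing sensitive characters, render the page, and flag any stored value that comes back verbatim. The two render functions and the canary are constructed for illustration; the check covers the characters that matter in HTML text (`<`, `>`, `"`, `'`).

```python
import html

# Subset of the sensitive characters listed above that html.escape rewrites.
SENSITIVE = set("<>\"'")

def render_unsafe(comments):
    # Stored values are pasted into the page exactly as they were saved.
    return "<ul>" + "".join("<li>%s</li>" % c for c in comments) + "</ul>"

def render_escaped(comments):
    # html.escape turns &, <, >, " and ' into character references.
    items = "".join("<li>%s</li>" % html.escape(c, quote=True) for c in comments)
    return "<ul>" + items + "</ul>"

def find_unescaped(page, stored_values):
    """Return stored values that contain sensitive characters and
    appear verbatim (unescaped) in the rendered page."""
    return [v for v in stored_values if SENSITIVE & set(v) and v in page]

# Constructed stored comments: one plain, one harmless canary with markup.
STORED = ["nice article", "<i id=\"canary\">'probe'</i>"]

if __name__ == "__main__":
    print("unsafe page :", find_unescaped(render_unsafe(STORED), STORED))
    print("escaped page:", find_unescaped(render_escaped(STORED), STORED))
```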

3. About cross-site request forgery

A simple way to judge whether there is a CSRF vulnerability is to capture a normal request, remove the Referer field, and then resubmit it. If the second submission is still valid, it means that there is a CSRF vulnerability.

To prevent CSRF, the commonly used method is to add a token to the AJAX asynchronous request address and verify it, thereby reducing the possibility of CSRF.
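The two paragraphs above combined in one added example (not code from the original article): a handler that relies only on the Referer header, a handler that verifies a session-bound token, and a replay helper that resubmits a request the way a forged cross-site request would arrive. The handler names, the `csrf_token` parameter and the `shop.example` origin are hypothetical; the replay also drops the token, on the assumption that a forged request cannot know it.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # server-side secret, generated for the demo

def issue_token(session_id):
    """Token bound to one session: HMAC-SHA256 of the session id."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def handle_referer_only(session_id, headers, params):
    # Weak: rejects only a foreign Referer, so a missing Referer passes.
    referer = headers.get("Referer")
    return referer is None or referer.startswith("https://shop.example/")

def handle_with_token(session_id, headers, params):
    # Requires the session-bound token whatever the Referer says;
    # compare_digest avoids leaking the match position through timing.
    supplied = params.get("csrf_token", "")
    expected = issue_token(session_id)
    return hmac.compare_digest(supplied.encode(), expected.encode())

def forged_request_accepted(handler, session_id, params):
    """Replay a captured request without Referer and without the token.
    True means the handler still accepts it."""
    replay = {k: v for k, v in params.items() if k != "csrf_token"}
    return handler(session_id, {}, replay)

if __name__ == "__main__":
    sid = "sess-123"  # constructed session id
    captured = {"amount": "10", "csrf_token": issue_token(sid)}
    print("referer-only accepts replay:",
          forged_request_accepted(handle_referer_only, sid, captured))
    print("token check accepts replay :",
          forged_request_accepted(handle_with_token, sid, captured))
```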

4. Buffer overflow problem

In fact, there are many causes of buffer overflow. The main ones are that the size, length, and format of input and output data are not restricted, and that the user's unusual operations are not handled as exceptions.

Therefore, during testing we need to pay attention to the restrictions on the size, length, and format of input and output, and we also need to simulate some exceptional conditions and check how those exceptions are handled.


For web application software, security includes the security of the web server, the database, the operating system, and the network. If any one of them has a security vulnerability, the security of the entire system is compromised. Web security testing is a difficult problem to solve, and the result depends on the extent of the testing. Simply put, software cannot be 100% tested, so don't expect it to be 100% safe.

Finally, I sincerely hope that our test experts can continuously improve their business level and protect the private data of Internet users.


Origin blog.csdn.net/weixin_50829653/article/details/114142742