[Web Penetration Testing] - Web Vulnerability
Vulnerability Exploitation Scenario
CTF, SRC, red-blue confrontation, actual combat, etc.
Vulnerability hazards
SQL injection: You can get database permissions and get the data in the database
File upload: directly obtain website permissions
XSS cross-site: obtain website background permissions
Vulnerability classification
High risk: data security and loss of permissions, SQL injection, file upload, file inclusion, code execution, unauthorized access, command execution
Moderate risk: some effects, deserialization, logical security
Low risk: a small amount of information is leaked, the information does not refer to data, but the source code of the website, some account passwords, and the impact is not large, XSS cross-site, directory traversal, file reading
Vulnerability highlights
CTF: file upload, SQL injection, deserialization, code execution, especially deserialization
SRC: almost all of them can appear, and there are more logical security in specific targets
Red and blue confrontation: basically high-risk vulnerabilities, file upload, file inclusion, code execution, command execution
Vulnerability situation issues
If the loophole cannot be found, it may be that the information collection is not in place; the tool is not suitable;