Vulnerability Mining and Tools

1. Vulnerability mining

  1. Barrel theory of security (the weakest link)

Find the weakest point;

  2. A site with one vulnerability is likely to have more

Developers' security awareness problems;

  3. A vulnerability in one site may also exist in other sites

Business code reuse;

General vulnerabilities (WordPress plugin vulnerabilities, Discuz not updated in time);

  4. Not all bugs are fixed

Where the fix was applied;

Bypassing the fix;

  5. Learn to find vulnerabilities that scanners cannot detect and that other white hats find hard to locate

Vulnerabilities that require deep interaction or authentication;

Stored XSS / CSRF / broken access control / logic vulnerabilities;

  6. The process of finding vulnerabilities

Usually you first locate the dangerous function, then trace its call chain backwards, and finally check whether the user can control the input at any point along that chain;
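As an added illustration of this process (not code from the original post), the following Python script performs that sink-first, backward-tracing check over a constructed PHP fragment: it marks which variables carry user input as it walks the code, and reports each dangerous call whose argument traces back to a request parameter. The sink, source and sanitizer lists are assumptions kept deliberately short.

```python
import re

# Constructed PHP fragment (not from the original post) used as the audit target.
SAMPLE_PHP = """
$id = $_GET['id'];
$name = trim($id);
$safe = intval($_GET['page']);
$sql = "SELECT * FROM users WHERE id=" . $name;
mysql_query($sql);
mysql_query("SELECT 1 WHERE x=" . $safe);
system("ls " . $_POST['dir']);
echo htmlspecialchars($_GET['q']);
"""

# Assumed lists: dangerous sinks, user-input sources, and sanitizers treated as breaking taint.
SINKS = {"mysql_query", "system", "exec", "eval", "echo"}
SOURCES = {"$_GET", "$_POST", "$_REQUEST", "$_COOKIE"}
SANITIZERS = {"intval", "htmlspecialchars", "escapeshellarg"}

ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?);\s*$")
VAR_RE = re.compile(r"\$\w+")
CALL_RE = re.compile(r"(\w+)\s*\(")
SINK_RE = re.compile(r"\b(" + "|".join(sorted(SINKS)) + r")\b(.*)")

def is_tainted(expr, tainted):
    """True if expr mentions a user-input source or an already tainted variable,
    unless its outermost call is a known sanitizer (heuristic: nesting is ignored)."""
    m = CALL_RE.match(expr.strip())
    if m and m.group(1) in SANITIZERS:
        return False
    return any(v in SOURCES or v in tainted for v in VAR_RE.findall(expr))

def find_dangerous_calls(src):
    """Walk the code top-down, track which variables carry user input, and return
    (line_number, sink_name, source_line) for every sink reachable from a source."""
    tainted, findings = set(), []
    for lineno, line in enumerate(src.strip().splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m:  # propagate taint through assignments, or clear it on a clean reassignment
            var, expr = m.groups()
            if is_tainted(expr, tainted):
                tainted.add(var)
            else:
                tainted.discard(var)
            continue
        s = SINK_RE.search(line)
        if s and is_tainted(s.group(2), tainted):
            findings.append((lineno, s.group(1), line.strip()))
    return findings
```

On the sample, only the `mysql_query($sql)` and `system(...)` lines are reported; the `intval` and `htmlspecialchars` paths are treated as sanitized.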

  7. General ideas around WAF

1). Pre-processing exploitation: try to bypass the WAF's input validation, for example through its handling of HTTP headers (X-Originating-IP, X-Forwarded-For, X-Remote-IP, X-Remote-Addr), which has been used many times to bypass the SQL injection protection of a company's WAF, or through tampering with the HTTP method (GET/POST), the handling of newline characters, etc.;

2). Mismatch in blocking: differences between front-end and back-end data processing mean the blacklist rules fail to match; this is usually bypassed by combining parameter pollution, character encoding, comments and similar methods;

3). Rule-set bypass: enumerate the WAF's interception rules by brute force, or reverse-engineer the WAF program to obtain its rules, and then try to bypass them.

  8. Permissions and bypass ideas

2. Commonly used browser plug-ins

  1. Firebug

A powerful website debugging tool that can also be used for simple packet capture

  2. Tamper Data

Captures and modifies packets

  3. HackBar

A tool for manual SQL injection/XSS testing, with encoding functions

  4. Live HTTP Headers

Packet capture tool, easy to use, often used to test CSRF

3. Commonly used web security tools

1. AWVS

A versatile web vulnerability scanner with many useful tools

If the computer itself needs a proxy to access the external network, you also need to set the proxy server under Application Settings – Application Updates

2. xray

  1. xray manual
    xray is a powerful security assessment tool created by a number of experienced front-line security practitioners; its main features are:

Fast detection: packets are sent quickly and the vulnerability detection algorithm is efficient.
Wide support: everything from OWASP Top 10 general vulnerability detection to POCs for various CMS frameworks.
High code quality: written by experienced engineers, with reliability improved through multiple layers of verification such as code review, unit tests and integration tests.
Highly customizable: the engine's parameters are exposed through the configuration file, so its behaviour can be extensively customized by editing that file.
Safe to run: xray is positioned as an auxiliary security assessment tool rather than an attack tool; all built-in payloads and POCs are harmless checks.

Linkage with Burp

payload: webscan --listen 127.0.0.1:7777 --html-output xray-testphp.html

.\xray_windows_amd64.exe webscan --listen 127.0.0.1:7777 --html-output xray-testphp.html

Using AWVS with xray

AWVS scan directory

Linking xray with the AWVS crawler

webscan --listen 0.0.0.0:1111 --html-output awvs.html

3. NetSparker

Vulnerability scanner that works well for SQL injection, XSS, LFI and other vulnerability scanning

4. AppScan

5. BurpSuite

Comprehensive functionality, commonly used for brute forcing, packet capture, CSRF testing, etc.

You need to set the browser proxy to port 8080 to capture packets. To capture HTTPS packets, visit http://burp in the browser to download the certificate and import it.

If the computer itself needs a proxy to access the external network, set it under Burp Options – Connections – Upstream Proxy Servers

On the phone, set the Wi-Fi proxy to the IP and port that Burp listens on. Visit http://burp on the phone and click CA Certificate to download the certificate to the phone as cacert.der.

Change the extension to .cer to install it; on Huawei phones the certificate needs to be installed for VPN and apps in order to decrypt HTTPS

6. Layer

Subdomain/IP range collection, while filtering for live hosts

7. Fiddler

Commonly used packet capture tool; has an XSS auto-scanning plugin

When Fiddler is opened it sets the browser proxy to port 8888 by default (the port Fiddler listens on), and Fiddler forwards traffic out through the system proxy (you can also set your own, such as http=10.2.2.1:80); you need to enable interception to modify packets, otherwise you only get a snapshot.

Note: HTTP/HTTPS requests sent by PC-side software are also captured, but private protocols (custom application-layer packet bodies) cannot be captured; use Wireshark for those.

There are two situations for HTTP/HTTPS requests issued by client software. One is an embedded browser that parses HTML and executes JS events: for such a function point, keywords for it can be found in the entry page captured on load, and the function is typically completed by the embedded browser executing JS, so you can copy the entry page into a browser, open it, and search the console for the keyword.

The other is a server-side CGI requested directly by the client, where the keyword for the function point cannot be found in the entry page (there may be no entry page at all).

8. sqlmap.py

The go-to tool for database injection

  OWASP vulnerability scanning tool collection: Vulnerability_Scanning_Tools

9. Nessus


Source: blog.csdn.net/qq_42096378/article/details/124067642