Summary of Business Security Vulnerability Mining

0x00 Index Description


Shared at OWASP on 6/30: a vulnerability detection model for business security, further expanded here as a primer.


0x01 Identity Authentication Security


1 Brute-force cracking

Where there is no captcha restriction, or where one captcha can be reused, brute-force passwords against known usernames, or brute-force usernames with a common password. Simple captcha brute-forcing: URL: http://zone.wooyun.org/content/20839

Some tools and scripts

Burpsuite

htpwdScan, a must-have for credential-stuffing brute force. URL: https://github.com/lijiejie/htpwdScan

hydra (install from source; xhydra supports more protocols). It can brute-force web logins; other protocols fall outside the scope of business security.
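As an added example (not code from the original post), the server-side counterpart to the test above: a Python login guard that locks an account after repeated failures and blocks a source that cycles through many usernames with one password, the credential-stuffing pattern that htpwdScan exercises. The user store, the limits and the `LoginGuard` name are constructed for this demonstration.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

MAX_FAILURES_PER_ACCOUNT = 5    # lock the account after this many failures ...
ACCOUNT_LOCK_SECONDS = 900      # ... for 15 minutes
MAX_ACCOUNTS_PER_SOURCE = 10    # one source probing many usernames = stuffing/spraying
SOURCE_WINDOW_SECONDS = 600
PBKDF2_ROUNDS = 50_000          # raise in production; kept low so the demo runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store: username -> (salt, PBKDF2 hash). One demo account.
_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, hash_password("correct horse battery staple", _SALT))}
_DUMMY_SALT = secrets.token_bytes(16)   # unknown usernames are hashed too, so timing is equal


class LoginGuard:
    """Per-account lockout plus per-source username counting. Both checks run
    before the password is compared, so a locked account cannot be probed at all."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(list)          # username -> failure timestamps
        self.source_accounts = defaultdict(dict)   # ip -> {username: last attempt}

    def _account_locked(self, username):
        now = self.clock()
        recent = [t for t in self.failures[username] if now - t < ACCOUNT_LOCK_SECONDS]
        self.failures[username] = recent
        return len(recent) >= MAX_FAILURES_PER_ACCOUNT

    def _source_blocked(self, ip):
        now = self.clock()
        seen = {u: t for u, t in self.source_accounts[ip].items()
                if now - t < SOURCE_WINDOW_SECONDS}
        self.source_accounts[ip] = seen
        return len(seen) > MAX_ACCOUNTS_PER_SOURCE

    def login(self, username, password, ip):
        """Return 'blocked', 'locked', 'bad' or 'ok'."""
        self.source_accounts[ip][username] = self.clock()
        if self._source_blocked(ip):
            return "blocked"
        if self._account_locked(username):
            return "locked"
        salt, stored = USERS.get(username, (_DUMMY_SALT, None))
        candidate = hash_password(password, salt)   # always hash: constant cost
        if stored is not None and hmac.compare_digest(stored, candidate):
            self.failures[username] = []
            return "ok"
        self.failures[username].append(self.clock())
        return "bad"
```

The lock is keyed on the account, not the source, so rotating IPs does not reset it, while the per-source username count catches the "one password, many users" sweep that never trips a per-account counter. A real deployment would persist both tables in a shared store rather than process memory.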

2 Session & cookie class

Session fixation attack: exploit the server's unchanging session mechanism to obtain authentication and authorization through another user's hands and impersonate them. Case: WooYun: Sina Guangdong Cuisine's backend verification logic flaw, log in directly to the backend, and 566764 user data are exposed!

Cookie spoofing: modify a parameter in the cookie to log in as other users. Case: WooYun: Login with any account on the Yiyun advertising platform

3 Weak encryption

HTTPS not used: a functional test point, and not easy to exploit.

Front-end encryption, where the ciphertext is submitted to the backend for checking; Burp's Smart Decode can usually resolve it.

0x02 Business Consistent Security


1 Phone number tampering

a) Capture packets and try changing the mobile number parameter to another number. For example, on the query page enter your own number, capture the packet, change the mobile number parameter to someone else's number, and check whether you can query their services.

2 Email or user tampering

a) Capture packets and modify user or mailbox parameters to other users or mailboxes

b) Case: WooYun: All versions of the NSFOCUS RSAS security system have a universal privilege administrator bypass vulnerability, including the latest RSAS V5.0.13.2

3 Order id tampering

a) Check your own order id, then modify the id (plus or minus one) and see whether other orders' information can be viewed.

b) Case: WooYun: Guangzhang Travel Agency can access user orders arbitrarily

4 Item number tampering

a) For example, in a points exchange, 100 points can only be exchanged for product number 001 and 1000 points only for product number 005. When exchanging 100 points, change the product number in the request to 005, so low points are exchanged for a high-point product.

b) Case: WooYun: A payment vulnerability in a Lenovo points mall, and then bypassing it

5 User id tampering

a) Capture the packet to find your own user id, then modify the id (plus or minus 1) and see whether other users' information can be viewed.

b) Case: WooYun: Risk of leaking millions of resumes on Lagou.com (including mobile phone, email, job application and other information; one can also pretend to be a corporate identity to screen resumes, send interview notices, etc.)

0x03 Business data tampering


1 Amount data tampering

a) Capture and modify fields such as the amount: for example, grab the product amount field in the request on the payment page, change it to an arbitrary amount, submit it, and check whether the business process completes with the modified amount.

b) Case: WooYun: 12308 does not verify the total price when the order is paid (payment logic vulnerability)

2 Commodity quantity tampering

a) Capture the packet and modify fields such as the product quantity: change the quantity in the request to an arbitrary value, such as a negative number, submit it, and check whether the business process completes with the modified quantity.

b) Case: WooYun: Weilan Group payment logic flaw (negative payment possible)

3 Maximum number limit breach

a) Many products limit the quantity a user may purchase, but the server only enforces the limit on the page through a JS script and does not verify the submitted quantity server-side. Capture the packet, change the product quantity in the request to a value greater than the maximum, and check whether the business process completes with the modified quantity.

4 Local js parameter modification

a) Some applications process user-submitted requests with JavaScript; modify the JavaScript and test whether the modified data affects users.
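The fix for every item in this section and for product-number tampering in 0x02 is the same: the server recomputes the order from its own catalogue and validates quantities, and treats any client-supplied price, total or limit as untrusted. The Python below is an added example, not code from the original post; the catalogue, the SKUs, the point costs and the function names are constructed for the demonstration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Product:
    price: Decimal
    max_per_order: int


# Constructed server-side catalogue: the ONLY source of prices and purchase limits.
CATALOG = {
    "sku-001": Product(Decimal("100.00"), max_per_order=5),
    "sku-005": Product(Decimal("1000.00"), max_per_order=1),
}

# Constructed points catalogue: the product fixes the cost, never the client.
POINTS_COST = {"001": 100, "005": 1000}


class OrderError(ValueError):
    pass


def price_order(items):
    """items: list of (sku, quantity) pairs taken from the request.
    Returns the authoritative total; never reads a price or total from the client."""
    if not items:
        raise OrderError("empty order")
    total = Decimal("0")
    for sku, qty in items:
        product = CATALOG.get(sku)
        if product is None:
            raise OrderError(f"unknown sku {sku}")
        # Reject negative, zero, fractional and boolean quantities ...
        if type(qty) is not int or qty < 1:
            raise OrderError(f"invalid quantity {qty!r} for {sku}")
        # ... and enforce the per-order limit here, not only in page JS.
        if qty > product.max_per_order:
            raise OrderError(f"quantity {qty} exceeds limit {product.max_per_order} for {sku}")
        total += product.price * qty
    return total


def checkout(request):
    """request: dict parsed from the client, e.g. {'items': [['sku-001', 2]], 'amount': '0.01'}.
    The client's 'amount' is only compared for tamper detection; the server total is charged."""
    items = [(str(sku), qty) for sku, qty in request.get("items", [])]
    server_total = price_order(items)
    client_total = request.get("amount")
    tampered = client_total is not None and Decimal(str(client_total)) != server_total
    return {"charge": server_total, "client_amount_mismatch": tampered}


def exchange_points(user_points, product_id):
    """Points exchange: look the cost up by product id and debit that, whatever the client sent."""
    cost = POINTS_COST.get(product_id)
    if cost is None:
        raise OrderError("unknown product")
    if user_points < cost:
        raise OrderError("insufficient points")
    return user_points - cost
```

The `client_amount_mismatch` flag is worth logging and alerting on: a legitimate client never sends a total that disagrees with the catalogue, so every mismatch is a tampering attempt.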

0x04 User Input Compliance


1 SQL injection testing: please refer to http://wiki.wooyun.org/web:sql

2 XSS testing: please refer to http://wiki.wooyun.org/web:xss

3 Fuzz

a) Used more for functional testing: an over-long special string may cause the system to deny service or a function to fail. (Fuzzing is of course not limited to this use.)

b) A case that is not a perfect fit, but whose approach is worth borrowing: WooYun: 建站之星 (SiteStar) fuzzing in practice: arbitrary file upload vulnerability

c) A tool that may be used: spike

4 Other application vulnerabilities involving user input

0x05 Password Recovery Vulnerabilities


1 Strongly recommended: BMa's "Summary of Password Recovery Logic Vulnerabilities"

http://drops.wooyun.org/web/5048

a) General flow for testing password recovery logic

i. First run the normal recovery flow, choosing each recovery method in turn, and record all packets

ii. Analyse the packets and locate the sensitive parts

iii. Analyse the verification means used by the backend recovery mechanism

iv. Modify the packets to test the hypothesis

b) Mind map (for details see BMa's "Summary of Password Recovery Logic Vulnerabilities")
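The recovery flow above is tested by looking for a step whose verification the server does not own: a token that is predictable, reusable, unexpired, or bound to a different account than the one being reset. As an added example (not from the original post or BMa's article), the Python below shows a reset service that closes each of those gaps; the account table, the 15-minute TTL and the `PasswordResetService` name are constructed for the demonstration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60


class PasswordResetService:
    """In-memory demo; a real service persists the pending table in a shared store."""

    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts      # username -> {"email": ..., "password": ...}
        self.clock = clock
        self.pending = {}             # sha256(token) -> (username, expires_at)

    def request_reset(self, email):
        """The HTTP response is identical whether or not the address exists, so the
        caller cannot enumerate accounts. The raw token goes only into the e-mail;
        the server keeps its hash, so a database read does not yield usable tokens."""
        user = next((u for u, a in self.accounts.items() if a["email"] == email), None)
        if user is None:
            return None
        # A new request supersedes any earlier token for the same account.
        self.pending = {h: v for h, v in self.pending.items() if v[0] != user}
        raw = secrets.token_urlsafe(32)   # 256 random bits: not guessable, not derived from the user
        digest = hashlib.sha256(raw.encode()).hexdigest()
        self.pending[digest] = (user, self.clock() + TOKEN_TTL_SECONDS)
        return raw                        # would be embedded in the e-mailed link

    def _consume(self, raw_token):
        digest = hashlib.sha256(raw_token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)   # pop: single use, even if it turns out expired
        if entry is None:
            return None
        user, expires_at = entry
        if self.clock() > expires_at:
            return None
        return user

    def complete_reset(self, raw_token, new_password):
        """The account to reset comes from the token, never from a username or
        e-mail field in the request, so step 3 cannot be pointed at someone else."""
        user = self._consume(raw_token)
        if user is None:
            return False
        # Demo stores the plain string; production stores a slow password hash.
        self.accounts[user]["password"] = new_password
        return True
```

Each defence maps to a test in the flow above: the hashed, random token defeats guessing and prediction; `pop` defeats replay of a recorded packet; the TTL defeats a stale link; and taking the user from the token defeats changing the account identifier in the final request.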

0x06 Verification Code Bypass


Verification codes are not used only for login and password recovery; similar use appears wherever sensitive data is submitted, so they get their own category and more detailed explanation.

1 Verification code brute-force testing

a) Use Burp to brute-force a specific verification code

b) Case: WooYun: Mengyou88 e-commerce platform: arbitrary user registration and arbitrary user password reset vulnerabilities, bundled

2 Verification code time and count testing

a) Capture a packet carrying the verification code and resubmit it repeatedly. For example, on the complaints and suggestions page enter the complaint content and the verification code parameter, capture the packet and resubmit it repeatedly, then check whether the complaint history contains the duplicated submissions.

b) Case:

3 Verification code client-side echo testing

a) When the client must interact with the server to send a verification code, press F12 in Firefox to open Firebug and view the details of the client-server interaction

4 Verification code bypass testing

a) When moving from step one to step two, capture the packet and test tampering with or blanking the verification code, to verify whether that step's code can be bypassed.

b) Case: WooYun: Design flaw in the information security management system of a China Telecom IDC data centre leads to full compromise of the system

5 Verification code JS bypass

a) The SMS verification code logic is flawed: steps one, two and three of the business flow are all on the same page, and the step-one code is checked by JavaScript, so the code can be modified and real-name information filled in and submitted successfully without ever obtaining a code.
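Items 1 to 5 above are each a missing server-side property of the code: an attempt limit, single use, no echo to the client, rejection of a blank value, and step state held on the server rather than in JavaScript. The Python below is an added example, not code from the original post; the SMS gateway callback, the 5-minute TTL, the 3-attempt limit and the `SmsCodeService` name are constructed for the demonstration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


class SmsCodeService:
    def __init__(self, gateway, clock=time.time):
        self.gateway = gateway     # callable(phone, text): the ONLY place the code is written to
        self.clock = clock
        self.pending = {}          # phone -> {"code", "expires", "attempts"}
        self.verified = set()      # server-side record of who passed step one

    def send(self, phone):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[phone] = {"code": code, "expires": self.clock() + CODE_TTL_SECONDS, "attempts": 0}
        self.gateway(phone, f"Your verification code is {code}")
        return {"sent": True}      # the API response never echoes the code (item 3)

    def verify(self, phone, submitted):
        """Returns 'ok', 'rejected', 'expired' or 'locked'."""
        if not isinstance(submitted, str) or not submitted.strip():
            return "rejected"      # blank or missing code never passes (item 4)
        entry = self.pending.get(phone)
        if entry is None:
            return "rejected"
        if self.clock() > entry["expires"]:
            del self.pending[phone]
            return "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[phone]
            return "locked"        # item 1: a new code must be requested
        if not hmac.compare_digest(entry["code"].encode(), submitted.strip().encode()):
            return "rejected"
        del self.pending[phone]    # item 2: single use, so a replayed packet fails
        self.verified.add(phone)
        return "ok"

    def submit_real_name(self, phone, payload):
        """Step three checks the server's own record of step one, not a JS flag
        or a field in the request (item 5)."""
        if phone not in self.verified:
            return False
        self.verified.discard(phone)   # one verification authorises one submission
        return True
```

The attempt counter is incremented before the comparison, so three wrong guesses exhaust the code even when the fourth would have been right; with a six-digit space and three tries, guessing succeeds with probability 3 in a million per code.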

0x07 Business Authorization Security


1 Unauthorized access

a) Unauthorized access means a user can directly reach pages or text that should require authentication without having authenticated. After logging in to a site's front end or back end, copy the relevant page links into another browser or another computer and see whether they can be accessed.

2 Ultra vires (over-privileged) access

Ultra vires vulnerabilities arise mainly because developers trust client-supplied data too much when creating, deleting, updating and querying data, and omit the permission check.

a) Vertical ultra vires (a low-privilege user can access what higher-privilege users can)

b) Horizontal ultra vires (different users with the same privilege level can access each other's data) (wooyun-2010-0100991: multiple horizontal permission issues in PHPEMS)

c) "My Ultra Vires Method" URL: http://drops.wooyun.org/tips/727
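The tests in 0x02 (changing an order id or user id by one) and the vertical and horizontal cases here all come down to one rule: every handler derives the subject from the session and checks both role and ownership before touching the record. As an added example (not code from the original post), the Python below shows the flawed pattern beside the checked one; the roles, the order and profile tables and the function names are constructed for the demonstration.

```python
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    USER = 1
    ADMIN = 2


@dataclass(frozen=True)
class Session:
    user_id: int
    role: Role


class Forbidden(Exception):
    pass


# Constructed data: two users' orders and profiles.
ORDERS = {1001: {"owner": 1, "total": "88.00"}, 1002: {"owner": 2, "total": "12.00"}}
PROFILES = {1: {"phone": "138****0001"}, 2: {"phone": "139****0002"}}


def get_profile_vulnerable(request):
    """The flawed pattern from 0x02: the subject is whatever user_id the client sent."""
    return PROFILES[int(request["user_id"])]


def require_role(session, role):
    """Vertical check: the caller's role must be at least the required one."""
    if session.role.value < role.value:
        raise Forbidden("insufficient role")


def require_owner(session, owner_id):
    """Horizontal check: the record must belong to the caller (admins excepted)."""
    if session.user_id != owner_id and session.role != Role.ADMIN:
        raise Forbidden("not the owner")


def get_order(session, order_id):
    order = ORDERS.get(order_id)
    if order is None:
        raise Forbidden("not found")   # same error as 'not yours', so ids cannot be enumerated
    require_owner(session, order["owner"])
    return order


def get_my_profile(session):
    """The subject comes from the session; the request carries no user_id at all."""
    return PROFILES[session.user_id]


def list_all_orders(session):
    require_role(session, Role.ADMIN)
    return sorted(ORDERS)
```

Returning the same error for "does not exist" and "not yours" matters for the id-plus-or-minus-one test: if the two cases differ, the response alone tells the tester which ids are live.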

0x08 Business Process Out of Order


1 Sequential execution flaw

a) Some site logic may run process A, then B, then C, then finally D

b) Users control every request they send to the application and can therefore access the steps in any order. A user can go straight from B to D, skipping C. If C is the payment step, the user bypasses payment and still gets the item; if C is a verification step, the user bypasses verification and enters the application directly.

c) Case:

WooYun: Logic error on a Wanda sub-site allows bypassing payment and directly obtaining the ticket pickup password

http://wooyun.org/bugs/wooyun-2010-0108184
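The defence is to make the server, not the sequence of URLs the client visits, the record of which step has been completed: each handler checks the stored stage before acting. As an added example (not code from the original post or the Wanda case), the Python below models the ticket flow as a small state machine; the stage names, the transition table and the gateway-amount check are constructed for the demonstration.

```python
import secrets
from enum import Enum


class Stage(Enum):
    CREATED = 1
    PAID = 2
    TICKET_ISSUED = 3


class FlowError(Exception):
    pass


# Each action may only follow the stage listed for it; there is no path that skips payment.
TRANSITIONS = {
    "pay": (Stage.CREATED, Stage.PAID),
    "issue_ticket": (Stage.PAID, Stage.TICKET_ISSUED),
}


class Order:
    def __init__(self, order_id, amount):
        self.id = order_id
        self.amount = amount           # fixed at creation from the server catalogue
        self.stage = Stage.CREATED
        self.pickup_code = None


def advance(order, action, **data):
    """Apply one step. The check is against the server-recorded stage, so calling the
    ticket endpoint directly after creating the order is refused."""
    if action not in TRANSITIONS:
        raise FlowError(f"unknown action {action}")
    required, nxt = TRANSITIONS[action]
    if order.stage is not required:
        raise FlowError(f"{action} requires stage {required.name}, order is {order.stage.name}")
    if action == "pay":
        # 'pay' is driven by the payment gateway's confirmation (which a real system also
        # signature-checks), and the confirmed amount must equal the order's own amount.
        if data.get("gateway_amount") != order.amount:
            raise FlowError("payment amount mismatch")
    elif action == "issue_ticket":
        order.pickup_code = secrets.token_hex(4)
    order.stage = nxt
    return order.stage
```

Because `issue_ticket` requires `PAID` and nothing but a matching gateway confirmation produces `PAID`, the B-to-D jump described above fails with a `FlowError` rather than a pickup code.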

0x09 Business Interface Invocation Security


1 Replay attacks

In the SMS and e-mail invocation or business-data generation steps (for example SMS verification codes, e-mail verification codes, order generation, comment submission), test the step by invoking (replaying) it. If, after the step is invoked (replayed), valid business results or data are generated multiple times:

a) Malicious registration

b) SMS bombing

During testing we found that many financial trading platforms control the SMS send button only on the front end, via a JS timing check, with no restriction on the backend, so large volumes of malicious SMS can be sent by replaying the packet

Case: WooYun: Yimutian trading site logic vulnerability (the barrel principle)

2 Content editing

A similar case:

Click "Get SMS verification code" and capture the packet, shown below. Analysing the packet shows that the content of the sendData/insrotxt parameter is controlled by the client and can be changed to whatever content the attacker wants sent

[Figure: the captured "get SMS verification code" request]

Change the content to "Congratulations, you have won an iPhone 6 provided by xx Bank; log in at http://www.xxx.com to claim it, verification code 236694" and send the packet; the phone receives the modified SMS, shown below:
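Both problems in this section live on the sending side: the server must own the send rate (per number and per source, not a JS timer) and the message text (a server-side template that the client can only select, never edit). As an added example (not code from the original post), the Python below implements that sending layer; the limits, the template, the gateway callback and the `SmsSender` name are constructed for the demonstration.

```python
import time
from collections import defaultdict

PER_PHONE_MIN_INTERVAL = 60     # seconds between messages to one number
PER_PHONE_DAILY_LIMIT = 5
PER_IP_HOURLY_LIMIT = 20        # one source driving many numbers is the bombing pattern

# Fixed server-side text. The client sends a template id; the body is never a request field.
TEMPLATES = {
    "login_code": "[Example Corp] Your verification code is {code}. Valid for 5 minutes.",
}


class SmsSender:
    def __init__(self, gateway, clock=time.time):
        self.gateway = gateway
        self.clock = clock
        self.phone_log = defaultdict(list)   # phone -> send timestamps
        self.ip_log = defaultdict(list)      # ip -> send timestamps

    def _prune(self, stamps, window):
        now = self.clock()
        return [t for t in stamps if now - t < window]

    def send(self, phone, ip, template_id, code):
        """Returns 'sent' or the name of the rule that refused the request."""
        template = TEMPLATES.get(template_id)
        if template is None:
            return "unknown_template"
        if not (isinstance(code, str) and code.isdigit() and len(code) == 6):
            return "bad_code"               # the code is server-generated; anything else is refused
        now = self.clock()
        phone_hist = self._prune(self.phone_log[phone], 86400)
        if phone_hist and now - phone_hist[-1] < PER_PHONE_MIN_INTERVAL:
            return "too_fast"               # a replayed packet lands here
        if len(phone_hist) >= PER_PHONE_DAILY_LIMIT:
            return "phone_daily_limit"
        ip_hist = self._prune(self.ip_log[ip], 3600)
        if len(ip_hist) >= PER_IP_HOURLY_LIMIT:
            return "ip_hourly_limit"
        self.phone_log[phone] = phone_hist + [now]
        self.ip_log[ip] = ip_hist + [now]
        self.gateway(phone, template.format(code=code))
        return "sent"
```

The per-IP limit is what stops a replayed packet with a rotating phone number, which the per-phone interval alone does not see; production systems would add the same counting per account or per device fingerprint.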

[Figure: the modified SMS as received on the phone]

0x10 Time-Limit Bypass Testing


Most exploitable cases occur within the validity window of verification codes and business data; earlier summaries have used 12306 as the typical example, so this gets its own category.

1 Time refresh flaw

On the 12306 ticketing site, tickets refresh every 5 s, but the interval is set locally. From the browser console the associated variable can be reset to 1 s or less, greatly shortening the refresh interval (mainly by changing the local autoSearchTime parameter). Case:

WooYun: 12306 automatic ticket refresh interval can be changed

2 Time range testing

For businesses with a time limit, modify the limited range: for example, for a query restricted to a time window, modify the request containing the plaintext time field, submit it, and check whether the limit can be bypassed and the business flow completed. For instance, by changing the month range when querying service records in a mobile operator's online portal, the default limit of six months of records can be broken.
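Both items are client-held limits that the server must hold instead: the minimum query interval (item 1) and the allowed date window (item 2). As an added example (not code from the original post), the Python below validates a records query against a six-month window computed from the server's date and throttles repeated queries per client; the six-month limit follows the text, while the 5-second interval, the `today` parameter and the function names are constructed for the demonstration.

```python
import time
from collections import defaultdict
from datetime import date

MAX_HISTORY_MONTHS = 6
MIN_QUERY_INTERVAL_SECONDS = 5


class RangeError(ValueError):
    pass


def earliest_allowed(today):
    """First day of the month MAX_HISTORY_MONTHS before the server's current month."""
    year, month = today.year, today.month - MAX_HISTORY_MONTHS
    while month < 1:
        month += 12
        year -= 1
    return date(year, month, 1)


def validate_query_range(start, end, today):
    """Reject any window the client asks for that falls outside the allowed history.
    `today` is the server clock, never a field from the request."""
    if start > end:
        raise RangeError("start after end")
    if end > today:
        raise RangeError("end in the future")
    if start < earliest_allowed(today):
        raise RangeError(f"records before {earliest_allowed(today)} are not available")
    return start, end


def clamp_query_range(start, end, today):
    """Alternative policy: silently narrow the window instead of rejecting it."""
    return max(start, earliest_allowed(today)), min(end, today)


class QueryThrottle:
    """Server-side refresh interval per client, replacing the local timer."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.last = defaultdict(lambda: float("-inf"))

    def allow(self, client_id):
        now = self.clock()
        if now - self.last[client_id] < MIN_QUERY_INTERVAL_SECONDS:
            return False
        self.last[client_id] = now
        return True
```

Whether to reject or clamp is a product decision; what matters for the test above is that the `month` value in the request can no longer widen the window, because the boundary is derived from `today` on the server.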

0x11 References


@eversec

Summary of application logic errors http://drops.wooyun.org/papers/1418

Possible problems in password recovery functions http://drops.wooyun.org/papers/287

Possible problems in password recovery functions (supplement) http://drops.wooyun.org/web/3295

Summary of password recovery logic vulnerabilities http://drops.wooyun.org/web/5048

Three Common Types of Payment Vulnerabilities - Hardening Solutions http://zone.wooyun.org/content/878

Summary of Online Payment Logic Vulnerabilities http://drops.wooyun.org/papers/345

Common Security Vulnerabilities and Defenses of Financial Industry Platforms http://www.freebuf.com/news/special/61082.html

My Ultra Vires Method http://drops.wooyun.org/tips/727

Security Science: Watch the video to understand the TOP10 web application security vulnerabilities (IBM internal video) http://www.freebuf.com/vuls/63426.html
