Business Security of Web Attack and Defense: Summary of Account Security Cases.

Business security refers to the measures or means used to protect a business system from security threats. Business security in the broad sense covers the software and hardware platforms the business runs on (operating systems, databases, middleware, etc.), the business system itself (software or equipment), and the security of the services the business provides; business security in the narrow sense refers to the security of the business system's own software and services.


Contents:

Account security case summary:

Summary of account security:

Accounts and passwords are directly exposed on the Internet:

Unlimited login to any account:

Email Account Compromise Events:

Man-in-the-middle attack:

Credential stuffing attack:

Measures to prevent account leaks:


Disclaimer:

It is strictly forbidden to use the techniques mentioned in this article to carry out illegal attacks; otherwise the consequences are at your own risk, and the author bears no responsibility.


Account security case summary:

Summary of account security:

With the rapid development of the network, a wide variety of network applications have emerged: instant messaging tools (QQ, MSN), online stores, BBS forums, online games and so on. All of them require identity recognition, because identity authentication is the basic guarantee of network information security. The server authorizes legitimately registered users through identity verification or access control: a user first becomes a legitimate user of the server by registering an account and password, and only users who have passed authentication can access resources. Accounts and passwords are therefore necessary for every website application, and at the same time the security problems they face keep growing.

Account-related security issues on the Internet are becoming more and more prominent. The account security vulnerabilities summarized here include password disclosure, brute-force cracking, weak passwords, password reset flaws, login bypass, replay attacks, phishing, information leakage, man-in-the-middle attacks and so on.


Accounts and passwords are directly exposed on the Internet:

GitHub is a hosting service for the distributed version control system Git, where developers upload the source code of their projects. Because of a lack of security awareness, developers sometimes upload sensitive information along with it, including email account passwords, database configuration, administrator passwords, backup files and important source code.

Various types of sensitive information can be located flexibly through a search engine; the search statements are as follows:

(1) Email configuration information query: site:Github.com smtp password

(2) Leakage of database information: site:Github.com sa password

(3) SVN information leakage: site:Github.com svn

(4) Database backup file: site:Github.com inurl:sql

(5) Sensitive file query: site:Github.com password
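The defensive counterpart to the searches above is to catch such values before they are pushed. The following pre-commit style scanner is an added example (not code from the original article): its rule names, placeholder list and the sample config file are constructed for illustration, and a real hook would use a maintained rule set.

```python
import re
import sys

# Rules for the leak types the article lists (SMTP passwords, database
# passwords, connection strings) plus private keys. Constructed for this example.
SECRET_PATTERNS = {
    "smtp password": re.compile(
        r"(?i)smtp[._-]?(pass(word)?|pwd)\s*[=:]\s*['\"]?(?P<value>[^\s'\";]+)"),
    "database password": re.compile(
        r"(?i)\b(sa[._-]?)?(password|pwd)\s*[=:]\s*['\"]?(?P<value>[^\s'\";]+)"),
    "connection string": re.compile(
        r"(?i)(?P<value>(mysql|postgres(ql)?|mssql|mongodb)://[^\s'\"]+)"),
    "private key": re.compile(r"(?P<value>-----BEGIN [A-Z ]*PRIVATE KEY-----)"),
}
# Values that are templates rather than real secrets.
PLACEHOLDERS = {"changeme", "password", "xxx", "<password>", "example"}

def is_placeholder(value):
    v = value.strip().lower()
    return v in PLACEHOLDERS or v.startswith("${") or v.startswith("{{")

def scan_text(text):
    """Return (line number, rule name, masked value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pat in SECRET_PATTERNS.items():
            m = pat.search(line)
            if m and not is_placeholder(m.group("value")):
                findings.append((lineno, label, m.group("value")[:3] + "***"))
                break  # one finding per line is enough to block the commit
    return findings

# Constructed sample of a config file a developer might push by mistake.
SAMPLE_CONFIG = """\
smtp.host = smtp.example.com
smtp.password = "Hunter2!"
db.url = mysql://app:Sup3rS3cret@db.internal:3306/prod
sa_password=${SA_PASSWORD}
api.timeout = 30
"""

if __name__ == "__main__":
    # Pre-commit usage: pass the staged file paths; with no arguments scan the sample.
    sources = [(p, open(p, encoding="utf-8", errors="replace").read())
               for p in sys.argv[1:]] or [("sample.conf", SAMPLE_CONFIG)]
    hits = [(name,) + f for name, text in sources for f in scan_text(text)]
    for name, lineno, label, masked in hits:
        print(f"{name}:{lineno}: possible {label} ({masked})")
    sys.exit(1 if hits else 0)   # non-zero exit code blocks the commit
```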


Unlimited login to any account:

Because the security protections of different applications are uneven, an attacker can exploit flaws to bypass login restrictions, or reach another user's account from an authenticated session by modifying the account ID (capture the request when logging in and change the ID to someone else's to log in to that account).


SQL Injection Vulnerability Can Bypass Login Restrictions

Because input at the website's login page is not filtered strictly, there is an injection vulnerability. Using a universal password, the login restriction can be bypassed and the login succeeds.

(1) Account field, either of: (a) admin' or 1=1;     (b) 1' or 1=1#

(2) Password field: anything, or leave it blank.
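The following added example (not code from the original article) shows the defect behind the universal password and its fix side by side: a login query built by string splicing, and the same query parameterised. The in-memory SQLite table and its two accounts are constructed for the demonstration; SQLite comments with -- where the article's second payload uses MySQL's #.

```python
import sqlite3

def make_db():
    # Constructed in-memory user table. Passwords are stored in clear here only to
    # keep the example short; a real table holds salted password hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "c0rrect-horse"), ("alice", "alice-pw")])
    return conn

def vulnerable_login(conn, username, password):
    # The defect the article describes: input is spliced into the SQL text, so a
    # quote in the account field ends the string literal and the rest is parsed as SQL.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def safe_login(conn, username, password):
    # Parameterised query: the driver passes input as data, never as SQL syntax,
    # so the whole payload is compared against the username column and matches nothing.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

# The article's universal password in SQLite comment syntax.
UNIVERSAL = "admin' or 1=1 -- "

if __name__ == "__main__":
    db = make_db()
    print("spliced query:", vulnerable_login(db, UNIVERSAL, ""))        # admin, no password needed
    print("parameterised:", safe_login(db, UNIVERSAL, ""))              # None
    print("parameterised:", safe_login(db, "admin", "c0rrect-horse"))   # admin
```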


Email Account Compromise Events:

The e-mail business is an information transmission service built on computers and communication networks. It uses electrical signals to transmit and store information and delivers electronic letters, documents, numbers, fax images, digital voice and other kinds of information to users. Its biggest feature is that people can send and receive messages anywhere and at any time, which removes the limits of time and space, greatly improves work efficiency and brings great convenience to office automation. However, leakage of an email account also leads to a large amount of information leakage.

Search the Internet for exposed spreadsheet files via a search engine: filetype:xls


Man-in-the-middle attack:

In a man-in-the-middle attack, the attacker inserts themselves into what the two parties believe is direct communication. Each party thinks it is still talking directly to the other, but in fact both are talking to the attacker, who can read or tamper with the information. A man-in-the-middle can capture not only unencrypted HTTP traffic but also data protected by HTTPS.

HTTPS man-in-the-middle attacks are generally divided into attacks before the SSL connection is established and attacks during HTTPS transmission. Common HTTPS man-in-the-middle attacks first combine ARP spoofing, DNS spoofing, forged CA certificates and similar techniques to intercept the session.

ARP spoofing in practice: https://tianyuk.blog.csdn.net/article/details/123854709


SSL certificate spoofing attack

An SSL certificate spoofing attack redirects the user's traffic to the attacker's device through DNS hijacking, LAN ARP spoofing or even gateway hijacking, so that the user's machine establishes a connection with the attacker's machine using a fake CA certificate; the attacker's machine then connects to the web server, so that it holds separate SSL connections with the user and with the real server. By forwarding data between the two connections, the attacker obtains the traffic exchanged between the victim and the server. However, the user's browser will warn that the certificate is not trusted, and as long as the user does not click to continue, the hijacking is avoided. It is therefore the simplest attack method and also the easiest to see through.


SSL hijacking

SSL hijacking replaces all HTTPS hyperlinks on a page with their HTTP versions, so that the user keeps communicating in plain text. In practice, users usually type the domain name directly into the browser and ignore which protocol the website uses. HTTP transmits data in clear text, so if an SSL hijacking attack downgrades an HTTPS website to HTTP, sensitive data can be obtained.

Some websites do not use HTTPS throughout, but only when sensitive information must be transmitted, such as login authentication or the transfer of sensitive identity data. After hijacking the session between the user and the server, the man-in-the-middle replaces all HTTPS hyperlinks in the HTTP page with HTTP. Where the service supports HTTPS, the man-in-the-middle can also establish an HTTPS connection with the service itself and relay the data to the client over HTTP, achieving session hijacking. (The SSLStrip tool can be used for this hijacking.)


Credential stuffing attack:

Credential stuffing is when a hacker collects leaked usernames and passwords on the Internet, builds a dictionary from them and tries them in batches against other websites to obtain the combinations that log in successfully. Because many users reuse the same account and password on different websites, a hacker who obtains a user's account on website A can try to log in to website B with it; this is what is understood as a credential stuffing attack.

Case: a subsidiary website of a well-known company is at risk of credential stuffing

Step 1: The company's official website requires a CAPTCHA for user login, but one sub-site does not limit the number of login attempts, so the sub-site can be used for credential stuffing, and credentials verified there are then taken back to the main website to log in.

Step 2: Use the packets captured with Burp Suite to run the credential stuffing attack through the Intruder module (brute-force cracking).

Step 3: With the credentials obtained from the sub-site, return to the main website and try to log in.
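What made this case possible was a login endpoint with no attempt limit and nobody watching it. The detector below is an added example (not from the original article or the company involved): it reads authentication log lines in a constructed format, flags a source that fails as many different accounts inside a short window, and records any login that later succeeds from a flagged source as a credential the attacker has verified. The thresholds, log format and sample lines are assumptions for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
MAX_DISTINCT_USERS = 5   # one client failing as this many different users is not a typo

def parse_line(line):
    # Constructed log format: "<ISO timestamp> ip=<addr> user=<name> result=<ok|fail>"
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), kv["ip"], kv["user"], kv["result"]

def detect_stuffing(lines):
    """Return (alerts, compromised). alerts: (ip, time, failures, distinct users) when an
    ip crosses the threshold; compromised: (ip, user) for logins that succeeded from an
    already flagged ip, i.e. reused credentials the attacker has now confirmed."""
    recent = defaultdict(deque)   # ip -> (time, user) of failures inside WINDOW
    flagged, alerts, compromised = set(), [], []
    for line in lines:
        ts, ip, user, result = parse_line(line)
        if result == "ok":
            if ip in flagged:
                compromised.append((ip, user))
            continue
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > WINDOW:      # drop failures that fell out of the window
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= MAX_DISTINCT_USERS and ip not in flagged:
            flagged.add(ip)
            alerts.append((ip, ts, len(q), len(distinct)))
    return alerts, compromised

# Constructed sample: 203.0.113.5 sprays many accounts; 198.51.100.7 is a user mistyping.
SAMPLE_LOG = """\
2023-04-12T10:00:01Z ip=203.0.113.5 user=alice result=fail
2023-04-12T10:00:02Z ip=203.0.113.5 user=bob result=fail
2023-04-12T10:00:03Z ip=198.51.100.7 user=carol result=fail
2023-04-12T10:00:04Z ip=203.0.113.5 user=carol result=fail
2023-04-12T10:00:05Z ip=198.51.100.7 user=carol result=fail
2023-04-12T10:00:06Z ip=203.0.113.5 user=dave result=fail
2023-04-12T10:00:07Z ip=198.51.100.7 user=carol result=ok
2023-04-12T10:00:08Z ip=203.0.113.5 user=erin result=fail
2023-04-12T10:00:09Z ip=203.0.113.5 user=frank result=ok
""".splitlines()

if __name__ == "__main__":
    alerts, compromised = detect_stuffing(SAMPLE_LOG)
    for ip, ts, n, users in alerts:
        print(f"{ts} {ip}: {n} failures across {users} accounts within {WINDOW}")
    for ip, user in compromised:
        print(f"account {user} logged in from flagged {ip}: force a password reset")
```

The same per-source counters can drive a rate limit on the endpoint itself, which is the control the sub-site in the case above lacked.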


Measures to prevent account leaks:

(1) Check how accounts and passwords are stored in the database, encrypt users' sensitive data, strictly limit the conditions for accessing the database, and prohibit external connections to it.

(2) Use HTTPS to protect the whole account authentication process so that credentials cannot be stolen in transit.

(3) Strengthen awareness of network information security. Network administrators should run security awareness training for internal employees, prohibit weak passwords, prohibit disclosure of personal account passwords and require passwords to be changed regularly.

(4) Use digital certificate authentication. Digital certificates build a strict identity authentication system on cryptographic techniques such as symmetric or asymmetric cryptosystems, ensuring that information cannot be read by anyone other than the sender and receiver.

(5) Keep track of Internet account leakage incidents, and as soon as one occurs notify customers to change their account passwords, to avoid credential stuffing attacks.

(6) Strengthen the website's security protection, conduct regular security assessments and upgrades, and prevent attackers from exploiting flaws to obtain account information.


Recommended reading: A Practical Guide to Web Attack and Defense Business Security.


Source: blog.csdn.net/weixin_54977781/article/details/130116417