Business Security for Web Attack and Defense: Interface Call Replay Test. (Two clicks have multiple order effects)

Business security refers to the measures or means used to protect business systems from security threats. In the broad sense, business security covers the software and hardware platforms that run the business (operating systems, databases, middleware, etc.), the business system itself (software or equipment), and the security of the services the business provides; in the narrow sense, it refers to the security of the business system's own software and services.


Table of contents:

Captcha bypass test:

Test principle and method:

Testing process:

Step 1: Capture the data packet in the link of purchasing tickets and submitting orders.

Step 2: Use the Burp Suite tool to perform a replay test on the data packets that generate the order.

Step 3: View the returned results, and the order will be generated repeatedly within one minute.

Repair suggestion:


Disclaimer:

It is strictly forbidden to use the technology mentioned in this article to carry out illegal attacks, otherwise the consequences will be at your own risk, and the uploader will not bear any responsibility.


Captcha bypass test:

Test principle and method:

In business processes that send SMS or email, or that generate business data (SMS verification codes, email verification codes, order generation, comment submission, etc.), a call replay test is carried out on the business link. Whether an interface call replay problem exists is judged from the business result or the data that is produced.


Testing process:

When performing the interface call replay test, the difference between an attacker and an ordinary user is that the attacker uses the Burp Suite tool to capture packets, captures the order request, and then sends it multiple times within a short period through Burp Suite's Repeater. The server carries out a separate effective operation for each of the repeated requests.


Step 1: Grab the data packet in the process of purchasing tickets and submitting orders.


Step 2: Use the Burp Suite tool to replay the data packet that generates the order. (Right-click and select Do intercept >> Response to this request.)


Step 3: View the returned results, and the order will be generated repeatedly within one minute.


Repair suggestion:

(1) Add a verification code (captcha) mechanism to the order generation link, so that the business that generates the data cannot be invoked maliciously.

(2) Each order uses a unique Token. After the order is submitted once, the Token becomes invalid.
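The following is an added example, not code from the original article or from any product it describes. It models the test described above and the second repair suggestion: a minimal in-memory order service written two ways. The unprotected endpoint creates a new order for every replayed request, which is the result the test looks for; the hardened endpoint issues a one-time order token with the form and spends it atomically on the first submission, so replays of the same captured request are rejected. All names (OrderService, issue_order_token, submit_order, the TTL) and the sample user and ticket identifiers are hypothetical.

```python
import secrets
import threading
import time

# Assumed lifetime of an unused order token, in seconds.
TOKEN_TTL_SECONDS = 300


class OrderService:
    """Toy order backend with an unprotected and a token-protected submit path."""

    def __init__(self):
        self.orders = []
        # token -> (owner user id, issue time); an entry is deleted when spent
        self._tokens = {}
        self._lock = threading.Lock()

    def _create_order(self, user_id, ticket_id):
        order = {"id": len(self.orders) + 1, "user": user_id, "ticket": ticket_id}
        self.orders.append(order)
        return {"ok": True, "order_id": order["id"]}

    # --- vulnerable form: nothing ties a request to a single submission ---
    def submit_order_unprotected(self, user_id, ticket_id):
        return self._create_order(user_id, ticket_id)

    # --- hardened form: token handed out with the order form ---
    def issue_order_token(self, user_id):
        token = secrets.token_urlsafe(32)
        with self._lock:
            self._tokens[token] = (user_id, time.monotonic())
        return token

    def submit_order(self, user_id, ticket_id, token):
        with self._lock:
            # pop() checks and invalidates in one step under the lock, so two
            # concurrent replays cannot both see the token as unused.
            entry = self._tokens.pop(token, None)
        if entry is None:
            return {"ok": False, "error": "invalid or already used token"}
        owner, issued_at = entry
        # The token is already spent at this point; a mismatch fails closed.
        if owner != user_id:
            return {"ok": False, "error": "token does not belong to this user"}
        if time.monotonic() - issued_at > TOKEN_TTL_SECONDS:
            return {"ok": False, "error": "token expired"}
        return self._create_order(user_id, ticket_id)


def replay(request, times):
    """Send the same captured request `times` times, as Repeater would."""
    return [request() for _ in range(times)]


def demo(times=5):
    """Replay one order request against both endpoints.

    Returns (orders created by the unprotected endpoint,
             submissions accepted by the protected endpoint,
             orders actually stored by the protected service).
    """
    # Constructed sample data: user "alice" buying ticket "T-100".
    unprotected = OrderService()
    results = replay(lambda: unprotected.submit_order_unprotected("alice", "T-100"), times)
    duplicate_orders = sum(1 for r in results if r["ok"])

    protected = OrderService()
    token = protected.issue_order_token("alice")
    results = replay(lambda: protected.submit_order("alice", "T-100", token), times)
    accepted = sum(1 for r in results if r["ok"])

    return duplicate_orders, accepted, len(protected.orders)


if __name__ == "__main__":
    dup, accepted, stored = demo()
    print(f"unprotected endpoint: {dup} orders from 5 replays")
    print(f"protected endpoint:   {accepted} accepted, {stored} order(s) stored")
```

The token store must be shared by all application instances that can receive the request (a database row or a cache entry with a compare-and-delete operation, not a per-process dictionary), and the check-and-invalidate step has to stay atomic, otherwise two replays arriving at the same moment can both pass. Binding the token to the user and giving it a short lifetime limits what a captured form is worth to anyone who obtains it later.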


Books to learn: A Practical Guide to Web Attack and Defense Business Security.

Origin blog.csdn.net/weixin_54977781/article/details/130066585