Summary of common security test cases

Table of contents

Vulnerability scan

Cleartext transmission

Unauthorized access

Reflected cross-site scripting

File upload

Unauthorized file download

SMS/email verification

Missing authentication

Password robustness

Data security

Summary


This is a summary of some common security test cases. Security testing covers far more than this; treat these cases as an introduction only.

Vulnerability scan

Definition: Scan the system's URLs for vulnerabilities, and scan the system for open ports, running services and known vulnerabilities.

Precondition: Our company uses the NSFOCUS scanner.

Steps:

1. Log in to the scanner and go to web scanning.

2. Under vulnerability scanning, select web scanning and enter the URL to be scanned.

Expected result: Review the scan report. High-risk and medium-risk vulnerabilities must be fixed. Confirm each reported finding by hand before filing it; scanner reports contain false positives.

1. Confirm that both high-risk and medium-risk vulnerabilities have been fixed.

2. When fixing a finding, take care not to break the system's existing functionality. Run a functional regression test over the affected scope to confirm the system still behaves correctly.

Periodic inspection: rescan the same URL once every 3 months.

Cleartext transmission

Definition: Check whether sensitive content is transmitted in plaintext or in encrypted form.

Scenarios in which the system transmits sensitive information: login, registration, payment, password change.

System sensitive information: login password, payment amount, registered mobile phone number, ID card number, email address, etc.

Steps:

1. Capture packets while performing an operation that transmits sensitive information.

2. Analyze whether the relevant sensitive fields in the captured data are in plaintext.

Expected result: If sensitive fields appear in plaintext on the wire, a finding exists. Also confirm that every scenario above is served over HTTPS and that a plain-HTTP endpoint, if one exists, does not accept the same request; a proxy placed inside the browser shows the payload before TLS and does not by itself prove the transport is unencrypted.


Unauthorized access

Definition: Test whether administrator or other users' information can be obtained by manipulating URL addresses.

1. Sensitive directories such as admin, user, system and pwd appear in URL addresses.

2. Vertical privilege escalation scenario: when the system has multiple administrators with different permissions, an administrator with low permissions must not be able to access or operate resources managed by a high-privilege administrator.

3. Horizontal privilege escalation scenario: when multiple users log in to the system, user A must not be able to access user B's resources.

Steps:

Check whether sensitive directories such as admin/user/system/pwd appear in URLs, and whether they can be opened without authorization.

Vertical privilege escalation:

1. Log in as a high-privilege administrator, access some resources unique to that role or perform a privileged operation, and record the request (URL, method, parameters).

2. Log out, log in as a low-privilege user, and replay the request recorded in step 1; check whether the operation succeeds.

Horizontal privilege escalation:

1. Log in as user A, open the URL of a personal resource unique to user A or perform a modification operation, and record the request.

2. Log out, log in as user B, and replay the request recorded in step 1; check whether B can access the resource or whether the operation succeeds.

Expected result: If a replayed request succeeds for the lower-privilege user or for a different user, an authorization defect exists. Replay each recorded request with no session at all as well, to tell missing authentication apart from missing authorization.
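The vertical and horizontal steps above are a differential replay: record requests under one identity, re-send them under another, and flag any that still succeed. The harness below automates that comparison. It is an added example, not code from the original article. The `send` callable is pluggable so a real HTTP client can be substituted; the toy application, its sessions and its two planted authorization bugs are constructed for the demonstration and are hypothetical.

```python
"""Differential authorization replay (added example, not from the article)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    body: Tuple[Tuple[str, str], ...] = ()   # hashable form body


@dataclass
class Response:
    status: int
    body: str


# --- constructed toy target (hypothetical): one admin, two ordinary users ---
SESSIONS = {"sess-alice": ("alice", "admin"),
            "sess-bob": ("bob", "user"),
            "sess-carol": ("carol", "user")}
PROFILES = {"bob": "bob@example.test", "carol": "carol@example.test"}


def toy_app(session: Optional[str], req: Request) -> Response:
    """Stand-in for the system under test, with a vertical bug (no role
    check on /admin/settings) and a horizontal bug (no owner check on
    /profile/<user>) planted on purpose."""
    who = SESSIONS.get(session)
    if who is None:
        return Response(401, "login required")
    name, role = who
    if req.method == "GET" and req.path == "/admin/users":
        if role != "admin":                      # correct role check
            return Response(403, "forbidden")
        return Response(200, ",".join(sorted(PROFILES)))
    if req.method == "POST" and req.path == "/admin/settings":
        return Response(200, "settings saved")   # BUG: any logged-in user
    if req.path.startswith("/profile/"):
        target = req.path.split("/", 2)[2]
        if target not in PROFILES:
            return Response(404, "no such user")
        if req.method == "PUT":                  # BUG: any user may modify any profile
            PROFILES[target] = dict(req.body).get("email", "")
            return Response(200, "updated")
        return Response(200, PROFILES[target])
    return Response(404, "")


Sender = Callable[[Optional[str], Request], Response]


def differential_replay(send: Sender, recorded: List[Request],
                        owner_session: str, other_session: str) -> Dict[Request, str]:
    """Replay each recorded request as its owner, as `other_session`, and with
    no session. Returns {request: verdict} for requests needing attention.
    Comparing bodies, not just status codes, avoids flagging a 200 that
    merely renders a 'no permission' page."""
    findings: Dict[Request, str] = {}
    for req in recorded:
        baseline = send(owner_session, req)
        if baseline.status >= 400:
            continue                              # recording itself failed
        anon = send(None, req)
        other = send(other_session, req)
        if anon.status < 400:
            findings[req] = "missing authentication"
        elif other.status < 400 and other.body == baseline.body:
            findings[req] = "authorization bypass"
        elif other.status < 400:
            findings[req] = "2xx with different body: review manually"
    return findings


def run_demo() -> Dict[str, str]:
    """Vertical check (alice -> bob) and horizontal check (bob -> carol)."""
    admin_requests = [Request("GET", "/admin/users"),
                      Request("POST", "/admin/settings", (("theme", "dark"),))]
    bob_requests = [Request("GET", "/profile/bob"),
                    Request("PUT", "/profile/bob", (("email", "new@example.test"),))]
    out: Dict[str, str] = {}
    for req, verdict in differential_replay(toy_app, admin_requests,
                                            "sess-alice", "sess-bob").items():
        out[f"{req.method} {req.path}"] = verdict
    for req, verdict in differential_replay(toy_app, bob_requests,
                                            "sess-bob", "sess-carol").items():
        out[f"{req.method} {req.path}"] = verdict
    return out


if __name__ == "__main__":
    for key, verdict in run_demo().items():
        print(f"{key}: {verdict}")
```

Against a real target, `send` would wrap an HTTP client and the recorded requests would come from the proxy capture taken in step 1; note that replaying write operations (the PUT above) changes state, so run them against test accounts only.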

Reflected cross-site scripting

Definition: Test whether the system filters or encodes user input so that users cannot carry out cross-site scripting attacks.

Cross-site scripting attack scenarios: search box, input fields, messages, file upload.

Steps:

1. Append the test payloads to the system's URL parameters:

<img src=x onerror=alert(1)>

<script>alert("1")</script>

Expected result: check whether a pop-up window appears.

2. Enter the same test payloads into the system's search box, input fields and messages.

Expected result: same as above.

3. Content such as messages, comments and announcements is stored in the database. Check whether a pop-up appears when the front end later displays the stored content. (This case is stored XSS rather than reflected XSS; the payloads are the same.)

4. In the file upload function, place the test payloads inside the file to be imported.

Expected result: same as above.

If no pop-up appears, still inspect the raw HTTP response: a payload that is reflected without HTML encoding is a finding even when a browser feature or a Content-Security-Policy suppressed the alert.
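The raw-response check just described can be automated: inject a unique canary that carries the characters that matter in HTML and see whether they come back encoded. The probe below is an added example, not code from the original article. `fetch` takes a URL and returns the body so any HTTP client can be plugged in; the toy search page, with one raw and one escaped sink, is constructed for the demonstration and is hypothetical.

```python
"""Reflected-XSS canary probe (added example, not from the article)."""
import html
import secrets
from typing import Callable, Dict
from urllib.parse import parse_qs, urlencode, urlsplit


def toy_search_page(url: str) -> str:
    """Hypothetical target: `q` is echoed raw, `name` is HTML-escaped."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    q = qs.get("q", [""])[0]
    name = qs.get("name", [""])[0]
    return ("<html><body>"
            f"<h1>Results for {q}</h1>"                       # vulnerable sink
            f"<p>Hello, {html.escape(name, quote=True)}</p>"  # encoded sink
            "</body></html>")


def probe_reflected_xss(fetch: Callable[[str], str], base_url: str,
                        params: Dict[str, str]) -> Dict[str, str]:
    """Return one verdict per parameter. The random canary makes the reflection
    unambiguous even if the page already contains similar markup."""
    verdicts: Dict[str, str] = {}
    for name in params:
        canary = "zz" + secrets.token_hex(4) + "zz"
        payload = f'"<{canary}>\''            # double quote, tag, apostrophe
        test = dict(params)
        test[name] = payload
        body = fetch(base_url + "?" + urlencode(test))
        if canary not in body:
            verdicts[name] = "not reflected"
        elif payload in body:
            verdicts[name] = "reflected unencoded"       # XSS candidate
        elif html.escape(payload, quote=True) in body:
            verdicts[name] = "reflected html-encoded"
        else:
            verdicts[name] = "reflected, partially encoded: review manually"
    return verdicts


if __name__ == "__main__":
    print(probe_reflected_xss(toy_search_page, "http://app.test/search",
                              {"q": "shoes", "name": "tester"}))
```

"reflected html-encoded" only means the value is safe in an HTML text context; a value landing inside an attribute, a `<script>` block or a URL needs the encoding appropriate to that context, so the "partially encoded" verdict is deliberately conservative and hands the case back to the tester.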

File upload

Definition: Test whether malicious files such as trojans, viruses or prohibited images can be uploaded.

Steps:

1. Create a test file, for example a txt document whose content is <img src=x onerror=alert(1)>. Use an English file name, such as test.

2. Use the upload function, capture the request and intercept the upload; change the uploaded file's extension to .html, then access the uploaded .html file.

Expected result: If the payload executes when the file is accessed, a defect exists.
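Server-side validation that defeats the rename trick above decides from the file's bytes rather than from the client-supplied name or Content-Type, stores the file under a server-chosen name, and serves it with headers that stop browsers from rendering it as HTML. The function below is an added example, not code from the original article; the extension allow-list, size limit and header set are assumptions for the demonstration.

```python
"""Upload validation and safe serving headers (added example)."""
import os
import secrets
from typing import Dict, Tuple

# extension -> (Content-Type to serve it with, magic-byte prefixes that must match)
ALLOWED: Dict[str, Tuple[str, Tuple[bytes, ...]]] = {
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "gif": ("image/gif", (b"GIF87a", b"GIF89a")),
    "pdf": ("application/pdf", (b"%PDF-",)),
    "txt": ("text/plain", ()),       # no magic bytes; never served inline
}
MAX_BYTES = 5 * 1024 * 1024          # assumed limit


class UploadRejected(ValueError):
    pass


def validate_upload(client_filename: str, data: bytes) -> Dict[str, str]:
    """Return the storage name plus the response headers to serve the file
    with, or raise UploadRejected. Only the last extension counts and the
    client's name is never reused for storage."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")
    content_type, magics = ALLOWED[ext]
    if magics and not any(data.startswith(m) for m in magics):
        raise UploadRejected("content does not match extension")
    if ext == "txt" and b"\x00" in data:
        raise UploadRejected("binary content in text upload")
    stored = f"{secrets.token_hex(16)}.{ext}"   # random server-chosen name
    return {
        "stored_name": stored,
        "Content-Type": content_type,
        # Download rather than render, and forbid MIME sniffing, so a text file
        # containing <img onerror=...> is never interpreted as HTML.
        "Content-Disposition": f'attachment; filename="{stored}"',
        "X-Content-Type-Options": "nosniff",
    }


def demo() -> Dict[str, str]:
    """Run the article's test file through the validator (constructed inputs)."""
    payload = b"<img src=x onerror=alert(1)>"
    cases = [("test.txt", payload),                         # original upload
             ("test.html", payload),                        # renamed in the proxy
             ("test.jpg", payload),                         # wrong magic bytes
             ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)]  # real JPEG header
    results: Dict[str, str] = {}
    for name, data in cases:
        try:
            results[name] = "accepted as " + validate_upload(name, data)["Content-Type"]
        except UploadRejected as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Magic-byte checks stop extension mismatches, not polyglot files; a valid image that also carries HTML or script is still neutralised only because the file is served as an attachment with `nosniff` from a name the uploader did not choose.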

Unauthorized file download

Definition: Test whether a URL contains a file name or directory; try modifying the parameter value to see whether files in other directories can be downloaded or read.

File download scenarios: file download and file read functions.

Test URL: a URL that contains a file name or a file directory.

Steps:

1. Perform a file download and note the download path, for example:

http://www.example.com/donwload.jsp?filename=test12789.pdf

2. Change the file parameter value in the download path and check what is returned:

http://www.example.com/donwload.jsp?filename=test.pdf

If a file the current user was never given access to can be downloaded simply by guessing its name, a vulnerability exists.

3. Modify the download path with ../ to traverse directories and try to download files from other directories:

http://www.example.com/donwload.jsp?filename=../../WEB-INF/web.xml

If web.xml can be downloaded, a bug exists. Repeat the attempt with URL-encoded and double-encoded variants (for example %2e%2e%2f and %252e%252e%252f) and with backslashes, since filters often block only the literal ../ form.
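The traversal in step 3 works because the handler joins the user-supplied name onto a directory and opens the result. Below, the vulnerable pattern sits beside a hardened resolver that normalises the name and refuses anything that leaves the download root. This is an added example, not code from the original article; the base directory is an assumption, and paths are handled lexically with posixpath so the check runs without touching a filesystem (a production resolver should additionally realpath() the result so symlinks inside the root cannot point outside it).

```python
"""Download-path containment: vulnerable join vs hardened resolver (added example)."""
import posixpath
from typing import Optional
from urllib.parse import unquote

BASE = "/srv/app/files"     # assumed download root


def resolve_unsafe(filename: str) -> str:
    """What the vulnerable handler effectively does: join and open."""
    return posixpath.normpath(posixpath.join(BASE, filename))


def resolve_safe(filename: str) -> Optional[str]:
    """Return a path inside BASE, or None if the request must be refused."""
    name = unquote(unquote(filename))        # defeat single and double percent-encoding
    if not name or "\x00" in name:
        return None
    name = name.replace("\\", "/")           # treat Windows separators as separators
    if name.startswith("/"):
        return None                          # absolute paths are never allowed
    candidate = posixpath.normpath(posixpath.join(BASE, name))
    if not candidate.startswith(BASE + "/"):
        return None                          # normalised path left the download root
    return candidate


if __name__ == "__main__":
    for probe in ["test.pdf", "../../WEB-INF/web.xml",
                  "%2e%2e%2f%2e%2e%2fWEB-INF%2fweb.xml", "/etc/passwd"]:
        print(f"{probe!r}: unsafe={resolve_unsafe(probe)} safe={resolve_safe(probe)}")
```

Containment is necessary but not sufficient: a request for `test.pdf` that passes `resolve_safe` must still be checked against what the current user is entitled to download, which is the point of step 2 above.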
 

SMS/email verification

Definition: Test whether the SMS and email verification flows have security controls in place.

Scenarios that trigger SMS or email verification codes: password recovery or reset, registration, invitation-based registration, sharing in promotional campaigns.

Steps:

1. Use the password reset or password recovery function to reach the page that asks for a phone number or email address.

2. Enter a test phone number or email address and check whether verification codes can be requested repeatedly with no interval, causing SMS bombing.

Expected result: If SMS bombing is possible, the vulnerability exists; report a bug. Sending an SMS or email must be preceded by a security check (captcha, slider verification, etc.) and rate limited per target number and per client, so the interface cannot be abused to flood a victim.

3. If such a check is present, enter the phone number or email address while capturing packets, and look for the verification code in the captured response data.

Expected result: If the code can be read from the response, the verification can be bypassed; the vulnerability exists, report a bug. The code must travel only over the out-of-band channel (SMS or email), never in the HTTP response.

Missing authentication

Definition: For interfaces that can modify resources in a system that requires login and authentication, test whether the authentication is reliable.

Test objects: interfaces that can modify resources.

Steps:

Capture packets and analyze the interface parameters, paying attention to the authentication parameters such as the cookie or access token.

Expected results:

1. If the cookie or access token follows a discoverable pattern, for example a single fixed value, or the user ID used as the cookie value, the session control information can be guessed and the authentication is unreliable; a vulnerability exists, report a bug.

2. If all parameters are fully predictable, that is, apart from the authentication cookie every parameter in the header and in the body form can be known in advance, a vulnerability exists (this is the precondition for cross-site request forgery); report a bug. If the header or body carries a random token, or a captcha is required, this vulnerability does not exist.
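The "can a pattern be found" judgement in result 1 can be made systematic by collecting several tokens (log in repeatedly, or as several test users) and checking them for the obvious failures: repeated values, embedded user IDs, counters, tiny alphabets. The assessor below is an added example, not code from the original article. Its thresholds (64 bits of nominal entropy) and sample tokens are assumptions and constructed data; a heuristic like this finds the obvious failures and does not prove a token generator sound.

```python
"""Heuristic predictability check for sampled session tokens (added example)."""
import math
import secrets
from typing import Dict, List, Optional

MIN_BITS = 64   # assumed lower bound for a session identifier


def assess_tokens(tokens: List[str], user_ids: Optional[List[str]] = None) -> List[str]:
    """Return human-readable problems found in the sample; [] means nothing obvious."""
    problems: List[str] = []
    if len(set(tokens)) < len(tokens):
        problems.append("repeated token values (fixed or reused session identifier)")
    if user_ids:
        for tok, uid in zip(tokens, user_ids):
            if uid and uid in tok:
                problems.append(f"token {tok!r} embeds user id {uid!r}")
                break
    if all(t.isdigit() for t in tokens):
        problems.append("tokens are purely numeric")
        nums = sorted(int(t) for t in tokens)
        if len(nums) > 1 and max(b - a for a, b in zip(nums, nums[1:])) <= 1000:
            problems.append("tokens look sequential (small gaps between values)")
    # Nominal entropy: shortest token length times log2 of the alphabet actually
    # observed across the sample. An upper bound, so a low value is damning.
    alphabet = set("".join(tokens))
    shortest = min(len(t) for t in tokens)
    nominal_bits = shortest * math.log2(len(alphabet)) if len(alphabet) > 1 else 0.0
    if nominal_bits < MIN_BITS:
        problems.append(f"at most {nominal_bits:.0f} bits of nominal entropy "
                        f"(alphabet {len(alphabet)}, shortest token {shortest} chars)")
    return problems


def demo() -> Dict[str, List[str]]:
    """Three constructed samples: user IDs as cookies, one constant cookie,
    and 128-bit random tokens."""
    ids = ["1001", "1002", "1003", "1004"]
    weak = list(ids)                                   # cookie value == user id
    fixed = ["sessionid=admin"] * 3                    # same value every login
    strong = [secrets.token_hex(16) for _ in range(10)]
    return {"user-id cookie": assess_tokens(weak, ids),
            "fixed cookie": assess_tokens(fixed),
            "random token": assess_tokens(strong)}


if __name__ == "__main__":
    for label, found in demo().items():
        print(label, "->", found or ["no obvious weakness"])
```

Collect the sample by logging in several times as each of a few test accounts; ten to twenty tokens are enough for the alphabet and length estimates, and the user-ID check needs the IDs recorded alongside each token.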

Password robustness

Definition: Test whether the password and verification-code checks are reliable, and whether they can be brute-forced until a correct value is hit.

Steps:

1. In a scenario that asks for a password or verification code, use a packet-capture tool to modify the password or code in the request and submit wrong values repeatedly.

Expected result: If the value can be brute-forced until it is hit, a vulnerability exists.

2. Use a tool to repeat the request (for example the login request) many times, more than 100, with a wrong password or wrong verification code.

Expected result: same as above. The interface must lock the account or code, or throttle the client, after a bounded number of failures.

3. Review the business logic behind password setting and verification-code generation.

(1) If password complexity was not considered when setting passwords and users may set weak passwords (accounts should require digits + letters + special characters and at least 8 characters, and reject weak passwords such as 123456, aaaaaaa and qwerty), account security may be at risk; report it to development for correction to improve account security.

(2) If the verification-code generation logic is simple, the set of possible values is small, or it is a simple image captcha, a vulnerability may exist; report it to development and recommend a safer verification design (such as behavioral verification).

4. For the password recovery and password change functions, check whether permission control is in place so that a user can only change or set their own password, preventing the function from being used to change someone else's password.

Expected result: If the password recovery, password change or account appeal functions can be used to change another account's password, a vulnerability exists; report a bug.
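The SMS/email verification section and the brute-force steps in this section test for two controls on the same verification-code flow: sending must be rate limited so the interface cannot be used for SMS bombing, and verification must stop accepting guesses after a bounded number of failures so a six-digit code cannot be enumerated. The service below implements both and never places the code in a response. It is an added example, not code from the original article; window sizes, attempt limits and the six-digit format are assumptions, and the gateway callable is a hypothetical stand-in for the real SMS or email sender.

```python
"""Verification-code service with send throttling and guess lockout (added example)."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List

SEND_LIMIT = 3       # code requests per target per window (assumed)
SEND_WINDOW = 600    # seconds
MAX_ATTEMPTS = 5     # wrong guesses before the code is invalidated
CODE_TTL = 300       # seconds


class OtpService:
    def __init__(self, gateway: Callable[[str, str], None], clock=time.time):
        self._gateway = gateway          # delivers (target, code) out of band
        self._clock = clock
        self._sends: Dict[str, List[float]] = {}
        self._codes: Dict[str, dict] = {}
        self._key = secrets.token_bytes(32)   # keyed hash: a dumped table yields no codes

    def _digest(self, target: str, code: str) -> bytes:
        return hmac.new(self._key, f"{target}:{code}".encode(), hashlib.sha256).digest()

    def request_code(self, target: str, human_verified: bool) -> Dict[str, str]:
        """Issue a code. The caller must already have passed the captcha or slider
        check; the response says only whether a code was sent, never what it is."""
        if not human_verified:
            return {"status": "captcha required"}
        now = self._clock()
        recent = [t for t in self._sends.get(target, []) if now - t < SEND_WINDOW]
        if len(recent) >= SEND_LIMIT:
            self._sends[target] = recent
            return {"status": "too many requests"}
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._codes[target] = {"hash": self._digest(target, code),
                               "expires": now + CODE_TTL, "attempts": 0}
        self._sends[target] = recent + [now]
        self._gateway(target, code)
        return {"status": "sent"}

    def verify(self, target: str, guess: str) -> bool:
        entry = self._codes.get(target)
        if entry is None or self._clock() > entry["expires"]:
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._codes[target]          # locked: a fresh code must be requested
            return False
        if hmac.compare_digest(entry["hash"], self._digest(target, guess)):
            del self._codes[target]          # single use
            return True
        return False


def demo() -> Dict[str, object]:
    """Drive the service with a fake clock and a fake gateway (constructed)."""
    delivered: Dict[str, str] = {}
    now = [1_000_000.0]
    svc = OtpService(lambda target, code: delivered.__setitem__(target, code),
                     clock=lambda: now[0])
    phone = "13412344250"                    # constructed test number
    no_captcha = svc.request_code(phone, human_verified=False)["status"]
    sends = [svc.request_code(phone, human_verified=True)["status"] for _ in range(4)]
    code = delivered[phone]
    wrong_guess = "000000" if code != "000000" else "000001"
    wrong = [svc.verify(phone, wrong_guess) for _ in range(MAX_ATTEMPTS)]
    locked_out = svc.verify(phone, code)     # right code, but the lock has tripped
    now[0] += SEND_WINDOW                    # window passes; requests allowed again
    fresh = svc.request_code(phone, human_verified=True)["status"]
    verified = svc.verify(phone, delivered[phone])
    return {"no_captcha": no_captcha, "sends": sends, "wrong": wrong,
            "locked_out": locked_out, "fresh": fresh, "verified": verified}


if __name__ == "__main__":
    print(demo())
```

Rate limiting by target alone still lets one attacker exhaust a victim's allowance; production deployments also limit per client IP or account and return the same "sent" response whether or not the target exists, so the endpoint cannot be used to enumerate registered numbers.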

Data security

Definition: Check whether sensitive data is stored securely in the system.

Sensitive data: passwords, ID card numbers, home addresses, bank card numbers, phone numbers, real names.

Steps:

1. Check whether sensitive data is stored encrypted by inspecting the corresponding data records (MySQL, Redis), to prevent information leakage if the database is dumped. Passwords in particular must be stored as salted slow hashes, not as reversibly encrypted values that a stolen key would undo.

2. Check whether sensitive data is masked when displayed in the user interface, for example: a show/hide option for passwords; phone numbers and ID card numbers showing only the first and last digits, such as 134****4250 and 220**********2129.

3. Check numeric input handling: whether negative numbers or excessively large amounts are rejected.
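The three checks above correspond to three small server-side measures: salted slow hashing for stored passwords, display masking for phone and ID numbers, and strict parsing of monetary amounts. The functions below are an added example, not code from the original article; the PBKDF2 iteration count, the mask widths and the amount bounds are assumptions, and the sample numbers are constructed.

```python
"""Password hashing, display masking and amount validation (added example)."""
import hashlib
import hmac
import secrets
from decimal import Decimal, InvalidOperation
from typing import Optional

PBKDF2_ROUNDS = 600_000            # assumed; tune to the server's latency budget
MAX_AMOUNT = Decimal("1000000.00") # assumed business limit


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$rounds$salt_hex$hash_hex'. A dumped table then yields
    only per-user salted hashes that must be attacked one slow guess at a time."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, rounds, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), hash_hex)   # constant-time comparison


def mask_middle(value: str, keep_head: int, keep_tail: int) -> str:
    """Keep the first and last characters and star the rest; values too short
    to mask are fully starred so the mask never reveals more than intended."""
    if len(value) <= keep_head + keep_tail:
        return "*" * len(value)
    return value[:keep_head] + "*" * (len(value) - keep_head - keep_tail) + value[-keep_tail:]


def mask_phone(phone: str) -> str:
    return mask_middle(phone, 3, 4)          # 11-digit number -> 134****4250


def mask_id_card(id_no: str) -> str:
    return mask_middle(id_no, 3, 4)          # 18-digit number -> 220***********2129


def parse_amount(text: str) -> Optional[Decimal]:
    """Accept only a finite, positive amount with at most two decimals within
    bounds; anything else (negative, NaN, 1e30, '12.345', 'abc') is refused."""
    try:
        amount = Decimal(text)
    except InvalidOperation:
        return None
    if not amount.is_finite() or amount <= 0 or amount > MAX_AMOUNT:
        return None
    if amount != amount.quantize(Decimal("0.01")):
        return None
    return amount


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(mask_phone("13412344250"), mask_id_card("220101199001012129"))
    print(parse_amount("19.99"), parse_amount("-1"), parse_amount("1e30"))
```

When checking step 1 against a real database, the stored value should look like the `pbkdf2_sha256$...` record above (or the equivalent bcrypt, scrypt or Argon2 encoding): a fixed-length hex or base64 string that differs between two users with the same password. Identical values for identical passwords mean an unsalted hash; a value that decrypts to the password means reversible storage.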

Summary:

Thanks to everyone who takes the time to read my articles!


Source: blog.csdn.net/MXB_1220/article/details/130414831