Common Security Vulnerabilities and Testing Methods

Vertical permission issues and testing methods

A vertical permission (privilege escalation) vulnerability means that the web application performs no permission control at all, or only hides menu entries by role, so that a malicious user who guesses the URL of another role's page can access or operate the data and pages owned by that role, and thereby escalate privileges.

During business testing, design and run a security test case for this scenario: log in as user A, open the browser's Network panel and record all XHR requests; then log in as user B and replay A's requests under B's session. If the operation still succeeds, the interface has an unauthorized-access problem. During code review (CR), pay particular attention to update, delete and add interfaces.

Horizontal permission issues

A horizontal permission vulnerability means that when the web application receives a request it does not determine who owns the data, or it determines the owner from a userid submitted in the request parameters, so an attacker can change the userid and read or modify data that does not belong to him. For example, UserA and UserB have the same role, but A can see B's data: that is a horizontal permission violation.

Horizontal violations are likely wherever the site identifies a user or a user's record by something other than the session ID: a mobile phone number, an employee code, a job number, or a value derived with a hash function. Interfaces such as getAccount.do?accId=12345 are high-risk.

The usual test is to access the same URL with two test accounts and see whether the same data comes back. If each account can retrieve the other's data, the back-end interface does not isolate data by the current user and there is a horizontal permission problem. During functional testing, create two test accounts, log in to both at the same time, and compare whether the data on the same page overlaps. During code review, check whether the query interface adds the current user's attributes (taken from the session, not from the request) as a data-isolation condition.
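The replay check described above for both the vertical and the horizontal case, as an added example that is not code from the original post. It models a tiny back end in memory (constructed users, accounts and route names) with a vulnerable and a fixed handler for getAccount.do?accId=... and for an admin-only delete, and a function that replays the requests captured from one user under another user's session and flags the ones that still succeed with the same response.

```python
"""Two-account authorization replay check (added example, constructed data)."""
from dataclasses import dataclass

# Constructed sample state: two ordinary users and one admin.
SESSIONS = {"sess-A": "userA", "sess-B": "userB", "sess-admin": "admin"}
ROLES = {"userA": "user", "userB": "user", "admin": "admin"}
ACCOUNTS = {
    12345: {"owner": "userA", "balance": 100},
    67890: {"owner": "userB", "balance": 250},
}


@dataclass
class Request:
    session: str      # session cookie value
    path: str
    params: dict


def vulnerable_get_account(req):
    # Horizontal flaw: the owner is whoever the caller names in accId;
    # the logged-in user is never compared with the record's owner.
    acc = ACCOUNTS.get(int(req.params["accId"]))
    return (200, acc) if acc else (404, None)


def fixed_get_account(req):
    user = SESSIONS.get(req.session)
    acc = ACCOUNTS.get(int(req.params["accId"]))
    if user is None or acc is None or acc["owner"] != user:
        return (403, None)      # same answer for "not yours" and "not found"
    return (200, acc)


def vulnerable_delete_user(req):
    # Vertical flaw: the menu entry is hidden from non-admins, but the
    # interface itself never checks the caller's role.
    return (200, {"deleted": req.params["user"]})


def fixed_delete_user(req):
    if ROLES.get(SESSIONS.get(req.session)) != "admin":
        return (403, None)
    return (200, {"deleted": req.params["user"]})


def find_authz_issues(routes, captured, owner_session, other_session):
    """captured: (path, params) pairs copied from the owner's Network panel.

    Returns the paths whose replay under other_session succeeds with the
    same body the owner received, i.e. the interface never checked the caller.
    """
    issues = []
    for path, params in captured:
        handler = routes[path]
        orig_status, orig_body = handler(Request(owner_session, path, params))
        rep_status, rep_body = handler(Request(other_session, path, params))
        if orig_status == 200 and rep_status == 200 and rep_body == orig_body:
            issues.append(path)
    return issues


# Constructed captures, as a tester would copy them from the browser.
CAPTURED_FROM_A = [("/getAccount.do", {"accId": "12345"})]
CAPTURED_FROM_ADMIN = [("/admin/deleteUser.do", {"user": "userB"})]

if __name__ == "__main__":
    print(find_authz_issues({"/getAccount.do": vulnerable_get_account},
                            CAPTURED_FROM_A, "sess-A", "sess-B"))
    print(find_authz_issues({"/admin/deleteUser.do": vulnerable_delete_user},
                            CAPTURED_FROM_ADMIN, "sess-admin", "sess-B"))
```

The fixed handlers take the identity from the session and return 403 for both "not yours" and "does not exist", so the replay cannot even be used to enumerate which accIds are valid.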

Command injection/execution

Vulnerability principle: user input is treated as, or spliced into, a server command that is executed by the production server, so the user can run arbitrary commands on the server, and even plant web shells, open reverse connections, escalate privileges and perform other risky operations.

Test method: STC security scan; for an interface that executes a command, enter "cat /etc/passwd" or "| cat /etc/passwd" (or another command) and check whether the command's output comes back. If the output of any command is returned, the vulnerability is confirmed. If output is not reflected, a time delay (sleep 5) or a request to a listener you control shows blind injection.
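An added example, not code from the original post, of the spliced shell command the section describes beside the hardened form, with the probe a tester would send. The "command" is a harmless echo so the block runs anywhere with /bin/sh; the probe carries a unique marker so the tester can tell real execution from the input merely being echoed back.

```python
"""Command-injection probe, vulnerable and hardened lookups (added example)."""
import re
import subprocess

MARKER = "INJECTED"
# Constructed tester input, same shape as the "| cat /etc/passwd" probe.
PROBE = f"example.com; echo {MARKER}"


def vulnerable_lookup(host):
    # Vulnerable: user input is spliced into a shell command line, so the
    # shell parses ';' and runs the second command.
    out = subprocess.run("echo resolving " + host, shell=True,
                         capture_output=True, text=True)
    return out.stdout


def argv_only_lookup(host):
    # Passing argv as a list stops the shell from parsing the input, but a
    # value that should be a hostname still reaches the program unchecked.
    out = subprocess.run(["echo", "resolving", host],
                         capture_output=True, text=True)
    return out.stdout


HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def hardened_lookup(host):
    # Hardened: allowlist-validate the value, then pass it as its own argv
    # element; never build a shell string from it.
    if not HOST_RE.match(host):
        raise ValueError("invalid host")
    return argv_only_lookup(host)


def executed_marker(output):
    """True only if the marker came out as a command's own output line,
    not merely reflected inside the original argument."""
    return MARKER in output.splitlines()


def hardened_rejects(host):
    try:
        hardened_lookup(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(repr(vulnerable_lookup(PROBE)), executed_marker(vulnerable_lookup(PROBE)))
    print(repr(argv_only_lookup(PROBE)), executed_marker(argv_only_lookup(PROBE)))
```

Note that the argv-only version still prints the marker inside the reflected argument; a scanner that only greps the response for its marker would report a false positive there, which is why executed_marker looks for the marker as a line of its own.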

Code injection/execution

Vulnerability principle: code entered by the user is executed directly by the server (for example passed to an eval-style function), letting the user run arbitrary code on the server, with the same consequences as command injection: web shells, reverse connections, privilege escalation and other risky operations.

Test method: security scan; for an interface that executes code, construct a snippet in the language the server executes that invokes a system command, and submit it. If it executes, the vulnerability is confirmed.

SSRF (Server Side Request Forgery)

Vulnerability principle: the server unconditionally makes a request, on the user's behalf, to a URL supplied by the user and returns the response. The user can supply any intranet IP and port and use the server to probe the internal network.

Test method: STC security scan; set up a test HTTP server you control; enter its address in the relevant business interface, submit, and check the test server's access log. If the request arrives, the vulnerability exists. Also try intranet addresses and the cloud metadata address 169.254.169.254, and compare responses and error messages for open versus closed ports.
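The server-side counterpart of that test, as an added example that is not code from the original post: a destination check for a URL the server is about to fetch. It resolves the host and rejects any address in a loopback, private, link-local or other non-public range, and handles the usual bypasses (IP literals, IPv4-mapped IPv6, credentials in the URL, hex-encoded addresses that the resolver turns into 127.0.0.1). FAKE_DNS and its host names are constructed so the block runs offline; calling is_safe_url without a resolver uses the real one.

```python
"""SSRF destination check (added example; FAKE_DNS is constructed)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed resolver table for offline use; 93.184.216.34 stands in for a
# public address. "rebind.test" mixes a public and a loopback answer.
FAKE_DNS = {
    "example.com": {"93.184.216.34"},
    "internal.corp": {"10.0.0.5"},
    "rebind.test": {"93.184.216.34", "127.0.0.1"},
    "0x7f000001": {"127.0.0.1"},     # many libc resolvers accept hex/decimal IPs
}


def fake_resolve(host):
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise OSError("no such host")


def system_resolve(host):
    """Every address the name maps to (A and AAAA); all of them must be public."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is loopback too
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_url(url, resolve=system_resolve):
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False                  # http://trusted@10.0.0.5 style confusion
    host = parts.hostname
    try:
        addrs = {str(ipaddress.ip_address(host))}   # literal IP, no lookup
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError:
            return False
    return bool(addrs) and all(is_public_address(a) for a in addrs)


if __name__ == "__main__":
    for u in ("http://example.com/", "http://internal.corp/", "http://[::1]/",
              "http://169.254.169.254/latest/meta-data/", "http://0x7f000001/"):
        print(u, is_safe_url(u, fake_resolve))
```

Two caveats the check alone does not cover: the name is resolved at check time, so a host that answers differently at fetch time (DNS rebinding) slips through unless the fetch is pinned to the checked address, and an HTTP redirect from a public host to an internal one must be re-checked or redirects disabled.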

XXE (XML External Entity injection)

Vulnerability principle: the user uploads an XML file and the server parses it without disabling external entity resolution (DTD processing), so a URL declared in an external entity or external DTD is fetched by the server, a risk similar to SSRF; the entity can equally reference a local file such as /etc/passwd.

Test method: security scan; set up a test HTTP server on a test host; construct an XML file whose DOCTYPE declares an external entity (or external DTD) whose SYSTEM URL is the test server's address; upload it through the XML upload interface. If the test server logs the access, the vulnerability exists. For Java business systems, scanning with Group Scanner is recommended.
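The "test HTTP server" used by the SSRF and XXE test methods above, as an added example that is not code from the original post: a listener that records every request it receives, the XML probe the tester uploads (an external entity whose SYSTEM URL points back at the listener), and the cheap server-side guard of rejecting any document that carries a DOCTYPE. Element names, paths and the token are constructed.

```python
"""Out-of-band listener, XXE probe and DOCTYPE guard (added example)."""
import re
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class RecordingHandler(BaseHTTPRequestHandler):
    hits = []                      # (method, path, user_agent) per request

    def _record(self):
        RecordingHandler.hits.append(
            (self.command, self.path, self.headers.get("User-Agent", "")))
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok\n")

    do_GET = _record
    do_POST = _record
    do_HEAD = _record

    def log_message(self, *args):  # keep stdout quiet
        pass


def start_listener(host="127.0.0.1", port=0):
    """Bind on an ephemeral port (port=0) and serve in a daemon thread.
    In a real test, bind on an interface the target can reach."""
    server = ThreadingHTTPServer((host, port), RecordingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://{host}:{server.server_address[1]}"


def build_xxe_probe(callback_url, token):
    """XML whose DOCTYPE declares an external entity at the listener.
    A parser that resolves external entities fetches the URL while parsing,
    even if the element value is never shown back to the tester."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE order [\n  <!ENTITY probe SYSTEM "{callback_url}/xxe/{token}">\n]>\n'
        '<order>\n  <id>&probe;</id>\n</order>\n'
    )


DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


def has_doctype(xml_text):
    """Server-side guard: reject any document with a DTD before parsing.
    Better still, disable DTD and external-entity processing in the parser."""
    return bool(DOCTYPE_RE.search(xml_text))


def hits_for(token):
    return [h for h in RecordingHandler.hits if f"/xxe/{token}" in h[1]]


if __name__ == "__main__":
    server, base = start_listener()
    probe = build_xxe_probe(base, "t0k3n")
    # Stand-in for a vulnerable parser fetching the entity URL.
    urllib.request.urlopen(f"{base}/xxe/t0k3n", timeout=5).read()
    print(probe)
    print(hits_for("t0k3n"))
    server.shutdown()
```

Using a fresh random token per upload lets one listener serve many tests and ties each hit to the request that caused it; the User-Agent recorded with the hit usually names the XML library or HTTP client on the server side.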

Deserialization Vulnerabilities

Vulnerability principle: a serialized string is read from a user-controllable location (cookie, parameter) and deserialized on the server. Because the serialized content can describe arbitrary objects, and reconstructing them invokes their code (gadget chains), the result is code injection and execution.

Test method: security scan; construct a serialized payload that executes a server command, place it in the corresponding parameter or cookie, and check whether it executes.
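An added example, not code from the original post, using Python's pickle as a stand-in for any native serialization format: the vulnerable load of a cookie, a restricted unpickler that refuses every global lookup (so ordinary session data still loads while gadgets do not), and the preferred replacement, which stores plain JSON authenticated with an HMAC. The payload's "command" is os.getcwd() so that running it is harmless; a real gadget would call os.system. SECRET_KEY and the cookie layout are constructed.

```python
"""Deserialization from a cookie: vulnerable, restricted, replaced (added example)."""
import base64
import hashlib
import hmac
import io
import json
import os
import pickle


class Payload:
    # pickle stores the result of __reduce__: "call os.getcwd()" on load.
    def __reduce__(self):
        return (os.getcwd, ())


def make_cookie(obj):
    return base64.b64encode(pickle.dumps(obj)).decode()


def vulnerable_load_session(cookie):
    # Vulnerable: whatever the cookie describes gets instantiated, including
    # calls to arbitrary importable functions.
    return pickle.loads(base64.b64decode(cookie))


def exploit_ran(cookie):
    """True if loading the cookie executed the payload's os.getcwd() call."""
    return vulnerable_load_session(cookie) == os.getcwd()


class RestrictedUnpickler(pickle.Unpickler):
    # Plain dicts/strings/ints need no global lookups, so an empty allowlist
    # still loads ordinary session data while refusing every gadget.
    ALLOWED = set()

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_load_session(cookie):
    return RestrictedUnpickler(io.BytesIO(base64.b64decode(cookie))).load()


def restricted_rejects(cookie):
    try:
        restricted_load_session(cookie)
    except pickle.UnpicklingError:
        return True
    return False


# Preferred fix: do not deserialize objects at all. Store plain JSON and
# authenticate it with an HMAC so the server only trusts what it issued.
SECRET_KEY = b"constructed-demo-key-rotate-me"


def sign_session(data, key=SECRET_KEY):
    body = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + mac


def verify_session(cookie, key=SECRET_KEY):
    """Returns the data, or None if the cookie is malformed or tampered."""
    try:
        b64, mac = cookie.rsplit(".", 1)
        body = base64.urlsafe_b64decode(b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(body)


if __name__ == "__main__":
    evil = make_cookie(Payload())
    print("vulnerable loader ran payload:", exploit_ran(evil))
    print("restricted loader rejected it:", restricted_rejects(evil))
    print(verify_session(sign_session({"user": "userA"})))
```

The restricted unpickler is a mitigation, not a fix: it has to be applied at every load site and an allowlist that grows to include library classes can reintroduce gadgets. The signed-JSON form removes the problem because nothing in the cookie is ever turned into code.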

SQL injection

Vulnerability principle: parameters entered by the user are spliced directly into the SQL statements that implement business logic. If a parameter is a carefully constructed SQL fragment, unintended SQL is executed, for example extracting the database root password hash and going on to dump the whole database.

Test method: security scan; use sqlmap to scan for SQL injection.
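An added example, not code from the original post, showing the spliced query beside the parameterized one on an in-memory SQLite database with constructed rows, together with the kind of probes sqlmap sends: a tautology that returns every row, a UNION that pulls the password hash column into the normal result set, and a boolean-based pair that detects injection even when the response carries no obvious error.

```python
"""String-spliced SQL versus a bound parameter, with probes (added example)."""
import sqlite3


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "hash-a"),          # constructed rows
        (2, "bob", "hash-b"),
        (3, "root", "hash-root"),
    ])
    return conn


def vulnerable_find_user(conn, name):
    # Vulnerable: the value is spliced into the statement, so quotes in the
    # input change the statement's structure.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def safe_find_user(conn, name):
    # Fixed: the value travels as a bound parameter and can only ever be data.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


# Constructed probes.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT id, password_hash FROM users --"


def boolean_probe(find, conn, known_name="alice"):
    """sqlmap-style boolean check: two inputs that are identical as data but
    opposite as SQL. Different results mean the input is parsed as SQL."""
    true_case = find(conn, f"{known_name}' AND '1'='1")
    false_case = find(conn, f"{known_name}' AND '1'='2")
    return true_case != false_case


if __name__ == "__main__":
    conn = setup_db()
    print(vulnerable_find_user(conn, TAUTOLOGY))
    print(vulnerable_find_user(conn, UNION_DUMP))
    print(safe_find_user(conn, TAUTOLOGY), safe_find_user(conn, UNION_DUMP))
    print(boolean_probe(vulnerable_find_user, conn), boolean_probe(safe_find_user, conn))
```

The UNION probe is what "dragging the database" looks like in practice: the attacker never needs a separate statement, only a way to route another table's columns through the query the application already runs. The boolean pair is worth keeping in a regression suite because it works against interfaces that swallow database errors.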

JSONP hijacking

Vulnerability principle: a JSONP interface that returns data across domains does not check the source of the request (Referer or Origin), so a page on any other site can load the interface with the victim's cookies, supply its own callback function and read the sensitive information the interface returns.

Test method: security scan; capture the JSONP request with Burp Suite and replay it with the Referer header removed or set to a foreign domain, or load the interface from a test page on another domain with a callback you control. If the sensitive data still comes back, the vulnerability exists. Also check that the callback parameter itself is restricted to a plain function name, since a reflected callback is an XSS sink.

Arbitrary URL redirection

Vulnerability principle: the domain of the URL that a business flow redirects to can be modified freely by the user (the redirect target is in a parameter or cookie), so the user can be sent to a forged phishing site that guides them to enter sensitive information there.

Test method: security scan; modify the redirect target URL parameter to an external domain; if the site redirects there, the vulnerability exists. Also try variants that defeat naive checks, such as //evil.example, https:evil.example, a backslash in place of a slash, and a trusted host used as a prefix (www.example.com.evil.example) or as credentials (www.example.com@evil.example).
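A redirect-target check that handles those variants, as an added example that is not code from the original post. Only relative paths on the site, or absolute http(s) URLs whose exact host is on an allowlist, are accepted; everything else falls back to a default landing page. ALLOWED_HOSTS and the sample targets are constructed.

```python
"""Redirect-target check for a next/returnUrl parameter (added example)."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.com", "example.com"}     # constructed allowlist
DEFAULT = "/"


def safe_redirect(target, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT):
    """Return target if it stays on an allowed host, otherwise the default."""
    if not target:
        return default
    target = target.strip()
    # Browsers treat '\' like '/', and control characters are never legitimate.
    if "\\" in target or any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return default
    try:
        parts = urlsplit(target)
    except ValueError:
        return default
    if parts.scheme:
        # Rejects javascript:, data:, and "https:evil.example" (a scheme
        # without a host, which browsers still resolve as an absolute URL).
        if parts.scheme not in ("http", "https") or not parts.netloc:
            return default
    if parts.netloc:
        # Covers "//evil.example", "http://trusted@evil.example" and
        # "www.example.com.evil.example": only the exact host counts.
        if parts.username or parts.password or parts.hostname not in allowed_hosts:
            return default
        return target
    if not target.startswith("/"):
        return default      # "evil.example/x" would resolve relative to the page
    return target


if __name__ == "__main__":
    for t in ("/account/home", "//evil.example/", "https:evil.example",
              "https://www.example.com@evil.example/", "/\\evil.example"):
        print(repr(t), "->", safe_redirect(t))
```

Where the business really needs off-site redirects, the cleanest design replaces the free-form URL with an identifier that the server maps to a stored destination, so there is nothing for the user to rewrite.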

XSS (cross-site scripting)

Vulnerability principle: content entered by the user is displayed on the page without processing. If the user enters an executable JS script, it runs directly in other users' browsers, which can lead to theft of the session_id or csrf token, defeat of the Referer-based protection against JSONP hijacking, theft of sensitive pages under the same domain, and so on.

Test method: security scan; enter "< > ' \" &" in the input box; when the content is displayed on the page, view the page source. If it is output exactly as entered, the vulnerability exists; if it has been escaped to HTML entities such as &lt; and &gt;, protection is in place. Check each output context separately (HTML body, attribute value, JavaScript string, URL): HTML entity encoding alone does not protect a value inserted into a script block.

CSRF (Cross-Site Request Forgery)

Vulnerability principle: the path, method and parameters of an ordinary HTTP interface can be fully reconstructed, so an attacker can forge requests to high-risk operation interfaces (such as like, favourite or follow), disguise them (as a short link or a QR code) and send them to other users to click. The victim's browser then performs the harmful operation with the victim's cookies, without the victim knowing.

Test method: security scan; capture the request with Burp Suite, delete the token parameter or set it to empty, and replay the request. If it still succeeds, the vulnerability exists.
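A session-bound CSRF token and the strip-and-replay test from the text, as an added example that is not code from the original post. The token is an HMAC over the session id and a nonce, so it cannot be forged without the server key and a token issued to one session is rejected under another. SECRET_KEY, the form fields and the "like" handler are constructed.

```python
"""Session-bound CSRF token and the strip-and-replay test (added example)."""
import hashlib
import hmac
import secrets

SECRET_KEY = b"constructed-demo-key"


def issue_csrf_token(session_id):
    nonce = secrets.token_hex(8)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    if not token or "." not in token:
        return False
    nonce, mac = token.rsplit(".", 1)
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def vulnerable_like(session_id, form):
    # Vulnerable: any request carrying the victim's cookie is accepted,
    # including one a third-party page auto-submits.
    return (200, {"liked": form["post_id"]})


def fixed_like(session_id, form):
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return (403, {"error": "missing or invalid CSRF token"})
    return (200, {"liked": form["post_id"]})


def strip_and_replay(handler, session_id, form):
    """The test from the text: drop the token, then send it empty, and
    record which variants the interface still accepts."""
    variants = {
        "missing": {k: v for k, v in form.items() if k != "csrf_token"},
        "empty": {**form, "csrf_token": ""},
    }
    return {name: handler(session_id, f)[0] for name, f in variants.items()}


def is_csrf_vulnerable(handler, session_id, form):
    return any(status == 200
               for status in strip_and_replay(handler, session_id, form).values())


if __name__ == "__main__":
    form = {"post_id": "42", "csrf_token": issue_csrf_token("sess-A")}
    print(strip_and_replay(vulnerable_like, "sess-A", form))
    print(strip_and_replay(fixed_like, "sess-A", form))
```

Two things to check alongside the token: that state-changing operations are not reachable by GET, where no form token is involved, and that the session cookie carries a SameSite attribute as a second layer, since the token only helps if the server actually verifies it on every such interface.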

SMS/email/phone bombing

Vulnerability principle: the SMS/phone number or email address is supplied by the user, and messages or calls can be sent to it repeatedly with no rate limit, so the interface can be used to harass a user.

Test method: security scan; capture the sending interface with Burp Suite and use Repeater (or Intruder) to send it in bulk. If every request succeeds, there is no protection.

Login endpoint brute forcing

Vulnerability principle: improper design of the login endpoint, with missing or inadequate risk control (no captcha, lockout or rate limit), allows user names and passwords to be brute forced.

Test method: security scan; build a weak-password dictionary and use Burp Suite (Repeater or Intruder) to replay the login request with each candidate. If attempts are never blocked, the vulnerability exists.
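The protection both of the last two sections are missing, as an added example that is not code from the original post: a sliding-window rate limit applied to a send-SMS interface, and the same limiter used per account and per IP to lock a login endpoint after repeated failures, with the bulk-send and dictionary-attack tests from the text simulated against it. Time is passed in explicitly so the block runs deterministically; the limits, keys and password list are constructed.

```python
"""Rate limit for an SMS interface and a login endpoint (added example)."""
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `key` in any `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)        # key -> timestamps

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()                          # forget events outside the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Send-SMS interface: at most 5 codes per phone number per hour.
SMS_LIMITER = SlidingWindowLimiter(limit=5, window=3600)


def send_sms_code(phone, now=None):
    """True if a code would be sent, False if the request is dropped."""
    return SMS_LIMITER.allow(phone, now)


def bombard(phone, attempts, start=0.0, spacing=0.5):
    """The Repeater test: fire `attempts` requests, count those that got through."""
    return sum(send_sms_code(phone, start + i * spacing) for i in range(attempts))


class LoginGuard:
    """Lock an account (and an IP) after too many attempts in a window."""

    def __init__(self, max_failures=5, window=900):
        self.by_account = SlidingWindowLimiter(max_failures, window)
        self.by_ip = SlidingWindowLimiter(max_failures, window)

    def attempt(self, account, ip, password_ok, now):
        # Each attempt consumes a slot from both counters; if either is
        # exhausted the attempt is rejected even with the correct password.
        if not self.by_account.allow(account, now) or not self.by_ip.allow(ip, now):
            return "locked"
        if password_ok:
            self.by_account.events[account].clear()   # success resets the account counter
            return "ok"
        return "denied"


# Constructed weak-password dictionary; the attack tries one guess per second.
WEAK_PASSWORDS = ["123456", "password", "qwerty", "111111", "abc123",
                  "letmein", "welcome", "admin", "hunter2"]


def dictionary_attack(guard, account, ip, real_password, start=0.0):
    """Returns (found, attempts_made) for an attacker walking the dictionary."""
    for i, guess in enumerate(WEAK_PASSWORDS, 1):
        result = guard.attempt(account, ip, guess == real_password, start + i)
        if result == "ok":
            return True, i
        if result == "locked":
            return False, i
    return False, len(WEAK_PASSWORDS)


if __name__ == "__main__":
    print("SMS requests that got through out of 20:", bombard("13800000000", 20))
    print("attack against guarded login:", dictionary_attack(LoginGuard(), "alice", "203.0.113.7", "hunter2"))
    print("attack against unguarded login:", dictionary_attack(LoginGuard(max_failures=10**6), "alice", "203.0.113.7", "hunter2"))
```

Keying the login counter by account as well as by IP matters because a brute-force run through a proxy pool changes IP on every request; keying by account alone lets an attacker lock out any user at will, which is why the two are combined with a short window and why a captcha, rather than a hard lock, is often preferred for the account side.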

Origin blog.csdn.net/2301_76161259/article/details/130261461