Understand these security vulnerabilities and you, too, can do security testing

01 SMS Bomb

1. Vulnerability description

SMS bombing is a common attack. The attacker takes the "send verification code" function exposed on a website page, captures the outgoing request, and replays it. If the server-side SMS platform performs no check, the system keeps sending text messages, which is the SMS bombing vulnerability.

2. Penetration testing

Manually look for registration pages, authentication pages, or any other page on the target site that sends a text message; if one exists, proceed to the next step.

Using Burp Suite or another proxy that captures and intercepts requests, capture the request that sends the verification code and replay it, then check whether the phone receives more than 10 text messages in a short period. If a large number of messages arrive, the vulnerability exists.

3. Risk Rating

If any mobile phone number can be bombed, rate as high risk.

If only the current (or a single) mobile phone number can be bombed, but messages can still be sent to it continuously, rate as low risk.

4. Security advice

Configure the back-end SMS service sensibly: for the same mobile phone number, the same verification code should be sent at most 5-10 times, and the interval between sends should be limited.

After a certain number of sends (which may be 0), require a captcha (graphic verification code) before sending again.

02 Mail bomb

1. Vulnerability description

The application does not limit the number or frequency of emails it sends, so a large number of emails can be delivered to a recipient's mailbox in a short period, flooding it with spam.

2. Penetration testing

Manually look for registration pages, authentication pages, or any other page on the target site that sends an email; if one exists, proceed to the next step.

Using Burp Suite or another proxy that captures and intercepts requests, capture the request that sends the email and replay it, then check whether the mailbox receives more than 10 emails in a short period. If a large number of emails arrive, the vulnerability exists.

3. Risk Rating

If any mailbox can be bombed, rate as high risk.

If only the current mailbox can be bombed, rate as low risk.

4. Security advice

Configure the back-end mail service sensibly: for the same mailbox, the same verification email should be sent at most 5-10 times, and the interval between sends should be limited.

After a certain number of sends (which may be 0), require a captcha (graphic verification code) before sending again.
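As an added example (not code from the original post), the following Python limiter implements the advice given for both the SMS bomb and the mail bomb sections on the server side: a per-recipient cap on sends within a window, a minimum interval between two sends, and a captcha requirement once a threshold is passed. The policy numbers, the recipient string and the fake clock are constructed for this example; the same object is keyed by phone number or mailbox, so one instance covers both channels.

```python
import time
from collections import defaultdict, deque

# Policy values are assumptions for this example (the page only says 5-10 sends plus an interval limit).
MAX_SENDS_PER_WINDOW = 5      # at most 5 codes per recipient per window
WINDOW_SECONDS = 3600         # one-hour counting window
MIN_INTERVAL_SECONDS = 60     # at least 60 s between two sends to the same recipient
CAPTCHA_AFTER = 2             # once a recipient has received this many codes, a captcha is required


class VerificationSendLimiter:
    """Server-side limiter for verification-code sends, keyed by recipient
    (a phone number or a mailbox). The clock is injectable so the behaviour can be tested."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.history = defaultdict(deque)  # recipient -> timestamps of sends inside the window

    def _prune(self, recipient, now):
        q = self.history[recipient]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return q

    def check(self, recipient, captcha_ok=False):
        """Return (allowed, reason). A send is recorded only when it is allowed,
        so rejected replays never consume quota themselves."""
        now = self.clock()
        q = self._prune(recipient, now)
        if len(q) >= MAX_SENDS_PER_WINDOW:
            return False, "quota_exceeded"
        if q and now - q[-1] < MIN_INTERVAL_SECONDS:
            return False, "too_soon"
        if len(q) >= CAPTCHA_AFTER and not captcha_ok:
            return False, "captcha_required"
        q.append(now)
        return True, "sent"


class FakeClock:
    """Constructed clock so a replay can be simulated without sleeping."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_replay(attempts, gap_seconds, captcha_ok=False):
    """Replay the same send request `attempts` times, `gap_seconds` apart, against one
    constructed recipient; return the limiter's decision for each replay."""
    clock = FakeClock()
    limiter = VerificationSendLimiter(clock)
    reasons = []
    for _ in range(attempts):
        _, reason = limiter.check("+10000000000", captcha_ok=captcha_ok)  # constructed number
        reasons.append(reason)
        clock.advance(gap_seconds)
    return reasons


if __name__ == "__main__":
    print("burst replay:", simulate_replay(5, 0))
    print("slow replay, no captcha:", simulate_replay(4, 60))
    print("slow replay, captcha solved:", simulate_replay(8, 60, captcha_ok=True))
```

The "more than 10 messages in a short period" test from the page maps directly onto `simulate_replay`: a burst of identical requests yields one send and four `too_soon` rejections, and even a patient attacker who solves the captcha is stopped by the per-window quota.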

03 Directed SMS forwarding

1. Vulnerability description

The recipient of a text message can be arbitrarily specified by the client.

2. Penetration testing

Intercept the request that sends the text message, change the mobile phone number to the tester's own number, and check whether the SMS verification code is received there.

3. Risk Rating: High Risk

4. Security advice

When sending a text message, take the mobile phone number from the current session rather than from a parameter supplied by the front end.

The user's bound mobile phone number must not be changeable at will; changing it must go through an authentication process.

04 Directed mail forwarding

1. Vulnerability description

The recipient of an email sent by the application can be arbitrarily specified by the client.

2. Penetration testing

Intercept the request that sends the email, change the recipient address to the tester's own address, and check whether the email is received there.

3. Risk Rating: High Risk

4. Security advice

When sending an email, take the mailbox from the current session rather than from a parameter supplied by the front end.

The user's bound mailbox must not be changeable at will; changing it must go through an authentication process.
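As an added example (not code from the original post), the following Python handlers show the vulnerable pattern from the SMS and mail forwarding sections beside the hardened one: the vulnerable handler sends the code to whatever recipient the request names, while the hardened handler ignores any recipient in the request and resolves it from the authenticated session. It also shows that rebinding the number is itself an authenticated step. The `USERS` table, the `RecordingSender`, the code value and all names are constructed for this example.

```python
import hmac

# Constructed user store standing in for the application's database.
USERS = {
    "alice": {"phone": "+10000000001", "email": "alice@example.test"},
}


class RecordingSender:
    """Constructed stand-in for the SMS/mail gateway: records instead of sending."""

    def __init__(self):
        self.sent = []

    def send_sms(self, phone, text):
        self.sent.append(("sms", phone, text))

    def send_email(self, mailbox, text):
        self.sent.append(("email", mailbox, text))


def send_code_vulnerable(session, request, sender):
    """Trusts the recipient supplied by the client; a tampered request redirects the code."""
    phone = request["phone"]
    sender.send_sms(phone, "code:123456")  # constructed code value
    return phone


def send_code_hardened(session, request, sender):
    """Resolves the recipient from the session user only; a "phone" or "email"
    field in the request is ignored. Returns the destination actually used."""
    user = USERS.get(session.get("user"))
    if user is None:
        raise PermissionError("not authenticated")
    channel = request.get("channel", "sms")
    if channel == "sms":
        dest = user["phone"]
        sender.send_sms(dest, "code:123456")
    elif channel == "email":
        dest = user["email"]
        sender.send_email(dest, "code:123456")
    else:
        raise ValueError("unknown channel")
    return dest


def change_phone(session, request, delivered_codes):
    """Rebinding the number requires a code that was delivered to the number currently
    on file, not to the new one. `delivered_codes` maps phone -> code issued earlier."""
    user = USERS.get(session.get("user"))
    if user is None:
        raise PermissionError("not authenticated")
    expected = delivered_codes.get(user["phone"])
    if expected is None or not hmac.compare_digest(expected, request.get("code", "")):
        raise PermissionError("verification of the current number required")
    user["phone"] = request["new_phone"]
    return user["phone"]


def is_rejected(fn, *args):
    """Helper for checks: True if the handler refuses the request."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    s = RecordingSender()
    print(send_code_vulnerable({"user": "alice"}, {"phone": "+19999999999"}, s))
    print(send_code_hardened({"user": "alice"}, {"phone": "+19999999999"}, s))
    print(s.sent)
```

Run against the page's test (swap the number in the intercepted request for the tester's), the vulnerable handler delivers the code to the attacker-chosen number and the hardened one does not, because the request field is never read.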

05 Any user password modification/reset

1. Vulnerability description

The password of any account can be modified or reset by tampering with the user name or user ID, brute-forcing the verification code, and so on.

2. Penetration testing

Password modification normally first verifies the user's original password and then asks the user to enter a new one.

There are roughly three ways to bypass the password modification mechanism:

If the page for entering the new password can be accessed directly, the password can be changed without knowing the original one. Usually another person's password can then be changed simply by knowing their user name.

If the system does not verify the identity of the user submitting the change, the attacker can enter a password, replace the user name or user ID in the request with someone else's, and change that person's password.

If the change requires email or SMS confirmation but the application does not verify that the submitted email address or mobile phone number belongs to the user, the attacker fills in their own address or number, receives the link or verification code there, and uses it to change another person's password.

There are two main ways to bypass the password reset mechanism:

Obtain a password reset link through normal means and infer how it is constructed (for example from the user name or the MD5 of a timestamp); knowing another person's email address, construct a reset link for their account.

Knowing another person's mobile phone number, reset their password by exhaustively trying the SMS verification code.

3. Risk Rating: High Risk

4. Security advice

Submit the verification information (original password, new password, etc.) together in a single password-change request.

For a password-change request submitted by the client, the server should compare the identity in the request against the currently logged-in user to determine whether that user is entitled to change the password.

When a mobile phone or email is used for verification, it must correspond one-to-one with the user whose password is being changed; the verification code must be valid only once and become invalid after use, to prevent brute-force attempts.

When verifying the original password, limit the number of incorrect attempts to prevent attackers from brute-forcing it.

The key information in a password reset link should be random and unpredictable (for example a token mechanism), and such key information must never be returned to the client.
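As an added example (not code from the original post), the following Python service implements the advice above: the password-change request carries the original and new password together, the identity in the request is checked against the session user, wrong original passwords are counted and capped, and reset tokens are random, bound to one user, time-limited and single-use. The user table, passwords, attempt cap and TTL are constructed for this example; a real system stores password hashes, not plaintext.

```python
import hmac
import secrets
import time

MAX_WRONG_PASSWORD = 5  # assumption for this example


class PasswordService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.passwords = {"alice": "old-pass", "bob": "bob-pass"}  # constructed; hash these in practice
        self.wrong_attempts = {}     # username -> wrong original-password count
        self.reset_tokens = {}       # token -> (username, expiry); never echoed back to a client

    def change_password(self, session_user, requested_user, old_password, new_password):
        """One request carries everything; the server decides, not a flag from an earlier page."""
        if session_user != requested_user:
            return "forbidden"                       # request names someone other than the logged-in user
        if self.wrong_attempts.get(session_user, 0) >= MAX_WRONG_PASSWORD:
            return "locked"                          # cap on brute-forcing the original password
        if not hmac.compare_digest(self.passwords[session_user], old_password):
            self.wrong_attempts[session_user] = self.wrong_attempts.get(session_user, 0) + 1
            return "wrong_password"
        self.wrong_attempts[session_user] = 0
        self.passwords[session_user] = new_password
        return "changed"

    def issue_reset_token(self, username, ttl=900):
        """Unpredictable token bound to exactly one user with an expiry. It is delivered
        only to that user's own registered channel, never returned in the HTTP response."""
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (username, self.clock() + ttl)
        return token

    def reset_password(self, token, new_password):
        entry = self.reset_tokens.pop(token, None)   # single use: consumed on first presentation
        if entry is None:
            return "invalid_token"
        username, expiry = entry
        if self.clock() > expiry:
            return "expired"
        self.passwords[username] = new_password
        return "reset"


if __name__ == "__main__":
    svc = PasswordService()
    print(svc.change_password("alice", "bob", "x", "y"))        # forbidden
    t = svc.issue_reset_token("bob")
    print(svc.reset_password(t, "new"), svc.reset_password(t, "again"))  # reset invalid_token
```

Because the token is popped before it is checked, a second presentation (or a guessed token) fails regardless of timing, and the attempt counter removes the brute-force path against the original password.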

06 SSO Authentication Flaws

1. Vulnerability description

Flaws in SSO authentication allow logging in to other people's accounts without authorization.

2. Penetration testing

Lack of protection for information in transit

During SSO authentication, most sensitive information is transmitted in clear text and can easily be stolen, leaking important information. In addition, in most scenarios the key information exchanged is not signed, leaving it open to masquerading attacks.

Exploitation of web service security flaws

Since single sign-on is almost always implemented on top of web services, it inherits their security flaws, such as cross-site scripting and unauthorized access.

3. Risk Rating: High Risk

4. Security advice

Use HTTPS for transmission wherever it does not affect the business.

Strictly verify user identity during the SSO authentication process.

Filter parameters supplied by the user, and escape or block special characters.
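As an added example (not code from the original post), the following Python code addresses the "key information is not signed" point above: the identity provider signs the subject, target service and expiry of an SSO ticket with an HMAC, and the service provider verifies the signature, audience and expiry before trusting the subject. The shared key, the claim names and the ticket format are this example's own assumptions, not any particular SSO product's format. `tamper_ticket` models the masquerade the text warns about, to show that rewriting the subject without the key is detected.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed key shared by the identity provider and the service provider.
SSO_KEY = b"constructed-shared-secret"


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(user, audience, now, ttl=300):
    """Identity provider side: sign user, target service and expiry so none can be altered in transit."""
    payload = json.dumps({"sub": user, "aud": audience, "exp": now + ttl}, sort_keys=True).encode()
    sig = hmac.new(SSO_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_ticket(ticket, audience, now):
    """Service provider side: return the subject, or None for a tampered, misdirected or expired ticket."""
    try:
        encoded_payload, encoded_sig = ticket.split(".")
        payload, sig = _unb64(encoded_payload), _unb64(encoded_sig)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SSO_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None                     # signature check first; claims are untrusted until it passes
    claims = json.loads(payload)
    if claims.get("aud") != audience:
        return None                     # a ticket for one service must not log in to another
    if claims.get("exp", 0) < now:
        return None
    return claims.get("sub")


def tamper_ticket(ticket, new_user):
    """Constructed masquerade attempt: change the subject but keep the original signature."""
    encoded_payload, encoded_sig = ticket.split(".")
    claims = json.loads(_unb64(encoded_payload))
    claims["sub"] = new_user
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + encoded_sig


if __name__ == "__main__":
    t = issue_ticket("alice", "shop", now=1000)
    print(verify_ticket(t, "shop", now=1100))                      # alice
    print(verify_ticket(tamper_ticket(t, "admin"), "shop", now=1100))  # None
```

Signing does not replace HTTPS: the ticket is still readable on the wire and can be replayed within its lifetime, which is why the page's first recommendation is transport encryption and the expiry here is short.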

07 Privilege escalation (unauthorized operations)

1. Vulnerability description

Privilege escalation vulnerabilities are flaws in the application's authorization checks: after obtaining a low-privilege account, an attacker can bypass the permission check by some means and access or operate functions that should require higher privileges. In code security reviews such vulnerabilities are hard to detect automatically with tools, which makes them very harmful in practice. They are somewhat different from unauthenticated (unauthorized) access.

2. Penetration testing

Log in to the system as the super administrator admin (a high-privilege user).

Find a link to a function only the super administrator has, such as "http://localhost/userManage/userList.do", which lists all users, and copy the link.

Log in as an ordinary user, enter userManage/userList.do in the address bar, and check whether all users can be viewed.

Horizontal privilege escalation between users at the same level can be tested in the same way.

3. Risk Rating: High Risk

4. Security advice

Verify permissions for every user operation so that unauthorized pages cannot be reached and illegal operations cannot be performed by modifying parameters. It is recommended to check the requested data against the current user's identity on the server side.
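As an added example (not code from the original post), the following Python code shows server-side checks for both kinds of privilege escalation the section describes: a role check on an admin-only user list (the vertical case, corresponding to a link like userManage/userList.do), and an ownership check on a record looked up by ID (the horizontal case), with the vulnerable version beside the hardened one. The `USERS` and `ORDERS` tables, role names and handler names are constructed for this example.

```python
from functools import wraps

# Constructed user and record stores standing in for the database.
USERS = {"admin": {"role": "admin"}, "alice": {"role": "user"}, "bob": {"role": "user"}}
ORDERS = {101: {"owner": "alice", "total": "44.98"}, 102: {"owner": "bob", "total": "5.00"}}


class Forbidden(Exception):
    pass


def require_role(role):
    """Vertical check: the handler runs only if the session user holds `role`.
    The decision uses the session, never a role or user id sent in the request."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(session, *args):
            user = USERS.get(session.get("user"))
            if user is None or user["role"] != role:
                raise Forbidden(f"{role} role required")
            return fn(session, *args)
        return wrapper
    return decorator


@require_role("admin")
def user_list(session):
    """Admin-only function, like the userList.do link in the page's test."""
    return sorted(USERS)


def order_detail_vulnerable(session, order_id):
    """Only checks that someone is logged in; changing the id exposes any user's order."""
    if "user" not in session:
        raise Forbidden("login required")
    return ORDERS[order_id]


def order_detail_hardened(session, order_id):
    """Horizontal check: the record's owner must be the session user (admins may see all)."""
    user = session.get("user")
    if user is None:
        raise Forbidden("login required")
    order = ORDERS.get(order_id)
    if order is None:
        raise KeyError(order_id)
    if order["owner"] != user and USERS[user]["role"] != "admin":
        raise Forbidden("not the owner")
    return order


def is_denied(fn, session, *args):
    """Helper: True if the handler refuses the request with Forbidden."""
    try:
        fn(session, *args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print(user_list({"user": "admin"}))
    print(is_denied(user_list, {"user": "alice"}))                 # True
    print(is_denied(order_detail_vulnerable, {"user": "alice"}, 102))  # False: alice reads bob's order
    print(is_denied(order_detail_hardened, {"user": "alice"}, 102))    # True
```

The page's test (copy an admin link, open it as an ordinary user) is exactly `is_denied(user_list, {"user": "alice"})`; the horizontal variant is the same idea applied to an ID the ordinary user changes.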

08 Malicious locking problem

1. Vulnerability description

Any account can be maliciously locked by repeatedly entering wrong passwords.

2. Penetration testing

Using a test account, keep entering wrong passwords until the account is locked.

3. Risk rating:

If, after the account is locked, the authentication function can still be used freely, so that accounts can be locked in batches by automation, rate as medium risk.

If, after the account is locked, the authentication function can still be used but has anti-automation measures, rate as low risk.

4. Security advice

After an account is locked, the authentication function should not remain freely usable; for example, restrict the requesting IP so that authentication can only be retried after a period of time.

Protect the authentication function against automation, for example by adding a graphic captcha.
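As an added example (not code from the original post), the following Python guard combines the two pieces of advice above: accounts still lock after repeated wrong passwords, but failures are also counted per source address, with a captcha required after a few failures and a cool-down once the source exceeds its quota, so that one client cannot lock accounts in bulk. All thresholds, the account names and the IP address are constructed for this example; `simulate_mass_lockout` runs the page's test against many accounts from one source.

```python
import time

LOCK_AFTER = 5               # wrong passwords before the account is locked
LOCK_SECONDS = 900
IP_MAX_FAILURES = 20         # wrong passwords from one source address...
IP_WINDOW = 600              # ...within this window trigger a source cool-down
CAPTCHA_AFTER_FAILURES = 3   # source must solve a captcha after this many failures


class LoginGuard:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.account_failures = {}   # username -> (count, locked_until)
        self.ip_failures = {}        # ip -> timestamps of failures inside the window

    def attempt(self, username, ip, password_ok, captcha_ok=False):
        """Return the outcome of one login attempt. The per-source checks run first,
        so a locked account does not become a free oracle for an automated client."""
        now = self.clock()
        ip_fail = [t for t in self.ip_failures.get(ip, []) if now - t < IP_WINDOW]
        self.ip_failures[ip] = ip_fail
        if len(ip_fail) >= IP_MAX_FAILURES:
            return "source_throttled"
        if len(ip_fail) >= CAPTCHA_AFTER_FAILURES and not captcha_ok:
            return "captcha_required"
        count, locked_until = self.account_failures.get(username, (0, 0))
        if now < locked_until:
            ip_fail.append(now)      # probing a locked account still counts against the source
            return "account_locked"
        if password_ok:
            self.account_failures[username] = (0, 0)
            return "ok"
        count += 1
        ip_fail.append(now)
        locked_until = now + LOCK_SECONDS if count >= LOCK_AFTER else 0
        self.account_failures[username] = (count, locked_until)
        return "account_locked" if locked_until else "wrong_password"


def simulate_mass_lockout(accounts, per_account_attempts, captcha_ok=True, ip="198.51.100.7"):
    """Constructed replay of wrong passwords against many accounts from one source address;
    returns how many accounts ended up locked."""
    guard = LoginGuard(clock=lambda: 1000.0)
    locked = 0
    for user in accounts:
        for _ in range(per_account_attempts):
            if guard.attempt(user, ip, password_ok=False, captcha_ok=captcha_ok) == "account_locked":
                locked += 1
                break
    return locked


if __name__ == "__main__":
    victims = [f"user{i}" for i in range(10)]
    print("captcha solved each time:", simulate_mass_lockout(victims, 5))      # 4: source quota stops the rest
    print("no captcha:", simulate_mass_lockout(victims, 5, captcha_ok=False))  # 0
```

With these numbers a source that keeps solving captchas locks at most four accounts before it is throttled, and one that cannot locks none; tune the quotas to the service's real traffic, since a shared egress IP will hit them sooner.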

09 Negative amounts / positive-and-negative offsetting

1. Vulnerability description

The application does not validate the value range of order data, so a transaction can carry a negative amount (a negative-value refund) or offset positive and negative line items against each other.

2. Penetration testing

Intercept the request when submitting an order and change order parameters such as the unit price, quantity, or total price to negative numbers.

When submitting an order containing several products, intercept the request and modify the unit price or quantity of some of the products while keeping the order total positive.

3. Risk Rating: High Risk

4. Security advice

When the server generates a transaction order, it takes the product price from the database; using a product price sent by the client is forbidden.

The server validates the value range of the transaction data submitted by the client (product ID, quantity, price, etc.), compares the product ID and price with the database, and checks that the quantity is an integer greater than zero.

When the server generates a payment order, it signs every factor that affects the payment amount (product ID, quantity, price, order number, etc.) and verifies the signature on the payment order the client submits.
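As an added example (not code from the original post), the following Python order builder implements the three recommendations above: prices come from the server-side catalogue (a client-sent price is only compared, never used), quantities must be positive integers within a range, and the amount-affecting fields are signed with an HMAC that the payment step verifies. The catalogue, signing key, quantity cap and order numbers are constructed for this example; the canonical string format is this example's own choice.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

# Constructed catalogue standing in for the product table in the database.
CATALOGUE = {"sku-1": Decimal("19.99"), "sku-2": Decimal("5.00")}
ORDER_KEY = b"constructed-order-signing-key"
MAX_QTY = 1000  # assumption: upper bound on a single line's quantity


class OrderError(ValueError):
    pass


def build_order(order_no, items):
    """items: the client's submission, e.g. [{"id": "sku-1", "qty": 2, "price": "19.99"}].
    Every line is checked against the catalogue; the total is computed from database prices only."""
    lines, total = [], Decimal("0")
    for item in items:
        sku = item.get("id")
        if sku not in CATALOGUE:
            raise OrderError(f"unknown product {sku!r}")
        qty = item.get("qty")
        if type(qty) is not int or not 1 <= qty <= MAX_QTY:   # rejects negatives, zero, floats, bools, strings
            raise OrderError(f"invalid quantity for {sku}: {qty!r}")
        db_price = CATALOGUE[sku]
        if "price" in item:                                    # client price is cross-checked, not trusted
            try:
                client_price = Decimal(str(item["price"]))
            except InvalidOperation:
                raise OrderError(f"unparseable price for {sku}")
            if client_price != db_price:
                raise OrderError(f"price mismatch for {sku}")
        lines.append((sku, qty, db_price))
        total += db_price * qty
    return {"order_no": order_no, "lines": lines, "total": total,
            "sig": sign_order(order_no, lines, total)}


def _canonical(order_no, lines, total):
    parts = [order_no] + [f"{sku}:{qty}:{price}" for sku, qty, price in lines] + [str(total)]
    return "|".join(parts).encode()


def sign_order(order_no, lines, total):
    return hmac.new(ORDER_KEY, _canonical(order_no, lines, total), hashlib.sha256).hexdigest()


def verify_payment(submitted):
    """Payment step: recompute the signature over the submitted order; any change to an
    amount-affecting field (SKU, quantity, price, total, order number) breaks it."""
    expected = sign_order(submitted["order_no"], submitted["lines"], submitted["total"])
    return hmac.compare_digest(expected, submitted["sig"])


def order_is_rejected(order_no, items):
    try:
        build_order(order_no, items)
    except OrderError:
        return True
    return False


if __name__ == "__main__":
    order = build_order("ORD-1", [{"id": "sku-1", "qty": 2}, {"id": "sku-2", "qty": 1}])
    print(order["total"], verify_payment(order))                       # 44.98 True
    print(order_is_rejected("ORD-2", [{"id": "sku-1", "qty": -1}]))    # True
```

The two tests from the page map onto `order_is_rejected`: a negative unit price fails the catalogue comparison, and a negative quantity on one line of a multi-product order is rejected before the total is ever computed, so offsetting cannot occur.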

10 Business process jump

1. Vulnerability description

A business process that is carried out step by step allows intermediate verification steps to be skipped and later operations performed directly, rendering the intermediate verification ineffective.

2. Penetration testing

First complete the normal business flow and capture the request for each step;

Skip the intermediate steps and directly send the last one or more verification requests to see whether the checks can be bypassed.

3. Risk Rating: High Risk

4. Security advice

Where it does not affect the business, it is recommended to store a verification flag in the session for each step's page. Before serving the page for a new step, check the session flag of every previous step, and bind the flags tightly to the user identity.

Special scenario: Password modification/reset process jump

Vulnerability description

Password modification is often implemented step by step, and an attacker bypasses some of the verification steps to change the user's password without knowing the original one.

Penetration testing

Complete the normal password modification/reset flow and determine whether the marker indicating that the original-password step passed can be forged.

Bypass steps such as the original-password check, directly access the page for entering a new password, enter one, and modify/reset the password.

Risk Rating: High Risk

Security advice

Submit the verification information (original password, new password, etc.) together in a single password modification/reset request.
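As an added example (not code from the original post), the following Python code implements the session-flag advice from the business process jump section and applies it to the password reset special scenario: each completed step stores a flag in the server-side session that is derived from the user identity and a per-session nonce, and a step is served only when every earlier step carries a valid flag. The step names, the session layout, the flag derivation and the request sequence are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Order of the reset flow in this example.
STEPS = ["verify_identity", "verify_code", "set_password"]


class FlowError(PermissionError):
    pass


class StepGuard:
    """Per-step completion flags kept in the server-side session and bound to the user."""

    def __init__(self, session):
        self.session = session
        session.setdefault("flow_nonce", secrets.token_hex(16))

    def _flag(self, step):
        # Derived from user identity and the session nonce, so a flag copied from another
        # user's session (or forged by guessing) does not validate here.
        msg = f"{self.session['user']}:{step}:{self.session['flow_nonce']}".encode()
        return hashlib.sha256(msg).hexdigest()

    def complete(self, step):
        self.session.setdefault("done", {})[step] = self._flag(step)

    def require(self, step):
        """Before serving `step`, every earlier step must carry a valid flag for this user."""
        for prev in STEPS[:STEPS.index(step)]:
            have = self.session.get("done", {}).get(prev)
            if have is None or not hmac.compare_digest(have, self._flag(prev)):
                raise FlowError(f"step {prev!r} not completed")


def reset_flow(session, requests):
    """requests: ordered (step, payload) pairs as the client sends them.
    Returns (step, outcome) for each, where outcome is ok / failed / rejected."""
    guard = StepGuard(session)
    served = []
    for step, payload in requests:
        try:
            guard.require(step)
        except FlowError:
            served.append((step, "rejected"))       # step jump: earlier verification missing
            continue
        if step == "verify_identity" and payload.get("username") == session["user"]:
            guard.complete(step)
        elif step == "verify_code" and payload.get("code") == session.get("expected_code"):
            guard.complete(step)
        elif step == "set_password":
            session["password"] = payload["new"]
            guard.complete(step)
        else:
            served.append((step, "failed"))
            continue
        served.append((step, "ok"))
    return served


if __name__ == "__main__":
    session = {"user": "alice", "expected_code": "4242"}   # constructed session
    print(reset_flow(session, [("set_password", {"new": "x"})]))   # [('set_password', 'rejected')]
```

The page's test (capture each step, then send only the last request) is the single `set_password` request in the `__main__` block; it is rejected because the earlier flags are absent, and flags lifted from another user's session fail the identity binding.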


Origin blog.csdn.net/m0_67695717/article/details/131463933