Detailed explanation of web security (basics of penetration testing)

1. Basic knowledge of the Web

1. HTTP protocol

HTTP (Hypertext Transfer Protocol) is the most widely used network protocol on the Internet. It is the standard that all WWW documents must follow: an application-layer specification built on TCP/IP whose messages are transmitted as ASCII text. Simply put, it is a fixed set of communication rules.

2. Three network architectures and their characteristics

Network application architecture includes three types:
client/server structure (C/S)
browser/server structure (B/S)
P2P structure

C/S architecture

  1. Requires a specific client program to be installed
  2. Develop different versions for different platforms
  3. Upgrading the app requires reinstallation
  4. Ability to directly use client hardware resources

B/S structure

  1. The client does not need to be installed, only a web browser is required
  2. cross-platform capability
  3. Seamless upgrade, client maintenance-free

P2P architecture
Peer-to-peer system: no server relay is needed; clients communicate directly with each other.

3. Features of Web applications

  1. The application is graphical and easy to navigate, displaying rich graphics and text on the page.
  2. The application is platform-independent and can be accessed over the Internet from any platform.
  3. Web applications are distributed: different information can be placed on different sites.
  4. Web applications are dynamic: a site's information includes information about the site itself, and the information provider can update the site's content at any time.

4. URL Composition

protocol: the transport protocol used
hostname: the host name
port: the port number
path: the path to the resource
parameters: parameters attached to the path

query: optional; used to pass parameters to dynamic pages. There can be several parameters, separated by "&", and each parameter's name and value are separated by "=".

fragment: a string identifying a fragment within the network resource.

6. The nature of the HTTP protocol

  1. HTTP is simple
  2. HTTP is extensible
  3. HTTP is stateless, but sessions can be built on top of it
  4. HTTP is reliable

7. Format of request and response messages

An HTTP request message has three parts:

  1. Request line: request method, URL and protocol version
  2. Request headers: each header consists of a field name, a colon and a value
  3. Request body

An HTTP response message also has three parts:

  1. Status line: protocol version and status code (status code classes are listed in section 11)
  2. Response headers
  3. Response body

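The following is an added example (not code from the original article) that parses a raw request message into the three parts just listed and splits a URL into the components from section 4. The request bytes and the URL are constructed samples; the length check on the body is included because a message whose declared Content-Length disagrees with what arrived should be rejected rather than guessed at.

```python
# Added example (not from the original article): parse a raw HTTP request
# message into its three parts (request line, headers, body) and split a URL
# into the components listed in section 4.
from urllib.parse import urlparse, parse_qs

# Constructed sample request with CRLF line endings, as sent on the wire.
SAMPLE_REQUEST = (
    b"POST /search?q=web+security&page=3 HTTP/1.1\r\n"
    b"Host: example.com:8080\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 9\r\n"
    b"\r\n"
    b"lang=en&x"
)

# Constructed sample URL exercising every component from section 4.
SAMPLE_URL = "https://user@example.com:8443/docs/index.php;sess=1?q=web+security&page=3#section-2"


def parse_request(raw: bytes) -> dict:
    """Split a request message into request line, header fields and body."""
    head, _, body = raw.partition(b"\r\n\r\n")        # an empty line ends the headers
    lines = head.decode("ascii").split("\r\n")
    method, target, version = lines[0].split(" ", 2)  # request line
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")        # "Name: value"
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    # Do not trust the framing blindly: the declared length must match the
    # body that actually arrived, otherwise the message is rejected.
    declared = int(headers.get("content-length", "0"))
    if len(body) != declared:
        raise ValueError("Content-Length does not match the body received")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def split_url(url: str) -> dict:
    """Break a URL into protocol, hostname, port, path, parameters, query, fragment."""
    p = urlparse(url)
    return {
        "protocol": p.scheme,
        "hostname": p.hostname,
        "port": p.port,
        "path": p.path,
        "parameters": p.params,
        # query: "&"-separated name=value pairs; values are URL-decoded
        "query": parse_qs(p.query),
        "fragment": p.fragment,
    }


if __name__ == "__main__":
    print(parse_request(SAMPLE_REQUEST))
    print(split_url(SAMPLE_URL))
```

Header names are lower-cased on the way in because HTTP field names are case-insensitive; the body is kept as bytes because its encoding is only known from Content-Type.
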
8. Request method

GET, POST, OPTIONS, HEAD, PUT, DELETE, TRACE, CONNECT

9. HTTP cache

A cache is a technique that keeps a copy of a resource and serves that copy directly on the next request. When a web cache finds that a requested resource is already stored, it intercepts the request and returns its copy instead of downloading the resource again from the origin server. The benefits are reduced load on the server and better performance (fetching the resource takes less time).


10. How to judge cache freshness

The web server uses two methods to determine whether the browser's cached copy is still up to date:
1. Last-Modified and If-Modified-Since
2. ETag and If-None-Match

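As an added example (not from the original article), here is the server side of both freshness checks: the resource body and its modification time are constructed values, the ETag is derived from the body, and the handler returns 304 when the client's validator still matches. If-None-Match is evaluated before If-Modified-Since, and a malformed date is ignored rather than trusted.

```python
# Added example (not from the original article): a server deciding whether a
# client's cached copy is fresh using ETag / If-None-Match and
# Last-Modified / If-Modified-Since.
import hashlib
from datetime import datetime, timezone
from email.utils import formatdate, parsedate_to_datetime

# Constructed resource and modification time (hypothetical values).
RESOURCE_BODY = b"<html><body>hello</body></html>"
RESOURCE_MTIME = datetime(2023, 8, 1, 12, 0, 0, tzinfo=timezone.utc)


def etag_for(body: bytes) -> str:
    # A strong validator derived from the content; quoted as the header requires.
    return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'


def http_date(dt: datetime) -> str:
    # RFC 1123 format, e.g. "Tue, 01 Aug 2023 12:00:00 GMT"
    return formatdate(dt.timestamp(), usegmt=True)


def handle_conditional_get(request_headers: dict) -> tuple:
    """Return (status, response_headers, body) for a GET with optional validators."""
    etag = etag_for(RESOURCE_BODY)
    validators = {"ETag": etag, "Last-Modified": http_date(RESOURCE_MTIME)}

    # 1. ETag check takes precedence when both validators are present.
    inm = request_headers.get("If-None-Match")
    if inm is not None:
        client_tags = [tag.strip() for tag in inm.split(",")]
        if "*" in client_tags or etag in client_tags:
            return 304, validators, b""
        return 200, validators, RESOURCE_BODY

    # 2. Otherwise fall back to the modification date.
    ims = request_headers.get("If-Modified-Since")
    if ims is not None:
        try:
            since = parsedate_to_datetime(ims)
        except (TypeError, ValueError):
            since = None  # malformed date: ignore the header, send the full response
        if since is not None:
            if since.tzinfo is None:
                since = since.replace(tzinfo=timezone.utc)
            if RESOURCE_MTIME <= since:
                return 304, validators, b""
    return 200, validators, RESOURCE_BODY


if __name__ == "__main__":
    status, headers, _ = handle_conditional_get({})
    print(status, headers)
    print(handle_conditional_get({"If-None-Match": headers["ETag"]})[0])
```

The ETag is computed from the body here; a real server would usually store it alongside the resource rather than hash on every request.
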
11. HTTP redirection principle and status codes

In HTTP, a redirect is triggered by the server sending a special response (a redirect response) whose status code is in the 3xx range. When the browser receives such a response it takes the new URL supplied in it and loads that URL immediately; in most cases, apart from a small performance cost, the redirect is invisible to the user.


1xx Informational
2xx Success: the request was received and handled successfully
3xx Redirection
4xx Client error: the request sent by the client has a syntax error
5xx Server error

12. HTTPS protocol and digital certificates

HTTPS is an HTTP channel with security as its goal; in effect it is an upgraded version of HTTP.
Digital certificate: issued to the server by an authoritative CA (Certificate Authority). The CA generates the certificate from the information supplied by the server; its contents include information about the holder, the server's public key, and the signer's signature (a digital signature). Most importantly, the public key is carried inside the digital certificate.

13. What is the difference between the HTTPS protocol and the HTTP protocol?

  1. HTTP is the hypertext transfer protocol and transmits information in plain text; HTTPS is HTTP carried over an SSL-encrypted channel.
  2. HTTP connects on port 80, while HTTPS uses port 443.
  3. HTTPS requires applying to a CA for a certificate. Generally there are few free certificates and a fee is required; some web containers, such as Tomcat, also provide them. HTTP needs none of this.

14. The role of the web client

  1. Send HTTP requests
  2. Receive the server's responses
  3. Render the HTML returned by the server into a user interface. The web client is mainly the browser.

15. Function of the web server

  1. Listen for client requests
  2. Handle simple client requests (generally static pages)
  3. Act as a barrier between the client and the database
  4. Handle the business logic and database access of complex systems

16. The role of a cluster environment

Cluster environment: a server cluster groups many servers together to provide the same service. A cluster can use several machines for parallel computation to achieve high processing speed (load balancing), and it can also use several machines as backups for one another to achieve failover.

17. What is a cookie and what does a cookie do?

Cookie: a cookie is a small piece of text (in key-value format).

The client sends a request to the server; if the server needs to record the user's state, it issues a cookie to the client browser in its response. The browser saves the cookie, and when it requests the site again it sends the cookie along with the requested URL. The server checks the cookie to identify the user's state.

18. Types of cookies

  1. Session cookie: stored in memory, maintained by the browser, and gone once the browser is closed.
  2. Persistent cookie: stored on disk with an expiration time; it is deleted when the user clears it manually or when the expiration time is reached.

Expiration: represented by the cookie's maxAge attribute, in seconds.

19. The role and principle of the session

In computing, and especially in networked applications, this is called "session control". The Session object stores the attributes and configuration needed for a particular user's session, so that variables stored in it are not lost when the user moves between the application's web pages but persist for the whole user session.

The principle of the session

  1. When the user requests the server for the first time, the server generates a sessionId
  2. The server returns the generated sessionId to the client through Set-Cookie
  3. The client receives the sessionId and saves it in a cookie; when the client visits the server again, it brings the sessionId with it
  4. When the server receives a subsequent request, it first checks whether the sessionId exists. If it does not, it creates a new sessionId and repeats steps 1 and 2. If it does, it looks through the server's session files for the one corresponding to that sessionId; the file's key is the sessionId and its value is information about the current user
  5. Subsequent requests use this sessionId to obtain a stateful session

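The five steps above, together with the cookie attributes from sections 17 and 18, as an added example (not code from the original article). The session store is an in-memory dict constructed for the demonstration; a real deployment would keep sessions in a server-side store. The Set-Cookie value is built with HttpOnly and Secure, and without Max-Age so that it is a session cookie; passing max_age produces a persistent cookie instead.

```python
# Added example (not from the original article): the session principle from
# section 19 with the cookie attributes from sections 17 and 18.
import secrets
import time

# In-memory session store: sessionId -> user data (constructed for this demo).
SESSIONS: dict = {}


def new_session_id() -> str:
    # 32 bytes from the OS CSPRNG: a session ID must be unguessable.
    return secrets.token_urlsafe(32)


def set_cookie_header(name: str, value: str, max_age=None,
                      secure: bool = True, http_only: bool = True,
                      same_site: str = "Lax") -> str:
    """Build a Set-Cookie header value.
    Without Max-Age the cookie lives in browser memory (session cookie);
    with Max-Age (seconds) it is written to disk (persistent cookie)."""
    parts = [f"{name}={value}", "Path=/"]
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    if secure:
        parts.append("Secure")          # only sent over HTTPS
    if http_only:
        parts.append("HttpOnly")        # not readable from document.cookie
    parts.append(f"SameSite={same_site}")
    return "; ".join(parts)


def parse_cookie_header(header: str) -> dict:
    """Parse 'a=1; b=2' from a Cookie request header into a dict."""
    cookies = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def handle_request(request_headers: dict) -> tuple:
    """Steps 1-5: look the sessionId up; when it is missing or unknown,
    create a new session and tell the browser about it via Set-Cookie."""
    cookies = parse_cookie_header(request_headers.get("Cookie", ""))
    sid = cookies.get("sessionId")
    response_headers = {}
    if sid is None or sid not in SESSIONS:
        sid = new_session_id()                                   # step 1 / step 4 (unknown id)
        SESSIONS[sid] = {"created": time.time(), "visits": 0}
        response_headers["Set-Cookie"] = set_cookie_header("sessionId", sid)  # step 2
    SESSIONS[sid]["visits"] += 1                                 # state kept on the server
    return SESSIONS[sid], response_headers


if __name__ == "__main__":
    data, resp = handle_request({})
    print(resp["Set-Cookie"])
    sid = parse_cookie_header(resp["Set-Cookie"])["sessionId"]
    print(handle_request({"Cookie": f"sessionId={sid}"}))
```

An unknown sessionId presented by the client is never adopted as-is; the server always mints its own, which is what keeps an attacker from choosing the identifier.
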
Two implementations of Session (that is, delivery methods)

  1. Achieved through cookies
  2. Implemented through URL rewriting

The difference between Session and Cookie

  1. Cookie data is saved in the client browser, while the Session is saved on the server
  2. A server-side state mechanism needs a marker on the client side, so the Session may rely on the Cookie mechanism
  3. Cookies are usually used on the client side to save the user's login status
  4. A Session can hold any type of data, but a Cookie can only store strings
  5. The amount of data a Cookie can store is limited; a Session is not limited

20. The principle of the token

  1. The user sends a request with a username and password.
  2. The program verifies them.
  3. The program returns a signed token to the client.
  4. The client stores the token and sends it with every subsequent request.
  5. The server verifies the token and returns the data.

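The five steps as an added example (not code from the original article): the user table, its salt and the signing key are constructed values, and the token format (base64 payload, dot, base64 HMAC-SHA256 signature) is one chosen for this example rather than anything the article prescribes. Verification checks the signature in constant time before reading any claim, then checks expiry.

```python
# Added example (not from the original article): issuing and verifying a
# signed, expiring token after a username/password check.
import base64
import binascii
import hashlib
import hmac
import json
import time

# Hypothetical server-side secrets and user table (constructed for this demo).
SERVER_KEY = b"constructed-demo-signing-key-do-not-reuse"
PBKDF2_ROUNDS = 100_000
USERS = {
    "alice": (b"constructed-salt", hashlib.pbkdf2_hmac(
        "sha256", b"correct horse", b"constructed-salt", PBKDF2_ROUNDS)),
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, ttl_seconds: int = 3600, now=None) -> str:
    """Step 3: sign {sub, exp} with the server key."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": username, "exp": int(now + ttl_seconds)},
                         separators=(",", ":")).encode("ascii")
    signature = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(signature)


def verify_token(token: str, now=None):
    """Step 5: return the username if the signature is valid and the token
    has not expired, otherwise None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, signature = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def login(username: str, password: str):
    """Steps 1-3: verify the password against the stored PBKDF2 hash and
    hand back a token; None on failure (same response for unknown users)."""
    record = USERS.get(username)
    if record is None:
        return None
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, stored):
        return None
    return issue_token(username)


if __name__ == "__main__":
    token = login("alice", "correct horse")
    print(token)
    print(verify_token(token))
```

The payload is only base64-encoded, not encrypted: anyone holding the token can read the claims, and only the signature stops them from altering the claims.
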
21. Data encoding methods

URL encoding is the format browsers use to package form input.

Base64 is a way of representing arbitrary binary data with 64 ASCII characters.

MD5 is a hash function widely used in computer security to provide message integrity protection; it is not reversible.

22. Types of web testing

  1. Interface testing: navigation, graphics, content, overall interface, interface controls
  2. Functional testing
  3. Performance testing
  4. Compatibility testing
  5. Security testing, etc.

23. Advantages of H5

  1. Cross-platform: H5 pages work on every platform and can be debugged and modified directly in the web page, so development and maintenance cost is low and the development cycle is short.
  2. Better page capabilities: in addition to drawing two-dimensional graphics, tags for playing video and audio are provided.
  3. Web application features such as local databases have been added.
  4. Usage statistics for H5 marketing are easy to collect.

24. The difference between APP testing, web testing and H5 testing

Similarities

For the same system function, the business flow tested on all three ends is the same.

Normally the mobile and PC ends share one set of backend services. For some functions, such as where the PC and mobile displays differ or there is special handling, the backend writes two different sets of interfaces to handle the corresponding business needs.

Differences

  1. The test platform (container) is different
  2. Compatibility testing is different
  3. The system architecture is different
  4. The release process is different
  5. APP testing also has some special tests of its own

25. Three development modes commonly used on mobile

There are three main modes: native apps (Native App), hybrid apps (Hybrid App) and web apps (Web App).

2. Exploratory testing

  1. Pass-through testing: look at the data

  2. Test-one-get-one-free: perform the same two operations at the same time.

  3. Traversal testing: test the pop-up windows, all of them.

  4. Destructive testing: for example of the network or memory. (The first four are mostly global.)

3. Agile testing method

3.1 Comparison of the waterfall model and the agile model

Sequential (waterfall model): simple, staged, with causal dependencies between stages; does not support user participation and requires requirements to be fixed in advance.
Scope of application: software systems whose requirements are easy to define and unlikely to change.

Agile (iterative): does not require requirements to be fully defined in advance, supports user participation, supports gradual refinement and confirmation of requirements, and can adapt to changes in user needs.
Scope of application: software systems whose requirements are complex, hard to pin down and changing.

3.2 The Scrum framework includes 3 roles, 3 artifacts, 5 events, and 5 values

3 roles: Product Owner ScrumMaster Development Team

3 Artifacts
Product Backlog
SprintBacklog
Product Increment

5 events
Sprint (the Sprint itself is an event and contains the following 4 events)
Sprint planning meeting
Daily stand-up meeting
Sprint review meeting
Sprint retrospective meeting

5 values
Commitment – willingness to commit to the goal
Focus – put your mind and ability into the work you committed to
Openness – Scrum opens everything in the project to everyone
Respect – everyone has a unique background and experience
Courage – having the courage to make commitments, keep them, and receive the respect of others

3.3 A user story consists of three elements

  1. Role (who): who is going to use this
  2. Activity (what): what activity is to be completed
  3. Value (why): why this is wanted, what value doing it brings

3.4 Characteristics of user stories

  1. Independent
  2. Negotiable
  3. Valuable
  4. Estimable
  5. Small
  6. Testable

3.5 Prioritization of user stories

1. Must 2. Should 3. Could 4. Would not

3.6 The role of Kanban

  1. Clear stages and entry criteria.
  2. The number of tasks in each stage; control WIP <= 4.
  3. The various durations that make up the lead time.
  4. Value to be delivered and value delivered.
  5. Information visualization and change notification.

3.7 What is DevOps

DevOps: culture change + automation tools = a changing marketplace. It is also a development model: agile + automation tools.

3.8 Test shift-left and test shift-right

Test shift-left

  1. Review
  2. Technology alignment
  3. Self-test empowerment
  4. Multi-role collaboration

Test shift-right

  1. Grayscale release
  2. Monitoring
  3. Problem attribution

4. Web Security

4.1 What is the main purpose of penetration testing?

Penetration testing is the method of carrying out security testing and evaluation through actual attacks.

4.2 The process of penetration testing

  1. Define the objective
  2. Gather information
  3. Vulnerability detection
  4. Vulnerability verification
  5. Write the report
  6. Information collation and analysis

4.3 Contents of information gathering

  1. Domain information
  2. Sensitive directories
  3. Port scan
  4. Sites on the same host and the same class C subnet
  5. Whole-site analysis

4.4 The concept and significance of the same-origin policy

Concept: two page addresses have the same origin when their protocol, domain name (or IP), subdomain and port number are all identical.

Meaning: it restricts a document or script from one origin from reading or setting certain properties of the current document when the two origins differ.

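The origin comparison, as an added example (not code from the original article). It normalizes the protocol and host to lower case and fills in the default port for http and https before comparing, so that http://example.com and http://example.com:80 are recognized as the same origin, while a different subdomain or an explicit non-default port is not.

```python
# Added example (not from the original article): comparing two URLs under the
# same-origin rule (protocol, host and port must all match).
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple:
    """Return the (scheme, host, port) triple that defines a URL's origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or parts.hostname is None:
        raise ValueError(f"not an http(s) URL with a host: {url!r}")
    # An omitted port means the scheme's default port, not "no port".
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    # path, query and fragment play no part in the origin
    return scheme, parts.hostname.lower(), port


def same_origin(url_a: str, url_b: str) -> bool:
    return origin_of(url_a) == origin_of(url_b)


if __name__ == "__main__":
    print(same_origin("http://example.com/a", "http://example.com:80/b"))      # True
    print(same_origin("https://example.com", "https://api.example.com"))      # False
```
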
4.5 Browser sandbox

Sandbox: a synonym for "resource isolation module".

The purpose of designing a sandbox:

  1. Let untrusted code run in a confined environment, and prevent it from accessing resources outside the isolated area

  2. If data must be exchanged across the sandbox boundary, allow it only through designated channels, such as encapsulated APIs, in which the legitimacy of each request is strictly checked

4.6 Malicious website blocking mechanism

The browser periodically fetches a blacklist of the latest malicious URLs from a server. If a URL the user visits is on this blacklist, the browser shows a warning page.

4.7 The principle of the XSS attack

An attacker can place JavaScript code between <script> tags to achieve some "special effects".
In a real attack the attacker does not merely pop up a dialog box, but usually uses a <script> tag whose src attribute points at an external file to load an external script.

The attacker's malicious JavaScript is stored in x.txt. This code may be used to steal users' cookies, or to carry out malicious monitoring such as keylogging.

4.8 Three types of XSS

Reflected: the malicious code is attached to a request parameter and reflected back in the response.

Stored: after XSS code is submitted, it is received and stored by the server. When the page is visited again, the program reads the XSS code out and sends it to the browser in the response.

DOM-based: XSS produced by JavaScript modifying the page's DOM nodes.

4.9 XSS vulnerability prevention

  1. Filter (escape) HTML
  2. If PHP outputs into JavaScript code, or provides a JSON API, the front end must also filter in JS
  3. Set the HttpOnly attribute when setting the cookie

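Prevention items 1 and 2 side by side, as an added example (not code from the original article). The first renderer concatenates user input straight into HTML and is the vulnerable form; the second escapes it for an HTML text context; the third prepares data that is embedded inside a script block, which is item 2's case, by JSON-encoding it and then escaping the characters that could close the script element. The sample comment is a constructed test string, chosen only to show that the script tag survives in one output and not in the other.

```python
# Added example (not from the original article): the vulnerable rendering
# next to its escaped form, plus safe embedding of data inside a script block.
import html
import json

# Constructed sample input containing a script tag.
SAMPLE_COMMENT = "<script>alert(1)</script>"


def render_comment_vulnerable(comment: str) -> str:
    # Vulnerable: the user-supplied text is inserted into the HTML unchanged,
    # so a script tag in it is interpreted by the browser as markup.
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    # Prevention item 1: escape <, >, &, " and ' before insertion into an HTML
    # text context, so the browser shows the characters instead of parsing them.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def json_for_script(data) -> str:
    # Prevention item 2: data that ends up inside <script>...</script> must be
    # JSON-encoded AND have <, > and & escaped as \uXXXX, because json.dumps
    # alone leaves "</script>" intact and that would end the script element.
    encoded = json.dumps(data)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def contains_script_tag(markup: str) -> bool:
    # Crude detector used only to compare the two renderers in this example.
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_comment_vulnerable(SAMPLE_COMMENT))
    print(render_comment_safe(SAMPLE_COMMENT))
    print(json_for_script({"name": SAMPLE_COMMENT}))
```

Escaping is context-specific: html.escape is right for text between tags, and the JSON variant is right inside a script block, but neither is sufficient for a URL attribute or an inline event handler.
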
4.10 What is SQL injection?

SQL injection modifies and splices a web page's original input parameters (from the URL, form fields or packet fields) into SQL statements; these are passed to the web server and on to the database server, which executes them as database commands.

4.11 Types of SQL injection

  1. String (character) injection
  2. Numeric injection
  3. Blind injection
  4. UNION-based injection

4.12 Types of blind injection

  1. Boolean-based blind injection
  2. Time-based blind injection

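String and numeric injection from the list above, each shown as a vulnerable query next to its parameterized form, as an added example (not code from the original article). The database is an in-memory SQLite instance with a constructed users and products table; the string case uses the classic comment-out of the password clause, and the numeric case shows why a numeric parameter has to be validated as a number rather than just placed in quotes.

```python
# Added example (not from the original article): string and numeric SQL
# injection, each beside the parameterized query that closes the hole.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plain-text password only to keep the demo short; store hashes in practice.
    conn.execute("INSERT INTO users VALUES ('alice', 'constructed-pw')")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "Widget"), (2, "Gadget")])
    conn.commit()
    return conn


# --- string injection -------------------------------------------------------

def login_vulnerable(conn, username: str, password: str):
    # Vulnerable: input is spliced into the statement, so a quote in the
    # username ends the string literal and the rest becomes SQL.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username: str, password: str):
    # Hardened: placeholders keep the input as data; no quoting can escape.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# --- numeric injection ------------------------------------------------------

def product_by_id_vulnerable(conn, id_param: str):
    # Vulnerable: a numeric column compared against unquoted user input, so
    # "1 OR 1=1" widens the condition to every row.
    return conn.execute(f"SELECT name FROM products WHERE id = {id_param}").fetchall()


def product_by_id_safe(conn, id_param: str):
    # Hardened: the parameter must actually be an integer, and it is bound
    # as a value rather than spliced into the statement.
    try:
        product_id = int(id_param)
    except ValueError:
        raise ValueError("product id must be an integer") from None
    return conn.execute("SELECT name FROM products WHERE id = ?", (product_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice' --", "anything"))   # bypasses the password
    print(login_safe(db, "alice' --", "anything"))         # None
    print(product_by_id_vulnerable(db, "1 OR 1=1"))        # every product
```

Parameterization handles quoting for the string case; for the numeric case it only helps once the value is really a number, which is why the int() conversion comes first.
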
4.13 What is a file inclusion vulnerability?

To make code more flexible, developers often make the included file a variable that is resolved dynamically; but precisely because of this flexibility, a client can cause a malicious file to be included, which is a file inclusion vulnerability. File inclusion vulnerabilities can exist in PHP, JSP, ASP and other languages, but most of them occur in PHP.

4.14 Exploiting a file inclusion vulnerability requires the following two conditions

  1. include() and similar functions bring in the file to be included through a dynamic variable;
  2. The user can control that dynamic variable.

4.15 File inclusion vulnerability prevention

  1. Strictly check whether the parameter used in the include is externally controllable, because the key to a successful file inclusion exploit is whether the included file can be controlled from outside;
  2. Path restriction: restrict included files to a particular folder, and forbid directory traversal characters such as "../";
  3. Include-file verification: verify that the included file is a member of a white list;
  4. Try not to use dynamic includes; the included file can be fixed on the page that needs it, e.g. include("head.php");.

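Items 1 to 3 combined in one resolver, as an added example (not code from the original article, and written in Python rather than PHP). The include directory and the allowlist are constructed values; nothing is read from disk, the function only decides which path an include would be allowed to touch. The allowlist check alone already blocks every traversal attempt, and the path check remains as defence in depth for the case where the allowlist is disabled.

```python
# Added example (not from the original article): resolving an externally
# supplied include name safely: allowlist first, then path restriction.
from pathlib import Path

# Hypothetical include directory and allowlist (constructed for this demo).
INCLUDE_DIR = Path("/var/www/app/includes")
ALLOWED_INCLUDES = {"head.php", "footer.php", "nav.php"}


def resolve_include(requested: str, allowlist=ALLOWED_INCLUDES,
                    base: Path = INCLUDE_DIR) -> Path:
    """Return the absolute path an include may use, or raise PermissionError.

    allowlist=None disables item 3 so that the path restriction of item 2
    can be seen working on its own."""
    # Items 1 and 3: the externally controlled name must be on the allowlist.
    if allowlist is not None and requested not in allowlist:
        raise PermissionError(f"include not in allowlist: {requested!r}")

    # Item 2: path restriction. Reject absolute paths and any ".." segment,
    # then confirm the resolved target still lies under the base directory
    # (this also catches tricks such as "head.php/../../x").
    rel = Path(requested)
    if rel.is_absolute() or ".." in rel.parts:
        raise PermissionError(f"directory traversal rejected: {requested!r}")
    base_resolved = base.resolve()
    candidate = (base_resolved / rel).resolve()
    try:
        candidate.relative_to(base_resolved)
    except ValueError:
        raise PermissionError(f"include escapes the include directory: {requested!r}") from None
    return candidate


if __name__ == "__main__":
    print(resolve_include("head.php"))
    for bad in ["../../etc/passwd", "head.php/../../x", "/etc/passwd"]:
        try:
            resolve_include(bad, allowlist=None)
        except PermissionError as exc:
            print("rejected:", exc)
```

Item 4 (a fixed include such as include("head.php")) needs no resolver at all, which is why the text recommends it where the flexibility is not actually required.
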
4.16 What does file upload checking consist of?

  1. Client-side checks: JavaScript validates the file before it is uploaded
  2. Server-side checks: verify that the file extension is permitted, and check whether malicious code is embedded in the file

4.17 Common methods of preventing file upload vulnerabilities

  1. Make the upload directory non-executable
  2. Determine the file type
  3. Replace file names and paths with random values
  4. Serve uploaded files from a separate domain name

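Items 2 and 3 of the server-side checks, as an added example (not code from the original article). The upload directory is a hypothetical path and the image signatures are the standard magic bytes for PNG, JPEG and GIF; the client-supplied name is used only to read the extension, and the stored name is random, so a double extension or a path in the name has no effect. Items 1 and 4 are deployment settings on that directory and domain and are noted in comments only.

```python
# Added example (not from the original article): server-side upload check
# with an extension allowlist, a content (magic bytes) check and random names.
import os
import secrets

# Hypothetical storage directory: mounted without execute permission (item 1)
# and served from a separate domain (item 4).
UPLOAD_DIR = "/srv/uploads"

# Allowed extensions mapped to the leading bytes that file type must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def check_upload(client_filename: str, content: bytes) -> str:
    """Validate an upload and return the random path it would be stored at."""
    # Never trust a client-supplied directory component.
    base_name = os.path.basename(client_filename.replace("\\", "/"))
    ext = base_name.rsplit(".", 1)[-1].lower() if "." in base_name else ""
    # Item 2a: extension allowlist (a denylist of .php etc. is easy to get around).
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension not allowed: {ext!r}")
    # Item 2b: the content must actually be that type, not a script renamed to it.
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise ValueError("file content does not match the declared type")
    # Item 3: random name with the verified extension; the original name is dropped.
    stored_name = secrets.token_hex(16) + "." + ext
    return os.path.join(UPLOAD_DIR, stored_name)


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16    # constructed PNG header
    print(check_upload("avatar.png", png))
    for name, body in [("shell.php", b"<?php"), ("shell.png", b"<?php echo 1;")]:
        try:
            check_upload(name, body)
        except ValueError as exc:
            print("rejected:", name, exc)
```

The magic-byte check is a type check, not a malware scan: a valid image can still carry appended data, which is why the directory must also be non-executable.
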
4.18 What is clickjacking?

The attacker overlays a transparent, invisible iframe on a web page and then induces the user to act on that page; the user then clicks on the transparent iframe page without knowing it. By adjusting the iframe's position, the user can be induced to click exactly on certain functional buttons of the iframe page.

4.19 CSRF principle

The attacker uses some technical means to trick the user's browser into visiting a website the user is already authenticated to and performing operations there (such as sending emails or messages, or even financial operations such as transferring money or buying goods). Because the browser is already authenticated, the visited website treats the request as a genuine user action and carries it out. This exploits a weakness of user authentication on the web: simple authentication only guarantees that the request came from the user's browser, not that the user sent it voluntarily.

4.20 CSRF defence

  1. Validate the HTTP Referer field
  2. Require a verification code as a second confirmation
  3. Token verification: use a token to defend against CSRF
  4. Cookie hashing

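Items 1, 3 and 4 in one request check, as an added example (not code from the original article). The site origin and the server key are constructed values. The token is a keyed hash of the session ID, which is the cookie-hashing idea of item 4 used as the token of item 3: the server embeds it in its own forms, and a page on another origin cannot read it. Origin is checked before Referer here, which is an addition to the article's item 1; an absent header is treated as a failure.

```python
# Added example (not from the original article): CSRF check combining a
# session-bound token with an Origin/Referer check.
import hashlib
import hmac
from urllib.parse import urlsplit

# Hypothetical site origin and server-side key (constructed for this demo).
SITE_ORIGIN = "https://app.example"
CSRF_KEY = b"constructed-csrf-key-replace-in-production"


def csrf_token_for(session_id: str) -> str:
    """Items 3 and 4: a token bound to the session via a keyed hash.
    The server places it in its own forms; another origin cannot obtain it."""
    return hmac.new(CSRF_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def source_ok(headers: dict) -> bool:
    """Item 1: the request must come from our own origin.
    Origin is preferred, Referer is the fallback; neither present -> reject."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    got, want = urlsplit(source), urlsplit(SITE_ORIGIN)
    return (got.scheme, got.hostname, got.port) == (want.scheme, want.hostname, want.port)


def validate_state_changing_request(session_id: str, form: dict, headers: dict) -> bool:
    """Accept a form submission only if the token matches the session and the
    request's source is our own origin."""
    submitted = str(form.get("csrf_token", ""))
    expected = csrf_token_for(session_id)
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False
    return source_ok(headers)


if __name__ == "__main__":
    sid = "constructed-session-id"
    form = {"csrf_token": csrf_token_for(sid), "amount": "10"}
    print(validate_state_changing_request(sid, form, {"Origin": SITE_ORIGIN}))    # True
    print(validate_state_changing_request(sid, form, {"Referer": "https://other.example/"}))  # False
```

Because the token depends only on the session ID and the key, rotating the session ID (for example at login) automatically invalidates old tokens.
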
4.21 HTML5 security issues?

  1. CORS attack
  2. Web Storage attack
  3. Web Worker Attack
  4. new tab attack

4.22 Session attack methods

  1. Session fixation attack

The attacker exploits the application's practice of keeping the session ID fixed on the server: the attacker arranges for someone else to authenticate and be authorized under a session ID the attacker already holds, then uses that session ID to hijack the victim's session and impersonate them. This is a session fixation attack.

  2. Session persistence attack

A session has a life cycle. If an attacker holds a valid session and it never expires, the attacker can keep using the user's account through that session, turning it into a permanent "backdoor".

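The two defences that follow from these attacks, as an added example (not code from the original article): rotating the session ID at authentication so that an ID fixed before login never becomes an authenticated session, and enforcing both an idle timeout and an absolute lifetime so that a captured session cannot be kept alive indefinitely. The store and the timeouts are constructed values; time is passed in explicitly so the behaviour can be checked without waiting.

```python
# Added example (not from the original article): session ID rotation at
# login (against fixation) and idle/absolute expiry (against persistence).
import secrets
import time

SESSIONS: dict = {}                 # in-memory store, constructed for this demo
IDLE_TIMEOUT = 30 * 60              # seconds without activity before expiry
ABSOLUTE_LIFETIME = 8 * 60 * 60     # hard cap regardless of activity


def _now(now):
    return time.time() if now is None else now


def create_session(now=None) -> str:
    """Anonymous session with a server-generated, unguessable ID."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None, "created": _now(now), "last_seen": _now(now)}
    return sid


def load_session(sid: str, now=None):
    """Return the session data, or None (and drop it) once it has expired."""
    session = SESSIONS.get(sid)
    if session is None:
        return None
    t = _now(now)
    if (t - session["created"] > ABSOLUTE_LIFETIME
            or t - session["last_seen"] > IDLE_TIMEOUT):
        SESSIONS.pop(sid, None)       # a stale session is never revived
        return None
    session["last_seen"] = t
    return session


def login(presented_sid: str, username: str, now=None) -> str:
    """Authenticate and rotate: whatever ID the client presented (even one it
    never received from us) is discarded and a fresh ID is issued, so an ID
    planted by an attacker never becomes an authenticated session."""
    SESSIONS.pop(presented_sid, None)
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = {"user": username, "created": _now(now), "last_seen": _now(now)}
    return new_sid


def logout(sid: str) -> None:
    """Server-side invalidation; clearing the cookie alone would not end it."""
    SESSIONS.pop(sid, None)


if __name__ == "__main__":
    planted = "id-chosen-before-login"
    sid = login(planted, "alice", now=0)
    print(sid != planted, planted in SESSIONS)          # True False
    print(load_session(sid, now=IDLE_TIMEOUT + 1))       # None: idle too long
```

Rotation must happen on every privilege change, not only at the first login, and the old ID is removed from the store rather than left to expire.
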
4.23 Single sign-on

Abbreviated as SSO. In multiple application systems, you only need to log in once to access all other application systems.

4.24 Role-based access control and data-level access control

Role-based access control: access control essentially establishes the correspondence between users and permissions.
Horizontal privilege problems arise because the system lacks data-level access control.

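The point in the last sentence, as an added example (not code from the original article): the first check only asks whether the caller's role carries the permission, so any customer can act on any customer's order; the second adds the data-level check that the order belongs to the caller. Roles, permissions and orders are constructed values.

```python
# Added example (not from the original article): role-based permission check
# alone, next to the same check with data-level (ownership) control added.

# Constructed role -> permission mapping and order records.
ROLE_PERMISSIONS = {
    "admin": {"order:read", "order:cancel", "user:manage"},
    "customer": {"order:read", "order:cancel"},
}
ORDERS = {
    1001: {"owner": "alice", "status": "open"},
    1002: {"owner": "bob", "status": "open"},
}


def role_allows(role: str, permission: str) -> bool:
    return permission in ROLE_PERMISSIONS.get(role, set())


def authorize_cancel_role_only(user: str, role: str, order_id: int) -> dict:
    """Vulnerable to horizontal privilege abuse: the role check passes for
    every customer, so alice can cancel bob's order."""
    if not role_allows(role, "order:cancel"):
        raise PermissionError(f"role {role!r} may not cancel orders")
    return ORDERS[order_id]


def authorize_cancel(user: str, role: str, order_id: int) -> dict:
    """Role check plus data-level check: a non-admin may only touch orders
    that belong to them."""
    if not role_allows(role, "order:cancel"):
        raise PermissionError(f"role {role!r} may not cancel orders")
    order = ORDERS.get(order_id)
    if order is None:
        raise KeyError(order_id)
    if role != "admin" and order["owner"] != user:
        # Same error as "not found" keeps the existence of other users'
        # orders from being enumerated by the response.
        raise PermissionError("order not accessible to this user")
    return order


if __name__ == "__main__":
    print(authorize_cancel_role_only("alice", "customer", 1002))   # bob's order: allowed
    try:
        authorize_cancel("alice", "customer", 1002)
    except PermissionError as exc:
        print("denied:", exc)
```
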
4.25 Principles of OAuth 2.0

OAuth introduces an authorization step to solve the problems above. When a third-party application asks to access a protected resource, the resource server issues an access token (AccessToken) to the third-party application once the resource owner has authorized it. The access token carries key attributes such as the scope of access the resource owner granted and the authorization's validity period. The third-party application must present the token in all subsequent resource access until the user actively revokes the authorization or the token expires.

4.26 Four authorization grant types

  1. Authorization code
  2. Implicit
  3. Password
  4. Client credentials

Origin blog.csdn.net/Arvin_FH/article/details/132167072