Web Penetration Overview

2. Web Penetration Overview

The Web is now used everywhere in corporate IT, e-commerce and e-government. Its rapid growth has also brought a large number of security threats.

The focus of cyber attacks has shifted to the application layer: the Web has become the attackers' target of choice, and Web-based attacks and damage keep growing. According to statistics attributed to Goldman Sachs, 75% of attacks are aimed at Web applications.

However, in the field of Web application security many companies still lack a full understanding and are not prepared, and many developers have no relevant experience, which gives attackers an opening.

2.1 Web security risks and trends

  • The latest White Hat Web security statistics report, based on a sample of 30,000 websites, was written by lead researcher Gabriel Gumbs, who pointed out that no single development language or platform has an obvious security advantage: measured by the number of vulnerabilities, there is little difference between sites built on the many development languages in use, and the vulnerability counts of the major development platforms are all of the same order of magnitude.

  • The 2018 Summer State of the Internet Security Report on Web attacks pointed out that Web attacks occur at an average daily frequency of about 10 trillion, with a maximum of more than 16 million; at the same time, the most widely used attacks are still concentrated in SQL injection, XSS and file inclusion. Within the period covered by the report, Russia, China and Indonesia were the main source countries for credential-stuffing ("hit library", 撞库) attacks on the tourism industry, and half of the credential-stuffing activity was aimed at hotels, cruise lines, airlines and travel sites. The combined attack traffic from China and Russia against the hotel and tourism industries was three times the attack traffic from the United States.

  • Information breaches caused by hacking Web sites are becoming more and more common. In today's highly interconnected network, everyone has all kinds of sensitive personal information stored online, the largest part of it being the data users register and record on websites themselves. This gives attackers a strong incentive: stolen user data is sold into the underground economy and flows on to telemarketing, telecom fraud and other channels.

2.3 Common purposes of Web attacks

  • Mischief;
  • Shutting down the Web site and denying normal service;
  • Web page tampering, damaging corporate reputation;
  • Free access to premium content;
  • Stealing users' private information, such as email;
  • Logging in as a user to perform illegal operations and reap large profits;
  • Using the site as a pivot to attack other systems on the corporate intranet;
  • Planting Trojans on web pages to attack the specific group of users who visit them;
  • Impersonating the system's publisher to trick users into performing dangerous operations, for example replacing a normal download file with a Trojan, or asking users to transfer money.

2.4 Web security terminology

  • Backdoor
    A method of bypassing security controls to gain access to a program or system. The main purpose of a backdoor is to make it convenient to secretly re-enter or control the system later.

  • Webshell
    A Webshell is a command-execution environment that exists in the form of a web page file such as asp, php, jsp or cgi; it can also be called a web backdoor.

  • 0day vulnerability
    Usually refers to a vulnerability for which no patch exists yet, that is, one the vendor has not yet discovered, or has discovered but has not yet developed a security patch for.

  • Exploit
    Abbreviated "exp"; the exploitation of a vulnerability.

  • Privilege escalation
    Raising one's own privileges on a server, mainly during website intrusion: after a website is compromised, the Webshell's privileges are escalated through various vulnerabilities in order to gain control of the server.

  • Pivot (跳板)
    Simply put, when attacking or penetrating, the attack is not launched directly but through a controlled intermediate host. That intermediate host is the pivot.

  • Database dump (拖库)
    After a website is compromised, the hacker steals its database.

  • Social engineering
    A technique for gaining advantage through means such as deception and harm that exploit the victim's psychological weaknesses, instinctive reactions, curiosity, trust, greed and other psychological traps; its use has been rising rapidly and is even abused.

  • APT attack
    Advanced Persistent Threat. A form of attack that uses advanced techniques to conduct long-term, sustained network attacks against a specific target.

2.5 Common Web attack techniques (OWASP TOP 10)

Attacks on Web services come in all shapes and sizes. To help IT companies and development teams standardize their application development and testing processes and improve the security of Web products, the OWASP organization publishes the OWASP TOP 10 annual report every year, which summarizes the ten most likely, most common and most dangerous vulnerabilities in Web applications.
OWASP: the Open Web Application Security Project is a non-profit organization not affiliated with any company or consortium. Consequently, all facilities and documents provided and developed by OWASP are free from commercial influence. OWASP supports the reasonable use of commercial security technology, and it has a forum where IT professionals can publish and share professional knowledge and skills.

2.6 OWASP TOP 10 2017

  • A1 - Injection
    Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query; this includes SQL, NoSQL, OS and LDAP injection.
    The attacker's malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

  • A2 - Broken Authentication
    Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys or session tokens,
    or to exploit other application flaws to assume users' identities temporarily or permanently.

  • A3 - Sensitive Data Exposure
    Many Web applications and APIs do not properly protect sensitive data such as financial, healthcare and PII (personally identifiable information) data. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes.
    Without additional protection (for example encryption at rest and in transit, and special care when exchanged with the browser), sensitive data may be compromised.

  • A4 - XML External Entities (XXE)
    Many older or poorly configured XML processors evaluate external entity references within XML documents.
    External entities can be used to disclose internal files using the file URI handler, to reach internal file shares, to perform internal port scanning and remote code execution, and to mount denial-of-service attacks.

  • A5 - Broken Access Control
    Restrictions on what authenticated users are allowed to do are often not properly enforced.
    Attackers can exploit these flaws to access unauthorized functionality and data, for example accessing other users' accounts, viewing sensitive files, modifying other users' data, or changing access rights.

  • A6 - Security Misconfiguration
    Security misconfiguration is the most common issue.
    It is usually the result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information.
    Not only must all operating systems, frameworks, libraries and applications be securely configured, they must also be patched and upgraded in a timely manner.

  • A7 - Cross-Site Scripting (XSS)
    XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript.
    XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites.

  • A8 - Insecure Deserialization
    Insecure deserialization often leads to remote code execution.
    Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks and privilege escalation attacks.

  • A9 - Using Components with Known Vulnerabilities
    Components such as libraries, frameworks and other software modules run with the same privileges as the application. If a vulnerable component is exploited, such an attack can cause serious data loss or server takeover.
    Applications and APIs that use components with known vulnerabilities may undermine application defenses and enable various attacks with more serious impact.

  • A10 - Insufficient Logging & Monitoring
    Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to attack systems further, maintain persistence, pivot to more systems, and tamper with, extract or destroy data.
    Most breach studies show that the time to detect a breach is usually more than 200 days, and that breaches are typically detected by external parties rather than through internal processes.
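The A1 and A7 entries above describe the root cause in one sentence each; the following added example (not code from the original post) shows the vulnerable pattern next to its hardened form for both. It uses an in-memory SQLite table and a constructed `users` row; the login and comment-rendering functions are hypothetical names chosen for illustration. Passwords are stored in plaintext only to keep the example short; a real application stores a salted hash (see A2 and A3).

```python
import html
import sqlite3


def make_db():
    """Build a constructed in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


# A1, vulnerable: the untrusted strings are spliced into the SQL text,
# so the interpreter parses them as part of the query (OWASP's definition of injection).
def login_vulnerable(conn, name, password):
    sql = (
        f"SELECT COUNT(*) FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


# A1, hardened: parameters are bound by the driver and are never parsed as SQL.
def login_safe(conn, name, password):
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


# A7, vulnerable: user-supplied text lands in the page without escaping.
def render_comment_vulnerable(comment):
    return f'<p class="comment">{comment}</p>'


# A7, hardened: HTML-escape on output so markup in the comment is rendered as text.
def render_comment_safe(comment):
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def demo():
    """Run both variants against the same inputs and return the observed behaviour."""
    conn = make_db()
    # Constructed test input: a tautology that closes the string literal and
    # adds an always-true condition if it is parsed as SQL.
    tautology = "' OR '1'='1"
    markup = "<script>alert(1)</script>"  # constructed test input for A7
    return {
        # True means the password check was bypassed.
        "vulnerable_bypassed": login_vulnerable(conn, "alice", tautology),
        "safe_bypassed": login_safe(conn, "alice", tautology),
        "safe_correct_password": login_safe(conn, "alice", "correct-horse"),
        "vulnerable_html": render_comment_vulnerable(markup),
        "safe_html": render_comment_safe(markup),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to take from the comparison is that the hardened versions do not try to detect "bad" input; they change where the boundary between data and code is drawn, so the same input is handled as data regardless of its content.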
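The A10 entry notes that breaches go undetected for months because nobody looks at the logs. As an added example (not from the original post), the script below runs a small detection rule over a few constructed access-log lines in common log format: it flags any source IP with a burst of failed logins (HTTP 401 on `POST /login`) inside a sliding window, and then lists which of those IPs also obtained a successful login, which is the combination an analyst would want to see first. The IP addresses, timestamps, thresholds and function names are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (documentation IP ranges); not from any real system.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2020:10:00:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Mar/2020:10:00:02 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Mar/2020:10:00:04 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Mar/2020:10:00:05 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Mar/2020:10:00:07 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Mar/2020:10:00:09 +0000] "POST /login HTTP/1.1" 200 1024
198.51.100.23 - - [10/Mar/2020:10:00:03 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.23 - - [10/Mar/2020:10:00:30 +0000] "POST /login HTTP/1.1" 200 1024
192.0.2.9 - - [10/Mar/2020:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_login_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: max_failures_in_window} for IPs reaching the threshold.

    A failure is a 401 response to POST /login. The window slides over the
    sorted failure timestamps of each IP, so spread-out failures do not alert.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"] == "/login" and ev["status"] == 401:
            failures[ev["ip"]].append(ev["ts"])

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = best
    return alerts


def bursts_with_success(log_text, alerts):
    """Return the alerted IPs that also received a 200 from /login (sorted)."""
    hits = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["ip"] in alerts and ev["path"] == "/login" and ev["status"] == 200:
            hits.add(ev["ip"])
    return sorted(hits)


if __name__ == "__main__":
    found = find_login_bursts(SAMPLE_LOG)
    print("failed-login bursts:", found)
    print("bursts followed by a successful login:", bursts_with_success(SAMPLE_LOG, found))
```

The rule is deliberately simple; what makes it useful is that it runs continuously and feeds an incident-response process, which is the part A10 says is usually missing. In production the same logic would read from a log pipeline rather than a string, and the threshold and window would be tuned to the site's normal failure rate.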

Origin blog.csdn.net/qq_43141726/article/details/104638710