- 以下均从安全攻防角度分析,实际情况可能相对更复杂,具体情况具体分析.
- the following is only analyzed from the perspective of security attack and defense. The actual situation may be more complex, and the specific situation is analyzed on a case-by-case basis.
WEB Security
Knowledge Required
- Database CRUD
- INSERT,DELETE,UPDATE,SELECT
SQL Injectioin
- Union Injection
- union select *(all column name) from admin(table name) where id(field) = 1;
- Error Injection
- error
- Time-Based Blind SQL Injection
- sleep(),benchmark()
- Stacked Injeciton
- ;多语句执行(与union不同是可执行不同类型语句)
Vulnerability Cause
- 攻击发生在不可信的数据作为命令或者查询语句的一部分,发送给解释器.攻击者发送的恶意数据可以欺骗解释器,以执行计划外的命令或者在未被恰当授权时访问数据.
Protective Measures
- 使用安全的API,提供参数化的API.
- escape类过滤避免特殊字符.
- 黑/白名单机制.
XSS
- 反射型
- 前端javasecript执行,不需要后端交互
- 存储型
- 存储到数据库
- DOM型
- 涉及浏览器端的JavaScript和HTML,客户端脚本,未经过服务器处理.
SOP(Same Origin Policy)
- 同源策略目的是为了保证用户信息的安全,防止恶意的网站窃取数据.
- 跨域资源共享(CORS)是一种机制,允许从该资源起源域之外的另一个领域要求的许多资源(例如字体,JavaScript等)在网页上。
- 同源政策规定,AJAX请求只能发给同源的网址,否则就报错.通过JSONP,WebSocket,CORS可以规避这个限制.
CSP(Content Security Policy)
- CSP is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.
OAuth
- OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 supersedes the work done on the original OAuth protocol created in 2006. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.
CSRF
- referer
- token
- verification
SSRF
- SSRF (Server-side Request Forge) 服务端请求伪造,是一种由攻击者构造形成由服务器端发起请求的一个漏洞。一般情况下,SSRF 攻击的目标是从外网无法访问的内部系统。
- file/gopher/dict/ftp/tftp
Command Execution
- Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application.
Deserialization
- The process of converting application data to another format (usually binary) suitable for transportation is called serialization.The process of reading data back in after it has been serialized is called unserialization.
- Vulnerabilities arise when developers write code that accepts serialized data from users and attempt to unserialize it for use in the program.
File Upload
- 文件上传漏洞
Logical Vulnerability
Pay vulnerability
- Order
- Choose Products Price/products Amount /商品为1或0,竞争购买或能否成功/订单金额
- Balance
- 优惠打折/订单金额/支付方式/虚假订单
- pay
- 伪造第三方确认/付款信息窃取
- Refund
- 绕过客户确认
- race conditions
reset the password
- 重置方式
- 手机验证码
- 邮箱
- 密保
- 自动生成
- 找回链接
- 可能产生非预期逻辑
- 认证凭证暴力破解
- 认证凭证回显
- 认证凭证重复使用
- 重新绑定
- 用户身份特性认证
- 服务器认证
- 密码找回流程
Arbitrary login vulnerability
- null cipher
- 身份替换
- 认证凭证篡改
authentication defects(弱认证、认证凭据获取)
- 弱验证
- 空验证
- 认证凭证有效性&唯一性
Interface enumeration
- 业务接口没有做验证或机制缺陷,枚举
- 撞库
- 订单、优惠券等遍历
Unauthorized leaks(有条件越权:空值)
- 普通越权
- 未授权访问(登陆凭证验证)
- 绕过授权模式(参数构造)
information gathering
- target scope
- ip
- port
- services
- web application
- personnel
WEB Application Type
- PHP
- Thinkphp
- Yii
- Laravel
- CI
- JAVA
- Struts2
- Spring
- PYTHON
- Django
- Flask
- Tornado
- GO
- beego
- Martini
- gin
- revel
- web middleware
- Tomcat
- Nginx
- Apache
Penetration Testing
Intranet Pentest
管理组
域环境
Post penetration test
backdoor
- socks proxy
- frp
- ssh tunnel
- dns tunnel
- certification
- password
Rootkit
Bootkit
Android/IOS mobile security
knowledge required
- java
- smali
- ARM
- C/C++
- katlin
- python
Android
Kernel Security
Framework Security
Application Security
AOSP
android System Security
IOS
Penetrarion Pentesting Tool
- Vulnerability Scan
- Nusses
- Acunetix Web Vulnerability Scanner(简称AWVS)
- APPScan
- Capture
- Burpsuite
- Fildder
- Wireshark
- Charles
- Brower plug-in
- no-scriptge
- Proxy
- User-Agent
- Code review
- Fortity
- layer
- RIPS
Code Review
PHP
Tools AND Method
- RIPS
关键点
- echo\print\printf\vprrint<%=test%>
- $_SERVER$GET$POST$_COOKIE$REQUEST$_FILE$ENV$HTTP*
- system\exec\passthru\shell_exec\ppen\proc_open\pcentl_exec
- include\include_once\require\require_onec\show_source\highlight_file\readfile\file_get_contents\fopen\file_get_contents\fopen\file\
- eval\preg_replace+/e\assert\call_user_func\call_user_func_array\create_function
- insert\delete\update\select
- copy\rmdir\unlink\delete\fwrite\chmod\fgetc\fgetcsv\fgets\getss\file\file_get_contens\fread\readfile\ftruncate\function_put_contents\fputcsv\fputs\move_upload_file
- parse_str\mb_parse_str\import_request_variables
- cookie\session\Dynamic Function\encode\encryption and decryption\ random function\confirm_phpdoc_compiled\mssql_pconnect/mssql_connect
JAVA
Tools AND Method
Security Construction
classified protection
-
Network Security Risk Assessment
-
Enterprise Network Security Construction
-
Binary Security
Knowledge Required
- Operating system/计算机网络/Computer Composition/Data structures and Algorithms
/ - CPU/Compiler/Memory
- Stack overflow
- Heap overflow
- Uninitialized
- UAF
- Race Condition
exploit
- ROP
- heap spray
- Heap fengshui
- Exploit mmap chunk
- RET2
shellcode
Mitigation Measures
- Windows
- CFG/DEP/Mandatory ASLR/Bottom-Up ASLR/SEHOP/Validate heap integrity/ACG
- Control flow guard (CFG)
- Data Execution Prevention (DEP)
- Force randomization for images (Mandatory ASLR)
- Randomize memory allocations (Bottom-Up ASLR)
- Validate heap integrity
- Arbitrary code guard (ACG)
- CFG/DEP/Mandatory ASLR/Bottom-Up ASLR/SEHOP/Validate heap integrity/ACG
- Linux
- NX/PIE/Fortify
- OSX
- SIP
- Android
- SELinux
- IOS
Reverce Engineering
- X86
- X64
- LOT
Knowledge Required
- CPU\Compiler\Memory\Algorithms\Data Structures
Debug AND AntiDebug
Compile Decompilation
各大编译器
Crawler AND AntiCrawler
Game security
- Script
- Quick Macro
- Memory
- DLL Injection
- Packet
- Protocol Analysis
黑灰色产业
DOOS
Social Engineering
While wool
Card
Personal Information
Traffic Cheat
- Tools
- 流量精灵/流量宝
SEO/SEM
Black
- Black Link
- Snapshoot Hijack
- Station Group
- SpiderWhite
- optimum
- biddingGrey
- Shell
- site group
