Sm0nk 2015/07/03 10:31

0x00 Overview


Shared at OWASP on 6.30: a vulnerability detection model for business security. This write-up is a further extension of that talk, written as an introductory reference.

0x01 Identity Authentication Security


1 Brute force cracking

Where there is no captcha, or the captcha can be reused, brute-force the password of a known user, or brute-force usernames with a common password. Simple captchas can themselves be brute-forced. URL: http://zone.wooyun.org/content/20839

Some tools and scripts

Burp Suite

htpwdScan, for credential stuffing and brute forcing. URL: https://github.com/lijiejie/htpwdScan

xHydra, which supports brute forcing against more protocols (it can attack web logins; other protocols fall outside the business security category)
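The two conditions the brute-force test above relies on are a missing attempt limit and a reusable captcha. The following is an added example (not code from the original article) of a login handler that closes both: each captcha is deleted on first use and checked before the password, and an account is locked after a fixed number of failures. The stores, the demo user, the limits and the injectable `now` clock are assumptions made for the example.

```python
import hmac
import secrets
import time

# Constructed in-memory stores for the example; a real service keeps these in a
# database or cache shared by all application nodes.
_captchas = {}        # captcha_id -> expected answer; an entry is deleted on first use
_failures = {}        # username -> (failure count, locked-until timestamp)
_users = {"alice": "correct horse battery staple"}   # constructed demo credential

MAX_FAILURES = 5      # wrong passwords allowed before a temporary lock
LOCK_SECONDS = 300    # lock duration once MAX_FAILURES is reached


def issue_captcha(answer):
    """Register a captcha challenge; the answer lives only on the server."""
    captcha_id = secrets.token_urlsafe(16)
    _captchas[captcha_id] = answer
    return captcha_id


def _consume_captcha(captcha_id, answer):
    """Remove the captcha on first use, so the same id/answer pair can never be replayed."""
    expected = _captchas.pop(captcha_id, None)
    return expected is not None and hmac.compare_digest(expected, answer)


def login(username, password, captcha_id, captcha_answer, now=None):
    """Return 'ok', 'bad_captcha', 'bad_credentials' or 'locked'.

    `now` is injectable so the lock timing can be tested deterministically."""
    now = time.time() if now is None else now
    count, lock_until = _failures.get(username, (0, 0.0))
    if now < lock_until:
        return "locked"
    if lock_until:                      # a previous lock has expired: count afresh
        count, lock_until = 0, 0.0
    # The captcha is consumed before the password is checked, whatever the outcome,
    # so every password guess costs the attacker a fresh captcha solve.
    if not _consume_captcha(captcha_id, captcha_answer):
        return "bad_captcha"
    stored = _users.get(username, "")
    if stored and hmac.compare_digest(stored, password):
        _failures.pop(username, None)   # success resets the counter
        return "ok"
    count += 1
    if count >= MAX_FAILURES:
        _failures[username] = (count, now + LOCK_SECONDS)
        return "locked"
    _failures[username] = (count, 0.0)
    return "bad_credentials"
```

Replaying a captured request with the same captcha id now yields `bad_captcha` rather than a password check, which is exactly what the reuse test in this section probes for.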

2 Session and cookie issues

Session fixation attack: exploits the server keeping the same session ID across authentication to obtain authentication and authorization and impersonate another user. Case: WooYun: Sina Guangdong Food back-end verification logic vulnerability, direct login to the back end, 566764 user records exposed!

Cookie spoofing: modifying a parameter in the cookie lets you log in as another user. Case: WooYun: Log in to any account of the Yiyun advertising platform
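Both issues in this item have the same server-side fix, shown here as an added example that is not part of the original article: the session ID is rotated at the moment of login, so a fixed pre-authentication ID stops working, and any value the server must trust from a cookie (such as a user ID) carries an HMAC so that editing it invalidates the cookie. The session store, the `SERVER_KEY` constant and the `uid=42` cookie value are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment loads it from configuration.
SERVER_KEY = b"constructed-demo-key-do-not-use"
_sessions = {}   # session_id -> {"user": username or None}


def new_session():
    """Pre-authentication session, e.g. created when the login page is first loaded."""
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"user": None}
    return sid


def login(sid, username):
    """Authenticate and rotate the session id. The id the browser arrived with
    (possibly planted by an attacker) is destroyed; only the new one is authenticated."""
    if sid not in _sessions:
        return None
    _sessions.pop(sid)
    new_sid = secrets.token_urlsafe(32)
    _sessions[new_sid] = {"user": username}
    return new_sid


def current_user(sid):
    s = _sessions.get(sid)
    return None if s is None else s["user"]


def sign_cookie(value):
    """Attach an HMAC to a cookie value such as 'uid=42'. Without it, changing the
    number in the cookie is all it takes to become another user."""
    tag = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(cookie):
    """Return the protected value if the tag matches, otherwise None."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(expected, tag) else None
```

A signed cookie still exposes the user ID in cleartext; it only stops tampering. Keeping the ID server side in the session record, as `_sessions` does, avoids putting it in the cookie at all.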

3 Weak encryption

HTTPS not in use: this is a functional test point and is not easy to exploit.

Front-end encryption, where the ciphertext is sent to the back end for verification, can usually be handled with Burp Decoder's Smart decode.

0x02 Business Consistency Security


1 Mobile phone number tampering

A) Capture the packet and try changing the mobile number parameter to another number. For example, on a query page, enter your own number, capture the request, change the mobile number parameter to someone else's number, and check whether you can query their service data.

2 Email address or username tampering

A) Capture the packet and change the user or mailbox parameter to another user or mailbox.

B) Case: WooYun: NSFOCUS RSAS security system, all versions: administrator permission bypass vulnerability, including the latest RSAS V5.0.13.2

3 Order ID tampering

A) Look up your own order ID, then modify the ID (add or subtract one) and check whether other orders' information can be viewed.

B) Case: WooYun: Guangzhilits can access any user's order

4 Product ID tampering

A) For example, in a points exchange, 100 points can only be exchanged for product number 001 and 1000 points only for product number 005. When exchanging 100 points, change the product number to 005, so that a high-points product is obtained for a low number of points.

B) Case: A Lenovo points mall payment vulnerability, bypassed again

5 User ID tampering

A) Capture the packet and look at the user ID, then change the ID (add or subtract 1) and check whether other users' information can be viewed.

B) Case: WooYun: Leakage risk of millions of resumes (including mobile number, email, job application and other information; resumes can be screened and interview notices sent while posing as a company, etc.)

0x03 Business Data Tampering


1 Amount tampering

A) Capture the packet and modify fields such as the amount: for example, capture the payment page request, change the commodity amount field to an arbitrary value, submit it, and check whether the business process completes with the modified amount.

B) Case: WooYun: 12308 order payment total price not verified (payment logic vulnerability)

2 Quantity tampering

A) Capture the packet and modify the quantity and similar fields: change the quantity in the request to an arbitrary value, such as a negative number, submit it, and check whether the business process completes with the modified quantity.

B) Case: WooYun: Azure payment logic vulnerability (negative payment allowed)

3 Maximum quantity limit breakthrough

A) Many commodities limit the quantity a single user may buy, but the server only limits the quantity through JavaScript on the page and does not verify it server side. Capture the packet and change the quantity in the request to a value above the maximum limit, then check whether the business process completes with the modified quantity.

4 Modifying local JS parameters

A) Part of the application handles user-submitted requests through JavaScript; modify the JavaScript and test whether the modified data affects the user.
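Every test in this section (and the points-exchange case in 0x02) succeeds because the server reads price, quantity or total from the request. The added example below, which is not code from the original article, shows the server-side counterpart: the total is recomputed from a catalogue, the quantity must be a positive integer within the server's own limit, the points cost is looked up by product ID, and a client-supplied total is compared against the recomputed one but never charged. The `CATALOGUE` contents, the `OrderError` type and the cent-based prices are assumptions constructed for the example.

```python
# Constructed catalogue: price, points cost and per-order limit live on the server.
CATALOGUE = {
    "001": {"price_cents": 1999, "points": 100, "max_per_order": 5},
    "005": {"price_cents": 9999, "points": 1000, "max_per_order": 2},
}


class OrderError(ValueError):
    pass


def _parse_quantity(raw, max_per_order):
    # Only a positive integer within the server-side limit is accepted; negative,
    # zero, float, string and oversized quantities are rejected here, not by page JS.
    if isinstance(raw, bool) or not isinstance(raw, int):
        raise OrderError("quantity must be an integer")
    if raw < 1:
        raise OrderError("quantity must be positive")
    if raw > max_per_order:
        raise OrderError("quantity exceeds the per-order limit")
    return raw


def price_order(items, client_total_cents=None):
    """items: list of {"product_id": str, "quantity": int} as sent by the client.
    The total is recomputed from the catalogue. A total sent by the client is at
    most compared against it, so a tampered amount fails instead of being charged."""
    total = 0
    for item in items:
        product = CATALOGUE.get(item.get("product_id"))
        if product is None:
            raise OrderError("unknown product")
        qty = _parse_quantity(item.get("quantity"), product["max_per_order"])
        total += product["price_cents"] * qty
    if client_total_cents is not None and client_total_cents != total:
        raise OrderError("client total does not match server total")
    return total


def redeem_points(user_points, product_id):
    """Points exchange: the cost comes from the product record selected by id, so
    changing 001 to 005 in the request changes the cost as well as the product."""
    product = CATALOGUE.get(product_id)
    if product is None:
        raise OrderError("unknown product")
    if user_points < product["points"]:
        raise OrderError("insufficient points")
    return user_points - product["points"]
```

Rejecting a mismatched client total, rather than silently recomputing it, also gives the server a clear signal to log: a legitimate front end never sends a total that disagrees with the catalogue.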

0x04 User Input Compliance


1 Injection test: please refer to http://wiki.wooyun.org/web:sql

2 XSS test: please refer to http://wiki.wooyun.org/web:xss

3 Fuzz

A) Use it more during functional testing: an excessively long or special string may cause denial of service or loss of functionality. (Of course, fuzzing is not only for that.)

B) Not quite the same situation, but the idea can be used for reference: WooYun: Fuzz testing in practice on a star website: arbitrary file upload vulnerability

C) Possible tool: SPIKE

4 Other application vulnerabilities that interact with user input

0x05 Password Retrieval Vulnerabilities


1 Strongly recommended: BMa's "Summary of Password Retrieval Logic Vulnerabilities"

http://drops.wooyun.org/web/5048

A) General process of a password retrieval logic test

I. First go through the normal password retrieval process, selecting each of the different retrieval methods, and record all packets

II. Analyse the packets to find the sensitive parts

III. Analyse the verification means used by the back-end retrieval mechanism

IV. Modify the packets to test assumptions about the validation

B) Mind map (please refer to BMa's summary of password retrieval logic vulnerabilities for details)

0x06 Verification Code Breakthrough


Verification codes are used not only for login and password retrieval but also when submitting sensitive data, so they are classified separately and explained in more detail.

1 Verification code brute force test

A) Brute-force a specific captcha with Burp

B) Case: WooYun: 88ally e-commerce platform: arbitrary user registration and arbitrary user password reset vulnerability

2 Verification code validity and reuse tests

A) Capture the packets carrying the verification code and submit them repeatedly. For example, in the complaints and suggestions area, enter the complaint content and the verification code parameter, capture the packet, submit it repeatedly, and check whether the complaint history shows the repeatedly submitted parameters.

B) Case:

3 Verification code client-side echo test

A) When the client interacts with the server to send a verification code, press F12 in Firefox to open Firebug; there you can see the details of the exchange between client and server, including whether the code itself is returned to the browser.

4 Verification code bypass test

A) When jumping from the first step to the second, capture the packet, tamper with or clear the verification code, and check whether this step's verification code can be bypassed.

B) Case: WooYun: Design defects in the information security management system of a China Telecom IDC room led to the system being compromised

5 Verification code JS bypass

A) The SMS verification code checking logic is defective: the first, second and third steps of the business process are all on the same page, and the first step's verification code is checked only by JavaScript.
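The five tests in this section, and the password retrieval process in 0x05, each target one property of a verification code's lifecycle. The added example below (not code from the original article) implements a code service that holds all of them at once: the code is random and only its hash is stored, it expires, it is discarded after a fixed number of wrong guesses, it is single use, it is returned only for out-of-band delivery and never in the HTTP response, and the later step (here a password reset) accepts only a server-minted token bound to the account and purpose, so clearing the code or jumping ahead in the page flow gets nowhere. The purposes, stores, TTL, attempt limit and the `now` parameter are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300        # seconds a code stays valid
MAX_ATTEMPTS = 5      # wrong guesses before the code is discarded (6 digits = 10^6 space)
_pending = {}         # (purpose, account) -> {"hash", "expires", "attempts"}
_step_tokens = {}     # opaque token -> (purpose, account); minted only by verify_code


def _hash(code):
    return hashlib.sha256(code.encode()).hexdigest()


def send_code(purpose, account, now=None):
    """Create a 6-digit code for one purpose and account, keep only its hash, and
    return the code for delivery over SMS or email. The HTTP response to the browser
    must not carry it; the client-side echo test above looks for exactly that."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"
    _pending[(purpose, account)] = {"hash": _hash(code), "expires": now + CODE_TTL, "attempts": 0}
    return code


def verify_code(purpose, account, submitted, now=None):
    """Return a step token on success, None otherwise. The code is single use,
    expires after CODE_TTL and is discarded after MAX_ATTEMPTS wrong guesses."""
    now = time.time() if now is None else now
    key = (purpose, account)
    rec = _pending.get(key)
    if rec is None or now > rec["expires"]:
        _pending.pop(key, None)
        return None
    rec["attempts"] += 1
    if not hmac.compare_digest(rec["hash"], _hash(str(submitted))):
        if rec["attempts"] >= MAX_ATTEMPTS:
            _pending.pop(key, None)
        return None
    _pending.pop(key)                       # single use: a replayed code fails
    token = secrets.token_urlsafe(32)
    _step_tokens[token] = key
    return token


def reset_password(account, step_token, new_password):
    """Final step of password retrieval: accepted only with a token that verify_code
    minted for ('password_reset', account). The token is consumed here as well."""
    if _step_tokens.pop(step_token, None) != ("password_reset", account):
        return False
    # Constructed placeholder: a real service would hash new_password and store it.
    return True
```

Binding the step token to both account and purpose matters: a token obtained from a login code, or from a reset flow for another account, cannot be replayed into this account's reset.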

0x07 Business Authorization Security


1 Unauthorized access

A) Unauthorized access means a user can directly reach pages or data that should require authentication, without authenticating or being authorized. Log in to the front end or back end of a website, then copy the relevant page links into another browser or onto another computer and see whether they can be opened there.

2 Overreach (privilege escalation)

Overreach vulnerabilities arise because the developer overtrusts the data sent by the client when adding, deleting, modifying and querying data, and omits the permission check.

A) Vertical overreach (a user with lower permissions can access the functions of users with higher permissions)

B) Horizontal overreach (different users with the same permission level can access each other's data)

C) My way of overreach testing, URL: http://drops.wooyun.org/tips/727
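The ID tampering tests of 0x02 (order ID, user ID) and the horizontal and vertical overreach of this section are all the same missing check on the server. The following added example, which is not code from the original article, shows that check in three request handlers: the acting user is taken from the authenticated session rather than from the request, object reads and writes compare the record's owner with that user, and an admin-only action reads the role from the server-side user record. The `USERS` and `ORDERS` data, the `Forbidden` type and the handler names are assumptions constructed for the example.

```python
class Forbidden(PermissionError):
    pass


# Constructed records; in production these come from the database. `actor` is always
# the user from the verified session, never a user id taken from the URL or body.
USERS = {
    "alice": {"role": "user", "email": "alice@example.invalid"},
    "bob": {"role": "user", "email": "bob@example.invalid"},
    "root": {"role": "admin", "email": "root@example.invalid"},
}
ORDERS = {
    1001: {"owner": "alice", "total_cents": 5000},
    1002: {"owner": "bob", "total_cents": 7500},
}


def _role(actor):
    return USERS[actor]["role"]


def get_order(actor, order_id):
    """Horizontal check: an order is visible to its owner or to an admin. Unknown ids
    and other users' ids get the same answer, so incrementing the order id reveals
    neither data nor which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or (order["owner"] != actor and _role(actor) != "admin"):
        raise Forbidden("order not accessible")
    return order


def update_email(actor, target_user, new_email):
    """Horizontal check on a write: the user named in the request must be the
    session user unless the actor is an admin."""
    if target_user not in USERS:
        raise Forbidden("user not accessible")
    if target_user != actor and _role(actor) != "admin":
        raise Forbidden("user not accessible")
    USERS[target_user]["email"] = new_email
    return USERS[target_user]["email"]


def delete_user(actor, target_user):
    """Vertical check: the role is read from the server-side record of the actor,
    not from a role field, cookie flag or hidden form value sent by the client."""
    if _role(actor) != "admin":
        raise Forbidden("admin only")
    return USERS.pop(target_user, None) is not None
```

Returning the same `Forbidden` for "not found" and "not yours" is deliberate: the enumeration test in 0x02 otherwise learns which IDs exist from the difference in responses.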

0x08 Business Process Order Defects


1 Sequential execution defects

A) Part of a website's logic may go through process A first, then B, then C and finally D.

B) Users control every request they send to the application and can therefore access the steps in any order. The user goes directly from B to D, bypassing C. If C is the payment step, the user has bypassed payment and bought the item; if C is the validation step, validation is bypassed and the user enters the application directly.

C) Case:

WooYun: A logic error in a Wanda branch site allows bypassing payment and obtaining the ticket collection password directly

http://wooyun.org/bugs/wooyun-2010-0108184
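The B-to-D jump works when step D only checks that the client says it came from C. The added example below (not code from the original article or the case above) records step completion on the server and accepts a request for a step only when the step immediately before it is the last one completed, so skipping payment and replaying an already completed step are both refused regardless of request order. The step names, the order store, the `payment_confirmed` flag standing in for a gateway callback, and the ticket code format are assumptions constructed for the example.

```python
# Constructed example: a ticket purchase goes through A -> B -> C -> D and the
# server records which step each order has actually completed.
STEPS = ["cart", "address", "payment", "ticket"]


class FlowError(RuntimeError):
    pass


_orders = {}   # order_id -> {"completed": index of the last completed step, "paid": bool}


def create_order(order_id):
    _orders[order_id] = {"completed": 0, "paid": False}   # step A ("cart") done at creation


def advance(order_id, step, payment_confirmed=False):
    """Handle a request for `step`. It is accepted only when the step right before it
    is the last one completed, so B -> D (skipping payment) and replays of an already
    completed step are both rejected, whatever order the client sends requests in."""
    order = _orders.get(order_id)
    if order is None:
        raise FlowError("unknown order")
    if step not in STEPS:
        raise FlowError(f"unknown step {step!r}")
    idx = STEPS.index(step)
    if idx != order["completed"] + 1:
        raise FlowError(f"{step!r} requested but {STEPS[order['completed']]!r} is the last completed step")
    if step == "payment":
        # payment_confirmed stands in for a server-to-server gateway notification;
        # a flag inside the client's own request would be just another tamperable field.
        if not payment_confirmed:
            raise FlowError("payment not confirmed by the gateway")
        order["paid"] = True
    if step == "ticket" and not order["paid"]:
        raise FlowError("ticket requested without payment")   # defence in depth
    order["completed"] = idx
    return step


def ticket_code(order_id):
    """The collection code exists only once the final step has been reached."""
    order = _orders.get(order_id)
    if order is None or order["completed"] != len(STEPS) - 1:
        return None
    return f"TICKET-{order_id}"   # constructed placeholder for the real collection code
```

The state lives in `_orders`, keyed by order; nothing about progress is carried in the requests themselves, which is what makes the ordering enforceable.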

0x09 Business Interface Invocation Security


1 Replay attack

Perform invocation (replay) tests on the business links that send SMS or email or generate business data (SMS verification codes, email verification codes, order creation, comment submission, etc.). If a valid business result or data record is produced every time the call is replayed, the consequences include:

A) Malicious registration

B) SMS bomb

During testing we found that many financial trading platforms only controlled the SMS send button through a JavaScript timer on the front end, while the back end imposed no restriction on sending, so replaying the packet produced large volumes of malicious SMS.

Case study: WooYun: One Acre trading network logic vulnerability (barrel principle)

2 Content editing

Similar cases are as follows:

Click "Get SMS verification code" and capture the packet, as shown in the figure below. Analysing the packet shows that the content of sendData/insrotxt is controlled by the client and can be modified to whatever the attacker wants to send.

Change the content to "Congratulations, you have won an iPhone 6 provided by XX Bank; please log in at http://www.xxx.com to claim it, verification code 236694" and send the packet; the mobile phone receives the modified SMS content, as shown below:
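Both findings in this section come from the SMS endpoint trusting the client: the front-end timer is the only send limit, and the message body arrives in the request. The added example below (not code from the original article) moves both to the server: a cooldown and sliding-window caps per phone number and per client address, and message bodies chosen from fixed templates by ID so there is no free-text field to edit. The limits, the template table and the sample phone numbers are assumptions constructed for the example.

```python
import time
from collections import defaultdict, deque

WINDOW = 3600              # sliding window in seconds
PER_PHONE_PER_WINDOW = 5   # sends to one number per window
PER_IP_PER_WINDOW = 20     # sends requested from one client address per window
MIN_INTERVAL = 60          # cooldown between two sends to the same number

# Message bodies are fixed templates chosen by id; the client never supplies text,
# so there is no sendData/insrotxt-style field whose content can be rewritten.
TEMPLATES = {
    "login_code": "Your verification code is {code}. It expires in 5 minutes.",
}

_sent = defaultdict(deque)   # ("phone", number) / ("ip", address) -> send timestamps


def _prune(q, now):
    """Drop timestamps that have left the sliding window."""
    while q and now - q[0] >= WINDOW:
        q.popleft()


def request_sms(phone, client_ip, template_id, code, now=None):
    """Return the message text to hand to the SMS gateway, or None if the request is
    refused. The cooldown lives here, not in a JavaScript timer on the button."""
    now = time.time() if now is None else now
    template = TEMPLATES.get(template_id)
    if template is None:
        return None
    phone_q, ip_q = _sent[("phone", phone)], _sent[("ip", client_ip)]
    _prune(phone_q, now)
    _prune(ip_q, now)
    if phone_q and now - phone_q[-1] < MIN_INTERVAL:
        return None
    if len(phone_q) >= PER_PHONE_PER_WINDOW or len(ip_q) >= PER_IP_PER_WINDOW:
        return None
    phone_q.append(now)
    ip_q.append(now)
    return template.format(code=code)
```

The per-address cap is what catches the bomb variant in which each replay targets a different victim number; the per-number cap alone would not. In a real deployment the counters live in a shared store such as Redis so that all application nodes see the same history.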

0x10 Time Limit Bypass Test


Most cases occur within the validity range of verification codes and business data. In the previous summary 12306 was also treated as a typical case, so it is classified separately.

1 Refresh interval defects

The 12306.cn ticket service refreshes the ticket query every 5 s, but this interval is set locally. The variable holding it can be reset to 1 s or less in the browser console, which dramatically shortens the refresh interval (mainly by changing the local autoSearchTime parameter). Case study:

WooYun: 12306 automatic ticket-grabbing interval can be modified vulnerability

2 Time range test

For services with time limits, modify the limit. For example, if a service can be queried only within a time window, modify the request containing the plaintext time field and submit it, then check whether the business process bypasses the time limit. For example, the month range for received records in a mobile carrier's service can be changed to exceed the default limit of six months.
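Both tests in this section pass when the time limit exists only in the page. The added example below (not code from the original article) enforces the two limits on the server: a record query is accepted only if its date range lies within the last six calendar months ending today, and a ticket query is accepted only if the session's previous query is at least the configured interval old, whatever the page's own timer says. The six-month and five-second values mirror the text above; the ISO date strings, the session store and the function names are assumptions constructed for the example.

```python
from datetime import date

MAX_MONTHS = 6             # the server returns at most this many calendar months of history
MIN_QUERY_INTERVAL = 5.0   # seconds between two ticket queries from one session
_last_query = {}           # session_id -> timestamp of the last accepted query


def _month_index(d):
    """Count months since year 0 so month arithmetic needs no day juggling."""
    return d.year * 12 + (d.month - 1)


def validate_record_range(start_iso, end_iso, today_iso):
    """Accept a (start, end) range from the request only if it lies inside the last
    MAX_MONTHS calendar months ending today. The limit is enforced here, not by the
    month picker on the page. Returns the range as ISO strings, raises otherwise."""
    start, end, today = (date.fromisoformat(s) for s in (start_iso, end_iso, today_iso))
    if start > end:
        raise ValueError("start is after end")
    if end > today:
        raise ValueError("end is in the future")
    earliest_month = _month_index(today) - MAX_MONTHS
    if _month_index(start) < earliest_month:
        raise ValueError(f"records older than {MAX_MONTHS} months are not available")
    return start.isoformat(), end.isoformat()


def ticket_query_allowed(session_id, now):
    """The refresh interval is enforced per session on the server; a shortened
    autoSearchTime in the browser only produces refused queries."""
    last = _last_query.get(session_id)
    if last is not None and now - last < MIN_QUERY_INTERVAL:
        return False
    _last_query[session_id] = now
    return True
```

Rejecting an out-of-range query, rather than silently clamping it, keeps the behaviour visible to the user and leaves a log entry that distinguishes tampering from normal use.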

0x11 References


@eversec

Summary of application logic errors: http://drops.wooyun.org/papers/1418

Possible problems in password recovery functions: http://drops.wooyun.org/papers/287

Possible problems in password recovery functions (supplement): http://drops.wooyun.org/web/3295

Summary of password recovery logic vulnerabilities: http://drops.wooyun.org/web/5048

Three common types of payment vulnerability and hardening plans: http://zone.wooyun.org/content/878

Summary of online payment logic vulnerabilities: http://drops.wooyun.org/papers/345

Common security vulnerabilities and defences of financial industry platforms: http://www.freebuf.com/news/special/61082.html

My way of overreach testing: http://drops.wooyun.org/tips/727

Security popular science: understanding web application security vulnerabilities through video (IBM internal video required): http://www.freebuf.com/vuls/63426.html