Author: Yun Muqing

Source: Hang Seng LIGHT Cloud Community

Preface

This article lays out a learning route with a clear focus, so that you can get to hands-on practice quickly; I believe anyone who wants to learn can work through it without difficulty. It is packed with practical material, so bookmark it (⭐) before you read. The basics covered here let newcomers quickly get a feel for how penetration testing is done and take fewer detours, and let those who are already learning find and fill their gaps. Corrections from experienced readers in the comments are welcome.


First, the mind map

Security testing in fact requires a very wide range of knowledge, but following this tutorial and focusing on the essentials will quickly give you a clear picture of how to start testing; afterwards you can research each of these fields in depth on your own.

First we need to understand what a penetration test is.

We know that functional and logic testing come in two kinds, black-box and white-box. In the former the program cannot be opened and is treated as a black box: its internal structure and characteristics are ignored entirely, testing is done at the program's interfaces, and mainly the functions the program presents to the user are exercised. The latter examines the logical structure inside the software and covers its logical paths, and is mainly used to find errors made during coding.

In software security testing, penetration testing is the counterpart of black-box testing: it checks whether the software has security holes by simulating an attacker. Code auditing is the counterpart of white-box testing and checks the source code for security defects. Ensuring the security and quality of software has to run through the whole development cycle, and once you enter the security industry you will find many other mechanisms for this, but they are outside the scope of this discussion; for now we only need to know that penetration testing is just the final security and quality acceptance stage.

Software comes in many forms: PC desktop software, mobile apps, and Web software used through a browser. This article is about testing Web software.

This article is divided into four parts: basic knowledge, tool use, basic vulnerabilities and practice. They can be studied in this order or dipped into flexibly. I recommend that once you have mastered the basics you start using a testing tool, then learn one vulnerability and immediately try it out.

Finally, the proficiency levels used in this article, from highest to lowest: Master > In-depth understanding > Understanding. Let's get started!

1. Basic Knowledge

The knowledge needed for Web penetration testing is divided into areas to focus on and areas you only need to know a little about. You can always go deeper; each of them could be an undergraduate course on its own.

1.1 Information Security (Understanding)

Learning information security cultivates security awareness and the mindset of a penetration tester. There must, of course, be a standard: you need to know what is secure and what is not, and since the evaluation criteria for some vulnerabilities are not fixed, complex situations call for your own judgement.

Courses on this are relatively few; you can look on MOOC platforms, typically for an “Introduction to Information Security” course:

www.icourse163.org/search.htm?…

This course can be a low priority in the study plan: it is introductory and broadens your horizons rather than having much practical effect. Learn about the elements of information security, attack processes, access control models, other information security models, and industry standards.

1.2 Cryptography (In-depth understanding)

This is also part of information security, but it is often taken out and treated separately.

Cryptography helps us understand the encryption and transmission of passwords in SSL, HTTPS, and Web applications.

The contents to master are:

Definition of hash algorithms; brute-force cracking of hashes, dictionary cracking and rainbow tables.

Symmetric encryption and asymmetric encryption

We do not need to master the specific algorithms, but we should understand the encryption process, the advantages and disadvantages of each kind of encryption, its application scenarios, and so on.

Besides looking for a systematic course, I recommend a popular-science video series to help you understand quickly. Its topics:

Security risks in information transmission

Symmetric encryption/asymmetric encryption/mixed encryption

Hash function/message authentication code/replay attack

Digital signature/denial prevention/man-in-the-middle attack

Digital certificate/certificate chain with CA/HTTPS
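The hash item above (dictionary cracking and rainbow tables) is easiest to understand by seeing why an unsalted hash falls to a lookup and a salted, slow hash does not. This is an added example, not code from the original article; the dictionary and passwords are constructed, and the salted scheme shown is PBKDF2-HMAC-SHA256 as a representative choice.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed mini "dictionary" of candidate passwords (a real wordlist has millions).
DICTIONARY = ["123456", "password", "qwerty", "letmein", "admin123"]
ITERATIONS = 100_000


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table(words) -> dict:
    """Precompute hash -> plaintext for every word. A rainbow table is a compressed form of
    this idea (hash chains instead of a flat map), but the attack step is the same lookup."""
    return {md5_hex(w.encode()): w for w in words}


def lookup(stored_hash: str, table: dict) -> Optional[str]:
    """An unsalted hash falls to a single dictionary lookup; no brute force is needed."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Defensive storage: a random per-user salt plus PBKDF2 makes any precomputed table
    useless (a table would have to be built per user) and makes each guess cost ITERATIONS
    hash operations. Stored form: '<salt hex>$<derived key hex>'."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_salted(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


if __name__ == "__main__":
    table = build_lookup_table(DICTIONARY)
    print("unsalted md5 of 'letmein' recovered:", lookup(md5_hex(b"letmein"), table))
    s1, s2 = salted_hash("123456"), salted_hash("123456")
    print("same password, different stored values:", s1 != s2)
    print("verify correct password:", verify_salted("123456", s1))
```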

1.3 Computer Network

Computer networking is undoubtedly the most important foundation for Web penetration testing: capturing packets, scanning a host for other open service ports and so on are all based on the network. “Computer Networking: A Top-Down Approach” peels the onion layer by layer, explaining how the networks we use today are encapsulated, and covers blocking mechanisms as well as the usual interview questions such as the TCP handshake.

1.3.1 Layered Model (Understanding)

Understand the five-layer TCP/IP model and the seven-layer OSI model, and which protocols are commonly used at which layer, bearing in mind that these layers are not an arbitrary theoretical hierarchy but reflect real encapsulation relationships.

1.3.2 IP and TCP protocol (Master)

Understand LAN and public IP addresses, TCP sockets, router NAT forwarding, and so on in depth. Once proficient you should recognise LAN IP ranges and be familiar with common service ports.

Mainly understand the IPv4 mechanisms, which give theoretical support for problems we meet day to day. For example, we can certainly reach the test environment, but if we suspect a vulnerability and want to make the server connect back to our own machine to prove it exists, then if the server is on the public network and you are inside a LAN, the connection will fail.

Recommended videos:

What is the IP address? What is the difference between IPV6 and IPV4? What are public IP and private IP?

By the way, you can also learn about DNS; DNSLog will be useful later.

[Hardware popular science] QQ works but web pages won't open? DNS service, DNS resolution, DNS hijacking and pollution explained

1.3.3 HTTP Protocol (Master)

Understand the HTTP message format, the functions of the common headers, and the common status codes. Master the HTTP methods (GET, POST, OPTIONS, TRACE, PUT, DELETE, etc.) and their parameter formats and encodings.

zhuanlan.zhihu.com/p/70949908

www.cnblogs.com/an-wen/p/11…
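A concrete way to learn the message format is to parse a raw request into its parts: request line, headers, query string, URL-encoded or JSON body, and cookies. This is an added example, not code from the original article; the request below is constructed (the hostname, session cookie and form values are made up).

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed raw request, the kind Burp's Proxy shows for a login form submission.
RAW_REQUEST = (
    b"POST /login?lang=zh&debug=1 HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Cookie: PHPSESSID=abc123; security=low\r\n"
    b"Content-Length: 34\r\n"
    b"\r\n"
    b"username=admin&password=p%40ss%26w"
)


def _flatten(qs: str) -> dict:
    """Decode application/x-www-form-urlencoded data; the last value wins for repeated keys."""
    return {k: v[-1] for k, v in parse_qs(qs, keep_blank_values=True).items()}


def parse_request(raw: bytes) -> dict:
    head, _, body = raw.partition(b"\r\n\r\n")          # a blank line ends the header block
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)     # request line: METHOD target HTTP/x.y
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()    # header names are case-insensitive
    body = body[: int(headers.get("content-length", "0"))]
    url = urlsplit(target)
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        form = _flatten(body.decode("utf-8"))            # %40 -> @, %26 -> & after splitting on &
    elif ctype.startswith("application/json"):
        form = json.loads(body) if body else {}
    else:
        form = {}
    cookies = dict(c.strip().split("=", 1) for c in headers.get("cookie", "").split(";") if "=" in c)
    return {"method": method, "path": url.path, "version": version, "headers": headers,
            "query": _flatten(url.query), "form": form, "cookies": cookies}


if __name__ == "__main__":
    req = parse_request(RAW_REQUEST)
    print(req["method"], req["path"], req["query"], req["form"], req["cookies"])
```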

1.3.4 SSL and HTTPS (In-depth Understanding)

When we find sensitive information transmitted in plain text, we require front-end encryption or HTTPS as the fix, so we need to understand why HTTPS is considered secure. Once we get into practice later, come back and think: why do we need to import the tool's certificate into the browser? Why can we still capture packets and see plaintext when the server uses HTTPS?

Understand the relationship between SSL and HTTPS. Put simply, HTTPS = HTTP + SSL, but SSL can also be used to encrypt other communications. Work out which layer SSL sits at in the layered network model, and the order in which data is encapsulated across HTTPS, HTTP, TCP and SSL.

Reference: [Hardcore] HTTPS principles fully explained

1.4 Web Front End (In-depth understanding)

Mainly learn some HTML and JavaScript in order to test for XSS vulnerabilities; CSS styling is rarely involved.

HTML is HyperText Markup Language; just understand that it consists of tags and attributes that the browser renders into text with simple styles. You don't need to memorise which tags exist.

JavaScript is the scripting language of the web page and controls its behaviour. It is a dynamic programming language, flexible and powerful; the script in a cross-site scripting attack is JavaScript. We learn JavaScript not to write front ends but to test whether a page is vulnerable, so the focus is on the ways JS code can be triggered, that is, the many different ways of getting JS to run. We usually use the alert function to prove that JS was triggered.

Common trigger points: script tags, event attributes on any tag, the src attribute of some tags, and data placed in href attributes.

Modern JavaScript Tutorials
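The defensive counterpart of the trigger points listed above is output encoding in the right context. This added example (not code from the original article) renders a user comment two ways: a raw template that leaves every trigger point open, and a hardened one that entity-escapes text and attribute values and allowlists the href scheme; it assumes "data in href attributes" means javascript:-style URLs, and the inputs use the alert() probe the article mentions.

```python
import html
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_href(user_url: str) -> str:
    """Return the URL if its scheme is allowed, otherwise a harmless '#'.
    Browsers strip surrounding whitespace, drop ASCII tab/newline characters before reading
    the scheme, and compare it case-insensitively, so the check normalises the same way;
    otherwise '  JaVaScRiPt:' or 'java\\tscript:' would slip past a naive startswith() test."""
    cleaned = "".join(ch for ch in user_url.strip() if ord(ch) > 0x1F)
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme == "":                  # relative URL such as /profile?id=1
        return cleaned
    return cleaned if scheme in SAFE_SCHEMES else "#"


def render_comment_vulnerable(author: str, link: str, text: str) -> str:
    """What a page without output encoding does: every trigger point is open."""
    return f'<p class="comment"><a href="{link}">{author}</a>: {text}</p>'


def render_comment(author: str, link: str, text: str) -> str:
    """Same markup with each user-controlled value encoded for the context it lands in:
    entity-escape text and attribute values, and pass the href through the scheme allowlist."""
    return '<p class="comment"><a href="{}">{}</a>: {}</p>'.format(
        html.escape(safe_href(link), quote=True),
        html.escape(author, quote=True),
        html.escape(text, quote=True),
    )


if __name__ == "__main__":
    # Constructed inputs: a javascript: link and a script tag in the comment text.
    print(render_comment_vulnerable("bob", "javascript:alert(1)", "<script>alert(1)</script>"))
    print(render_comment("bob", "javascript:alert(1)", "<script>alert(1)</script>"))
```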

1.5 Browser Mechanism (Master)

Be familiar with the browser's same-origin policy and Web identity authentication.

The same-origin policy and cookies together form the foundation of Web identity authentication.

Same-origin policy of the browser

If you understand cookies, you won't have to worry about the front-end interview
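The origin comparison the browser makes, the server-side CORS decision that must not undo it, and the cookie attributes a session cookie needs (the "Cookie HttpOnly not set" item in the vulnerability list later) are all small checks worth writing out. This is an added example, not code from the original article; the hostnames and cookie values are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str):
    """The (scheme, host, port) triple a browser compares under the same-origin policy.
    Path, query and fragment do not matter; the default port is filled in so that
    http://a.example and http://a.example:80 are the same origin."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (u.hostname or "").lower(), port)


def same_origin(a: str, b: str) -> bool:
    return origin_of(a) == origin_of(b)


def cors_allow_origin(request_origin: str, allowlist: set):
    """Server-side choice of Access-Control-Allow-Origin for a cookie-authenticated API.
    Only an exact allowlist match is echoed back; reflecting whatever Origin the request
    sent (a common mistake) would let any site read responses carrying the victim's cookies."""
    return request_origin if request_origin in allowlist else None


def cookie_flag_findings(set_cookie: str) -> list:
    """Report the protections a session cookie's Set-Cookie header is missing."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {}
    for p in parts[1:]:                       # parts[0] is name=value
        name, _, value = p.partition("=")
        attrs[name.lower()] = value.lower()
    findings = []
    if "httponly" not in attrs:
        findings.append("HttpOnly not set: JavaScript (e.g. an XSS payload) can read the cookie")
    if "secure" not in attrs:
        findings.append("Secure not set: cookie is also sent over plain HTTP")
    if attrs.get("samesite") not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cross-site requests carry the cookie (CSRF)")
    return findings


if __name__ == "__main__":
    print(same_origin("http://a.example", "http://a.example:80/path?q=1"))   # True
    print(same_origin("https://a.example", "http://a.example"))               # False: scheme differs
    print(cookie_flag_findings("PHPSESSID=abc123; Path=/"))
```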

1.6 SQL

Basic syntax is required. The mainstream databases are MySQL and Oracle, whose syntax differs slightly.

I recommend learning MySQL first and reading a book: “MySQL Must Know Must Know” (the Chinese edition of Ben Forta's MySQL Crash Course), a very thin book that can be finished quickly.

As for Oracle, a few lessons on string concatenation, the equivalent of the sleep function, and so on should be enough to cope with SQL injection.

1.7 Linux Shell

If you reach a point where a command is executed, learn about the one-line reverse shell and backquote command substitution, where a command inside backquotes is replaced by the result of its execution when the string is printed. It is best to first confirm with an nmap scan that the target is a Linux machine.

If you want to learn the Linux command line or operations work, a recommended tutorial:

[Crazy God Talks Java] Linux, the easiest-to-understand tutorial, learning in a real Alibaba Cloud environment

1.8 Industry Terms

White hat: usually refers to the good side, the people who find vulnerabilities so that they get fixed.

Payload: the effective attack code.

PoC: a proof-of-concept program that can be run to verify whether a vulnerability exists. When verification is tedious or involves many steps, writing a PoC improves efficiency.

CVE: the full name is “Common Vulnerabilities & Exposures”. CVE is like a dictionary: it gives a common name to each widely recognised, publicly disclosed information security vulnerability or weakness.

Deserialization: You can think of serialization as the process of outputting a data structure as a string. Deserialization is the process of generating a data structure from a string. In the Java backend, the string is in JSON format and the data structure is a class.

Others can be understood literally, such as weak passwords, SMS bombing, and so on.

2. Tool Use

2.1 BurpSuite

This is our first testing tool; besides powerful packet capture and replay, it does brute forcing, supports plugins, and more.

Burp Suite Practical Guide

The key is the Proxy module and certificate installation; once configured you can start capturing packets. The Repeater module is for replay and is simple. The Intruder module is for brute forcing; sometimes you need a dictionary, but in practice brute-force testing usually does not require actually running through thousands or hundreds of thousands of dictionary entries...

I will mention only one tip: how to filter out the browser's own packets, heartbeat messages and similar noise.

  1. In Proxy options, select "Don't send items to Proxy history or live Tasks, if out of scope".
  2. Add your blocklist URLs under Target > Scope (Include in Scope / Exclude from Scope, regular expressions are supported), or right-click the packet in Proxy and choose Remove from Scope.
  3. Save the rules so they are loaded automatically at each startup.

2.2 netcat

The Swiss army knife of security testing; typical usage is nc -lvvp followed by the port to listen on.

Used to receive a reverse shell as it connects back, or to receive HTTP requests.

2.3 dnslog

In 1.3.2 IP and TCP protocol (Master), we mentioned that in some cases we need a machine on the public network to receive a request from the server under test. If it is a simple HTTP request, we can use DNSLog.

If it is a file inclusion or a remote call, then only a host on the public network will do.

2.4 sqlmap

Newcomers can try this tool, which automatically detects SQL injection.

Basic usage: sqlmap.py -r %filepath%, where the file contains the captured HTTP request.

www.cnblogs.com/insane-Mr-L…

Parameters are usually appended to specify what to do after a successful injection, such as executing system commands, listing database names, and so on.

2.5 Nmap

Mainly used to scan a host for open, insecure services and to guess the operating system type (the OS guess is only a reference, not definitive).

If the GUI is installed, choose the all-TCP-ports scan profile.

3. Basic Vulnerabilities

To learn and quickly get started on business security issues, I recommend the book “Web*** Business Security Practical Guide”. It is thicker than the MySQL book recommended earlier, but it actually has few words and is very easy to understand; reading it won't take much time, and it lets the reader quickly start practising.

White Hat Talks About Web Security

There are in fact many vulnerabilities, large and small, and even each CVE can count as one. Which to cover in a test depends on your situation, so draw up your own test checklist. Some testing techniques, and even the steps, are fixed; here is a list for you to organise.

  • Authentication module and user system
    • Information disclosure
    • Brute force
    • Authentication bypass
    • Login injection
  • Security configuration
    • Cookie HttpOnly flag not set
    • Insecure HTTP methods enabled
    • Host header attack
    • URL redirection
  • Session testing
  • User rights management
    • Privilege abuse (acting beyond one's own permissions)
    • Unauthorized access
  • Information disclosure
  • File download
  • CSRF & SSRF
  • XXE (XML external entity injection)
    • Injection via the request body
    • Injection via an imported file
  • SQL injection
  • XSS (script injection)
  • Server-side command injection
  • Business logic flaws

The Open Web Application Security Project (OWASP) is a non-profit organization that provides unbiased, practical and cost-effective information about computer and Internet application security. Its Top 10 project lists the ten most critical Web vulnerabilities, for those interested to study.

4. Practice

Having learned the knowledge, you naturally need to practise to deepen understanding and memory, but what do you do without a website to test? Testing websites that are live on the public network is not advisable.

The site we practise on is called a target machine or range. We recommend DVWA, a Web application written in PHP, which we can set up by downloading PHPStudy.

DVWA + PHPStudy range platform setup

Once it is built you can practise on your own. If you have no idea where to start, look at a tutorial. Lonehand wrote a series of great tutorials, but they were recently removed from FreeBuf, so see the copy here:

www.cnblogs.com/linuxsec/ca…