The targets of Web attacks are the server and client applications that use the HTTP protocol, and the Web applications running on the server.
HTTP itself is a simple, general-purpose protocol. Everything in the HTTP request that a Web application receives from the browser can be freely modified on the client side, so the content the server ends up receiving may be entirely different from what was intended and may have been deliberately tampered with.
The attack code travels in the URL query string, form fields, HTTP headers, cookies and similar channels.
By loading attack code into an HTTP request, an attacker can attack a Web application through the URL query string, form fields, HTTP headers or cookies. If the application's code has a security vulnerability, the attacker may obtain administrative privileges, or the requested content may be altered or stolen.
Active attacks and passive attacks
Active attacks: attacks that target the server directly
An active attack is one in which the attacker accesses the Web application directly and passes the attack code in. Because this model attacks resources on the server directly, the attacker must be able to reach those resources.
Typical active attacks are SQL injection and OS command injection.
SQL injection attacks
This attack targets the database that a Web application uses, by running SQL statements that were generated illegally.
Attack mode: When a Web application retrieves, adds or deletes data in a database table, it connects to the database and issues the appropriate SQL statement. If the code that builds the SQL statement is flawed, malicious SQL can be injected into it, and the attack can be carried out from the browser's address bar. For example, appending "--" to a parameter in the URL: in SQL, "--" starts a comment, so everything after it is commented out, which lets the attacker change the meaning of the statement.
Impact: unauthorized viewing or tampering of data in the database, bypassing authentication, and running programs associated with the database server.
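The flaw described above and its fix, as an added example that is not part of the original article: a login query built by string concatenation next to the same query with placeholders, run against an in-memory SQLite database constructed in the block.

```python
# Added example (not from the original article): the flawed and the fixed way of
# building a login query, run against a constructed in-memory SQLite database.
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample database with one registered user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn

def login_concatenated(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Flawed: user input is pasted straight into the SQL text. Input that contains a
    # quote and the '--' comment marker changes the meaning of the statement, as the
    # article describes: everything after '--' is ignored, including the password check.
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Fixed: placeholders let the driver pass the values separately from the SQL text,
    # so a quote or '--' in the input is just data and cannot terminate the string.
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    tampered_name = "alice'--"   # the comment marker removes the password check
    print(login_concatenated(db, tampered_name, "wrong"))   # True: check bypassed
    print(login_parameterized(db, tampered_name, "wrong"))  # False: literal name, no match
```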
OS command injection attacks
This attack executes arbitrary operating system commands through the Web application. The risk exists anywhere the application can call a shell.
Attack mode: The Web application calls operating system commands through a shell. If that call is flawed, the attacker can execute arbitrary OS commands, which means that any program installed on the OS can be turned against the system. A typical example is an e-mail sending feature that invokes the mail command through a shell.
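The mail-sending case above, as an added example that is not part of the original article. The sendmail path and the address syntax are assumptions; the flawed variant builds one shell command line from the recipient address, the fixed variant validates the address and passes it as a separate argument without any shell.

```python
# Added example (not from the original article): a mail feature that hands a recipient
# address to an OS command. Assumed sendmail path; constructed address syntax rule.
import re
import shlex
import subprocess

SENDMAIL = "/usr/sbin/sendmail"   # assumed location of the mail command
# Deliberately strict: nothing a shell could interpret (; | & $ ` space ...) is allowed.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def shell_command_line(address: str) -> str:
    # Flawed: the value is pasted into a command line that a shell will parse, so a ';'
    # or '|' inside the value ends the sendmail command and starts a second command.
    return f"{SENDMAIL} {address}"

def shell_commands_seen(command_line: str) -> int:
    # How a POSIX shell would read the flawed line: the number of separate commands.
    # shlex with punctuation_chars recognises ';', '|' and '&' as separators.
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    separators = sum(1 for tok in lexer if tok in (";", "|", "&", "&&", "||"))
    return separators + 1

def address_is_valid(address: str) -> bool:
    return ADDRESS_RE.fullmatch(address) is not None

def sendmail_argv(address: str) -> list[str]:
    # Fixed: validate first, then return an argv list. Run without shell=True, the
    # address is a single argument to sendmail and is never parsed by a shell.
    if not address_is_valid(address):
        raise ValueError("invalid recipient address")
    return [SENDMAIL, address]

def send_mail(address: str, body: bytes) -> int:
    # Invokes sendmail safely and returns its exit status (needs sendmail installed).
    return subprocess.run(sendmail_argv(address), input=body, check=False).returncode

if __name__ == "__main__":
    print(shell_commands_seen(shell_command_line("user@example.com")))      # 1
    print(shell_commands_seen(shell_command_line("user@example.com; id")))  # 2
    print(address_is_valid("user@example.com; id"))                         # False
```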
Passive attacks: attacks that target the server's users through a trap
A passive attack uses a trap to get the attack code executed. The attacker does not attack the target Web application directly; instead, the attacker sets a trap for the user to trigger. Once the user takes the bait, the browser sends an HTTP request containing the attack code to the target Web application, where the attack code runs. With this kind of attack the attacker can steal the user's personal information, tamper with it, or misuse it in other ways. Because it goes through the user's browser, the attack can also reach the enterprise network the user is connected to.
Representative passive attacks are cross-site scripting (XSS), cross-site request forgery (CSRF) and HTTP header injection.
Cross-site scripting attacks
Attack mode: The attacker plants a script as a trap; when it runs in the user's browser, the user becomes the victim of a passive attack.
Impact: tricking the user with a fake input form to capture personal information; using a script to steal the user's cookie value; sending malicious requests on the user's behalf without the user's knowledge; displaying forged articles or images.
XSS is a passive attack in which the attacker lures the user into triggering a pre-set trap. For example, a specific script inserted into a URL parameter can capture the user's login information, or steal the user's cookie (read through JavaScript).
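The two defences the XSS passage implies, as an added example that is not part of the original article: escaping a submitted value before it is put into the page so it cannot be interpreted as script, and marking the session cookie HttpOnly so that a script cannot read it. The page template, cookie name and sample comment are constructed.

```python
# Added example (not from the original article): output escaping and an HttpOnly
# session cookie. Template, cookie name and sample input are constructed here.
import html

def render_unescaped(comment: str) -> str:
    # Flawed: the submitted comment is inserted as-is, so a value containing <script>
    # becomes part of the page's markup and runs in every visitor's browser.
    return f'<p class="comment">{comment}</p>'

def render_escaped(comment: str) -> str:
    # Fixed: html.escape turns <, >, &, and quotes into entities, so the browser
    # displays the text literally instead of interpreting it.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'

def session_cookie_header(session_id: str) -> str:
    # HttpOnly keeps the cookie out of document.cookie, Secure limits it to HTTPS,
    # SameSite=Lax stops most cross-site requests from carrying it.
    return f"Set-Cookie: SID={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"

def contains_live_tag(rendered: str, tag: str = "<script") -> bool:
    # Constructed check: does the rendered page still contain an interpretable tag?
    return tag in rendered.lower()

if __name__ == "__main__":
    submitted = "<script>alert(document.cookie)</script>"   # constructed comment text
    print(contains_live_tag(render_unescaped(submitted)))   # True: script would run
    print(contains_live_tag(render_escaped(submitted)))     # False: shown as text
    print(session_cookie_header("constructed-session-id"))
```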
Cross-site request forgery
CSRF is an attack in which the attacker sets a trap that forces a user who has already completed authentication to perform unintended updates to personal information or settings; it is a passive attack. Impact: updating information that only the authenticated user has permission to change; purchasing goods with the authenticated user's privileges; posting on a message board with the authenticated user's privileges.
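One standard defence against the forged requests described above, as an added example that is not part of the original article: a token bound to the user's session with an HMAC, placed in the form and checked on every state-changing request. A forged request from another site carries the victim's session cookie but cannot supply the matching token. Key handling and the handler shape are assumptions.

```python
# Added example (not from the original article): session-bound CSRF tokens.
# The server key and the update handler are constructed for the demonstration.
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret, never sent to clients

def issue_csrf_token(session_id: str) -> str:
    # Token = HMAC(key, session id): valid only for this session and impossible to
    # derive without the server key, so an attacker's page cannot forge it.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def verify_csrf_token(session_id: str, submitted: str) -> bool:
    # Constant-time comparison against the token expected for the cookie's session.
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, submitted or "")

def handle_profile_update(session_id: str, form: dict) -> str:
    # A state-changing handler: the session cookie alone is not enough, the hidden
    # form field must match as well.
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "403 rejected: missing or invalid CSRF token"
    return f"200 profile updated to {form.get('email', '')}"

if __name__ == "__main__":
    sid = secrets.token_hex(16)
    legit = {"csrf_token": issue_csrf_token(sid), "email": "alice@example.com"}
    forged = {"email": "attacker@example.com"}   # built on the attacker's site
    print(handle_profile_update(sid, legit))     # 200 ...
    print(handle_profile_update(sid, forged))    # 403 ...
```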
HTTP header injection attacks
In this attack the attacker inserts a line break into a response header field so that an arbitrary response header or body can be added; it is a passive attack. Adding content to the body is called an HTTP response splitting attack.
Attack mode: Web applications sometimes assign values received from outside to response header fields such as Location and Set-Cookie. HTTP header injection inserts a line break into such a value at the point where the application writes it into the response header.
Impact: setting arbitrary cookies; redirecting to any URL; displaying an arbitrary body (HTTP response splitting).
1. Appending %0D%0A (the line break of an HTTP message) to the URL lets the attacker write their own header fields after it, for example a Set-Cookie header that sets the cookie to a value of the attacker's choosing.
2. HTTP response splitting: inserting two consecutive %0D%0A sequences produces the blank line that separates the HTTP headers from the body, so the attacker can display a fake body. A user who triggers the trap sees a fake Web page, which can be used to get the user to enter personal information and so on; the effect is the same as a cross-site scripting attack.
3. Cache pollution: abusing HTTP/1.1's ability to return multiple responses over one connection can make a cache server cache arbitrary content. Users who browse the attacked site through that cache server keep receiving the substituted page in their browser.
Mail header injection attacks
This attack targets the e-mail sending function of a Web application: the attacker adds arbitrary content to mail header fields such as To or Subject. By exploiting this vulnerability in a Web site, spam or virus e-mail can be sent to any e-mail address.
Attack case: the attacker submits a request in which the e-mail address is followed by %0D%0A, which represents a line break in the mail message; the mail can then be sent to an additional address. Two consecutive line breaks make it possible to tamper with the message body and send it. In the same way, headers such as To and Subject can be rewritten, and actions such as adding an attachment to the text become possible.
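One check that covers both the HTTP header injection section and the mail header injection section above, as an added example that is not part of the original article: an externally supplied value is URL-decoded the way the application would see it and rejected if it contains a carriage return or line feed, so %0D%0A can never start a new header line or the blank line that begins a body. The header-building helpers are constructed.

```python
# Added example (not from the original article): refuse line breaks in any value that
# is written into an HTTP response header or a mail header. Helpers are constructed.
from urllib.parse import unquote

LINE_BREAK_CHARS = ("\r", "\n", "\x00")

def header_value_is_safe(value: str) -> bool:
    # Decode first so %0D%0A is judged as the CR LF it becomes; a literal CR/LF in
    # already-decoded form input is caught as well (conservative on purpose).
    decoded = unquote(value)
    return not any(ch in decoded for ch in LINE_BREAK_CHARS)

def lines_if_pasted(value: str) -> list[str]:
    # What the flawed application would emit: the decoded value split at CR LF. More
    # than one line means extra headers (or a body) were smuggled in.
    return unquote(value).split("\r\n")

def location_header(location: str) -> str:
    # Builds the redirect header for a Location value taken from the request.
    if not header_value_is_safe(location):
        raise ValueError("line break in Location value")
    return f"Location: {unquote(location)}"

def mail_headers(to_addr: str, subject: str) -> str:
    # Builds the To and Subject lines of an outgoing message from form input.
    for name, value in (("To", to_addr), ("Subject", subject)):
        if not header_value_is_safe(value):
            raise ValueError(f"line break in {name} value")
    return f"To: {to_addr}\r\nSubject: {subject}\r\n"

if __name__ == "__main__":
    injected = "/top%0D%0ASet-Cookie:%20SID=constructed"   # constructed sample input
    print(lines_if_pasted(injected))          # two lines: the second is a new header
    print(header_value_is_safe(injected))     # False
    print(location_header("/top"))            # Location: /top
```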
Directory traversal attacks
Directory traversal is the unintended disclosure of a file directory: by illegally manipulating the directory path, the attacker reaches files that were never meant to be accessible.
Attack mode: When a Web application performs file operations and, through a flawed process, lets the file name be specified from outside, the user can navigate with a relative path such as ../../etc/passwd or with an absolute path, so arbitrary files or directories on the server may be accessed. Files on the Web server can then be illegally viewed, tampered with or deleted.
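The containment check that defeats the path manipulation above, as an added example that is not part of the original article: the requested name is resolved under a fixed document root and refused when its real path lands outside that root. The document root is a temporary directory constructed in the block.

```python
# Added example (not from the original article): resolve a user-supplied file name
# under a fixed root and refuse anything that escapes it. Root is constructed.
import os
import tempfile

def resolve_under_root(root: str, requested: str) -> str:
    # Returns the absolute path to serve, or raises PermissionError. realpath collapses
    # '..' segments and follows symlinks, so the check sees the path the OS would open.
    if os.path.isabs(requested):
        raise PermissionError(f"absolute path refused: {requested!r}")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if candidate != root_real and not candidate.startswith(root_real + os.sep):
        raise PermissionError(f"path escapes document root: {requested!r}")
    return candidate

def is_allowed(root: str, requested: str) -> bool:
    try:
        resolve_under_root(root, requested)
        return True
    except PermissionError:
        return False

def demo_root() -> str:
    # Constructed document root containing docs/guide.txt, in a temporary directory.
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "guide.txt"), "w") as fh:
        fh.write("public content\n")
    return root

if __name__ == "__main__":
    root = demo_root()
    print(is_allowed(root, "docs/guide.txt"))      # True
    print(is_allowed(root, "../../etc/passwd"))    # False: resolves above the root
    print(is_allowed(root, "/etc/passwd"))         # False: absolute path refused
```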
Remote File Inclusion Vulnerabilities
Attack mode: when part of a script needs to read content from another file, the attacker specifies a URL as the file name so that a file on an external server is read in, and the script then runs arbitrary code supplied by the attacker. This vulnerability mainly concerns PHP's include and require: the feature allows the URL of an external server to be given as the file name, but because it is so dangerous, it has been disabled in the default configuration since PHP 5.2.0 (the allow_url_include setting is Off by default).
How do security vulnerabilities arise?
Security vulnerabilities caused by design or configuration defects
A misconfigured Web server, or a number of design problems, can cause security vulnerabilities.
1. Forced browsing
Forced browsing means browsing files placed in a public directory of the Web server that were never meant to be public. It can disclose customers' personal information, content that should require access rights to view, and files that were not meant to be linked from outside. Merely concealing the URL is not a good defence, because file names and directory indexes are easy to guess, and the URL can leak by some other means.
2, an incorrect error message handling
Error messages from a Web application that contain information useful to an attacker come from two sources: error messages thrown by the Web application itself, and error messages thrown by the database system.
Error messages thrown by the Web application: the authentication function's error messages are a good illustration of incorrect error message handling. If a failed login tells the user exactly which piece of the registration information was wrong, an attacker can use that message to confirm whether a user is registered. It is recommended that the message say no more than that authentication failed.
Error messages thrown by the database system: unexpected input produces an error message that reveals details of the database. From such a message the attacker can read, for example, that the database is MySQL, which gives hints for SQL injection attacks.
3. Open redirects
An open redirect is a redirection function that jumps to any specified URL. If it is made to redirect to a malicious Web site, the user is lured to that site. For example, with a URL such as http://example/?redirect=*** the attacker can rewrite the redirect parameter to point at a site the attacker has set up. Open redirects can be used as a springboard for phishing attacks.
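Validating the redirect parameter of such a jump function, as an added example that is not part of the original article: only site-relative paths or an allow-listed host are accepted, and everything else falls back to a default page. The site origin and allow-list are assumptions.

```python
# Added example (not from the original article): a redirect parameter validator.
# ALLOWED_HOSTS is an assumed allow-list for the site's own host names.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"example"}   # assumed: the only hosts a redirect may lead to

def safe_redirect_target(redirect: str, default: str = "/") -> str:
    # Returns the URL to redirect to: the requested one if it is safe, else default.
    parts = urlsplit(redirect)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default                      # javascript:, data: and other schemes
    if parts.netloc:
        # Compare the whole netloc so user@host and host:port tricks do not pass.
        if parts.netloc.lower() not in ALLOWED_HOSTS:
            return default                  # external site: refuse
        return redirect
    # No host given: accept only a site-relative path. '//host' is parsed as a netloc
    # above; '/\host' and '\host' are treated like '//host' by some browsers, so refuse.
    if redirect.startswith(("//", "/\\", "\\")):
        return default
    if not redirect.startswith("/"):
        return default
    return redirect

if __name__ == "__main__":
    for target in ("/account", "https://example/account", "//evil.example/login",
                   "https://evil.example/login", "javascript:void(0)", "/\\evil.example"):
        print(f"{target!r:32} -> {safe_redirect_target(target)!r}")
```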
Security vulnerabilities caused by negligent session management
Negligence in session management can lead to theft of the user's authenticated state and other consequences, for example session hijacking (the attacker obtains the user's session ID by some means and impersonates the user) and session fixation (the attacker forces the user to use a session ID chosen by the attacker; a passive attack).
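A minimal session store that addresses both problems named above, as an added example that is not part of the original article: session IDs are issued only by the server from a CSPRNG and expire after inactivity (so they are hard to guess for hijacking), and the ID is regenerated at login so an ID planted by an attacker never survives authentication (defeating fixation). The expiry policy is an assumption.

```python
# Added example (not from the original article): server-issued session IDs that are
# regenerated at login and expire after inactivity. SESSION_TTL is an assumed policy.
import secrets
import time

SESSION_TTL = 1800   # seconds of inactivity before a session is dropped (assumed)

class SessionStore:
    def __init__(self):
        self._sessions = {}   # sid -> {"user": str or None, "last_seen": float}

    def start(self) -> str:
        # IDs come only from the server's CSPRNG; an ID proposed by the client is
        # never adopted, so an attacker cannot pick one for the victim.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": time.time()}
        return sid

    def lookup(self, sid: str):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if time.time() - entry["last_seen"] > SESSION_TTL:
            del self._sessions[sid]        # expired: treat as unknown
            return None
        entry["last_seen"] = time.time()
        return entry

    def login(self, presented_sid: str, user: str) -> str:
        # Regenerate at authentication: whatever ID the browser presented (possibly
        # planted through a trap or an injected Set-Cookie header) is discarded and a
        # fresh ID is bound to the authenticated user.
        self._sessions.pop(presented_sid, None)
        new_sid = self.start()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def user_for(self, sid: str):
        # The authenticated user behind a session ID, or None if unknown/expired.
        entry = self.lookup(sid)
        return None if entry is None else entry["user"]

if __name__ == "__main__":
    store = SessionStore()
    planted = "attacker-chosen-id"            # constructed: ID forced onto the victim
    fresh = store.login(planted, "alice")
    print(store.user_for(planted), store.user_for(fresh))   # None alice
```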