Complete Guide to web application penetration testing
2022-06-24 17:50:00 【Software test network】
Author: Ariaa Reeds
Translator: Qiu Kai
Planning: Sun Shujuan
If you are a web security expert, a web penetration test engineer or a web application developer, this article is written for you. It provides guidance in three areas: first, it helps you learn web application penetration testing techniques and the relevant tools; second, it explains how to find and test vulnerabilities in a web application; and last, it guides you in using web application penetration testing techniques to improve the security of your web applications.
Web application penetration testing
Web application penetration testing is an approach to identifying and preventing security issues in web applications. Drawing on their understanding of vulnerabilities and penetration testing techniques, web penetration test engineers follow a systematic penetration testing process and use penetration testing tools to identify security risks in web applications, risks that could be maliciously exploited by hackers or other unauthorized personnel.
A web application is a program designed and developed to run on a web server, for example Internet Information Services (IIS) or Apache Tomcat. Web applications cover a wide range of usage scenarios: they can be as simple as a text-based calculator or as complex as an e-commerce system like Amazon's. Such e-commerce systems also run authentication systems, databases, websites and many other services.
To carry out an effective web application penetration test, you need a wealth of knowledge about web application technologies, such as web servers, web frameworks and web application programming languages.
Advantages of web application penetration testing
Web application penetration testing is the most effective way to detect vulnerabilities and security issues in web applications. Through it, you can judge whether a web application is vulnerable, which usually means the application has vulnerabilities that hackers or unauthorized personnel could maliciously exploit. Performing the penetration test on the web application in a safe environment avoids production system downtime caused by the test. This helps detect web application security issues before user data is compromised and leaves enough time to fix the vulnerabilities. Web application penetration testing also helps web security experts understand how the web application works, how it is technically implemented and what types of vulnerabilities it has. All of this helps you better understand the web application's attack surface so that you can develop and implement effective security measures.
How to carry out web application penetration testing
Web security experts use a variety of tools and techniques within their area of responsibility to perform penetration testing tasks on web applications. They also write custom test cases to simulate real-world attacks against the target web application.
Web application penetration testing process
Understand how the target application works (for example, which technologies it uses). Use automated or manual tools to scan the target application and look for vulnerabilities in client-side code (for example JavaScript, Flash objects and cookies). When a vulnerability is found, try to exploit it in order to find its root cause, and then try to fix it as far as possible.
What web penetration testers usually do
- Traverse the web application's directories and the web server;
- Determine the target application's technical implementation (server, technical framework) and programming language;
- Use Burp Suite, Acunetix and other tools for manual penetration testing to discover vulnerabilities in client-side code (for example JavaScript and Flash objects);
- Use Netsparker, HP WebInspect and other automated tools to scan for and identify known vulnerabilities in the web server and related technical frameworks. Web application vulnerabilities found by the penetration tester during the manual testing phase can also be attacked with automated tools;
If necessary, analyze the web application's source code so that security issues can be fixed by adding filters on incoming data before the application is deployed to the web server.
Web application penetration testing tools
There are many open-source and commercial web application security assessment tools available, for example:
- Acunetix WVS/WVS11;
- Netsparker Web Scanner;
- IBM Rational Appscan Standard Edition;
- HP Web Inspect Professional;
- Paros Proxy, and others.
Compared with automated techniques, manual web application penetration testing is still a good choice, because it offers more flexibility in testing. A manual web application security assessment consists of several steps that, depending on the purpose of your test (for example, exploiting vulnerabilities), can cover the whole process from information gathering to vulnerability exploitation.
How to execute web application penetration testing tasks
Once the objectives of the web application security assessment are clear, the first thing to do is gather information. You need to collect as much information as possible about the target application, because this helps plan the next phase of the penetration test. For example, identify all systems that provide public services and the software platform the target application uses. Using the web application's name or its technical implementation as custom keywords, gather information on Google, LinkedIn or other useful online social networks. After that, you should also search for and download web application files that contain sensitive information (for example, usernames and passwords).
Next, analyze the technical implementation used in the target application through its source code or other useful online resources. This is a very important step, because this information helps plan the next phase of the penetration test.
If you use automated tools to gather information, analyzing the target application's technical implementation becomes especially important, because such tools can only detect vulnerabilities in specific web application frameworks and programming languages and cannot effectively identify all vulnerabilities.
We always recommend performing penetration testing tasks from the outside in (that is, starting from the systems that provide public services). This helps us understand the attack methods, attack techniques and attack paths from the attacker's point of view and analyze the web application's exposed attack surface more comprehensively.
How to improve the effectiveness of web application penetration testing
A great deal of planning and preparation is needed before starting a web application penetration test. Be aware that web applications are very complex systems that combine many technical components, such as the web server or web application server, the web application framework and the programming language, so it is very important to determine which technologies the target application uses.
Some tools only support detecting specific types of web application technology, for example:
- Paros supports detection of applications developed with PHP, but not applications developed with ASP;
- Acunetix WVS can automatically identify the type of application server (that is, Apache or IIS) running on a Windows server, but in a Linux environment you need to configure the application server type manually in the initialization phase, because Acunetix WVS can auto-detect it on Windows but not on Linux.
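As an added example (not from the original article or its author), the following Python script shows one way to carry out the technology identification the guide recommends before choosing a tool: it reads the headers of a constructed HTTP response and reports the server, the platforms implied by version headers and session cookie names, and the information-disclosure and cookie-flag findings a tester would record for the report. The cookie-name table and the sample response are assumptions built for this example.

```python
import re

# Session cookie names that identify the platform that set them (constructed lookup table).
SESSION_COOKIES = {"PHPSESSID": "PHP", "ASP.NET_SessionId": "ASP.NET",
                   "JSESSIONID": "Java servlet container"}

# Constructed sample response; nothing here is fetched from a real host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=d41d8cd98f00; path=/\r\n"
    "Set-Cookie: theme=dark; path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

def parse_headers(raw):
    """Return the header fields of a raw HTTP response as (lowercased name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def fingerprint(raw):
    """Infer the server, the technology stack and information-disclosure findings
    from response headers alone (no body or client-side code is inspected)."""
    result = {"server": None, "technologies": set(), "findings": []}
    for name, value in parse_headers(raw):
        if name == "server":
            result["server"] = value
            if re.search(r"/\d", value):  # a version number follows the product name
                result["findings"].append(f"Server header discloses version: {value}")
        elif name in ("x-powered-by", "x-aspnet-version"):
            tech = "ASP.NET" if name == "x-aspnet-version" else value.split("/")[0]
            result["technologies"].add(tech)
            result["findings"].append(f"{name} discloses {value}")
        elif name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if cookie in SESSION_COOKIES:
                result["technologies"].add(SESSION_COOKIES[cookie])
                for flag in ("httponly", "secure"):  # session cookies need both flags
                    if flag not in attrs:
                        result["findings"].append(f"Session cookie {cookie} lacks {flag}")
    return result
```

Run against the sample, the stack comes back as Apache with PHP, which is the information that decides whether a PHP-only scanner such as Paros is even applicable.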
About the translator
Qiu Kai, 51CTO community editor, currently works at Beijing Express Co., Ltd. as an information security engineer. He is mainly responsible for the company's information security planning and construction (classified protection (等保) compliance, ISO 27001); his daily work consists mainly of drafting and implementing security plans, internal security audits, and risk assessment and management.
Original title: The Complete Guide to Web Application Penetration Testing, by Ariaa Reeds
Link to the original article:
https://readwrite.com/2022/01/02/the-complete-guide-to-web-application-penetration-testing/