
Zero foundation wants to learn web security, how to get started?

2022-06-25 06:27:00 kali_ Ma

Want to learn Web security? How do you get started?

One. Think before you start

1. Do I really like security?
2. Do I want to make money through security?
3. Am I just drifting into it without knowing what I want?
4. Do I want to do security for the rest of my life?

If you haven't thought this through, it will be very bad for your future development. Instead of blindly learning Web security, make a long-term plan first. Otherwise, in my opinion, it's a waste of time.

One. First you have to understand the Web

The Web is divided into several layers; a picture is worth a thousand words:

[Figure: the layers of the Web]

It's true: if you don't understand these research objects, you can't do good security research.

So it looks like the Web has eight layers (nine if you include the browser! And each layer has dozens of mainstream components!!!). What should you do?

One rule covers it all: the layers are horizontal, and the data flow is vertical! Get the data flow straight: go through the layers from top to bottom and from bottom to top, and look closely at how the data is processed at each layer.

Two. Zero-basis Web security learning plan

2.1 HTTP protocol requests (TIME: one week)

Understand and learn the following knowledge points:

  • HTTP protocol requests
  • HTTP status codes
  • the difference between POST and GET

You can use the Chrome browser: press F12 and look at the HTTP requests and responses under the "Network" tab to get to know HTTP requests.

2.2 Dangerous HTTP header parameters (TIME: one week)

When making HTTP requests you need to know some necessary parameters; these parameters can also lead to serious security problems. They include:

  • User-Agent
  • X-Forwarded-For
  • Referer
  • Client-IP
  • Cookie
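As an added example (not from the original post), here is what goes wrong when a server believes one of these headers, X-Forwarded-For, and the safer pattern beside it; the proxy address 10.0.0.5 and the sample headers are constructed for the demonstration.

```python
import ipaddress

# Constructed for this example: the reverse proxies we operate ourselves.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def naive_client_ip(headers, remote_addr):
    """The unsafe pattern: believe X-Forwarded-For no matter who sent it.
    Any client can put 127.0.0.1 here and pass an 'admin from localhost' check."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip(headers, remote_addr):
    """Safer: only honour X-Forwarded-For when the TCP peer is one of our own
    proxies, and read it from the right, because the right-most addresses were
    appended by our proxies while everything further left came from the client."""
    peer = ipaddress.ip_address(remote_addr)
    xff = headers.get("X-Forwarded-For")
    if peer not in TRUSTED_PROXIES or not xff:
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if ipaddress.ip_address(hop) not in TRUSTED_PROXIES:
                return hop
        except ValueError:
            return remote_addr  # malformed entry: do not trust the header at all
    return remote_addr
```

The same reasoning applies to Client-IP, Referer and the rest: a header is client input until you know which hop wrote it.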

2.3 Professional terms (TIME: one day)

Understand the meaning of the following professional terms:

  • webshell
  • China Chopper (菜刀, the "kitchen knife" webshell client)
  • 0day
  • SQL injection
  • file upload vulnerabilities
  • XSS
  • CSRF
  • one-line trojan (一句话木马, a minimal webshell)


2.4 Use of professional hacking tools (TIME: 10 days)

Get familiar with penetration-testing security tools; mastering them can greatly improve your efficiency at work.

  • sqlmap
  • Burp Suite
  • nmap
  • w3af
  • Nessus
  • AppScan
  • AWVS

4. Scripting language + introduction to code audit (TIME: 10 days)

I don't recommend learning PHP too deeply; we are not doing development. Understand the basic syntax and some dangerous functions, for example what vulnerabilities functions like open and exec can cause. Once you understand which vulnerabilities PHP's dangerous functions lead to, the same applies to other scripting languages (ASP, ASPX, Java): their dangerous functions may be written differently, but they do the same things. After that you can do some code audit for Web vulnerabilities.

  • PHP introductory learning
  • PHP code audit

5. SQL injection (TIME: 3 days)

For zero-basis learners, the most effective first step is the recommended injection tool: how do you use sqlmap?

If you don't want to stay at the level of just using tools, you need to learn about databases. For MySQL or SQL Server, just learn SELECT first. Try writing a PHP script that queries the database, so that you understand the principle of manual SQL injection; this will make you progress quickly. If you want to go deeper, go over the various kinds of database injection. The technical points to master:

1. Numeric injection
2. Character (string) injection
3. Search injection
4. Blind injection (sleep-based / time-based injection)
5. Using sqlmap
6. Wide-byte injection

  • MySQL introduction
  • sqlmap
  • The principle of sleep-based injection
  • Blind SQL injection using the sleep function
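An added example (not the post's own code) showing numeric and character injection side by side and why parameterised queries stop both; the users table is constructed sample data, and Python's built-in sqlite3 stands in for MySQL.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demonstration (in-memory SQLite)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return db


def find_user_vulnerable(db, name):
    """Character injection: the value is pasted between quotes, so a quote in
    the input closes the string and the rest is parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]


def find_by_id_vulnerable(db, user_id):
    """Numeric injection: no quotes at all, so the input is SQL immediately."""
    sql = "SELECT name FROM users WHERE id = " + str(user_id)
    return [row[0] for row in db.execute(sql)]


def find_user_safe(db, name):
    """Parameterised query: the value travels separately from the SQL text,
    so nothing in it can change the statement's structure."""
    return [row[0] for row in db.execute("SELECT name FROM users WHERE name = ?", (name,))]


def find_by_id_safe(db, user_id):
    """Same for numbers: convert to int first, then bind; '2 OR 1=1' is rejected."""
    return [row[0] for row in db.execute("SELECT name FROM users WHERE id = ?", (int(user_id),))]
```

The vulnerable versions are the "before" of the fix: a search (LIKE) or blind variant differs only in how the result is observed, not in the root cause.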

6. CSRF, cross-site request forgery (TIME: 3 days)

Why does CSRF happen, what is the difference between GET-type and POST-type CSRF, and how do you defend against it by using a token?

7. XSS (TIME: 7 days)

To study XSS, first understand the same-origin policy. You should also study JavaScript hard, as well as HTML entities (their decimal and hexadecimal forms) and JavaScript's octal and hexadecimal encoding.

  • XSS
  • Hexadecimal encoding
  • The same-origin policy
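An added example, not from the original post, of the encodings the paragraph lists: the decimal and hex HTML entity forms, the octal, hex and unicode JavaScript escapes, and the output encoding that makes untrusted text harmless whatever spelling it arrived in.

```python
import html
import re


def html_entity_forms(ch):
    """The decimal and hexadecimal HTML entity spellings of one character."""
    cp = ord(ch)
    return {"decimal": f"&#{cp};", "hex": f"&#x{cp:x};"}


def js_escape_forms(ch):
    """The octal, hex and unicode escape spellings JavaScript accepts in strings."""
    cp = ord(ch)
    return {"octal": f"\\{cp:o}", "hex": f"\\x{cp:02x}", "unicode": f"\\u{cp:04x}"}


_JS_ESCAPE = re.compile(r"\\([0-7]{1,3})|\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")


def js_unescape(s):
    """Decode \\NNN, \\xHH and \\uHHHH the way a JavaScript engine does, which is
    why a filter that only looks for the literal text '<script>' misses them."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 8))
        if m.group(2) is not None:
            return chr(int(m.group(2), 16))
        return chr(int(m.group(3), 16))
    return _JS_ESCAPE.sub(repl, s)


def render_html_text(untrusted):
    """The defence: encode for the HTML text context at output time, so '<', '>',
    '&' and quotes can never be read as markup, whatever form they arrived in."""
    return "<p>" + html.escape(untrusted, quote=True) + "</p>"
```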

8. File upload vulnerabilities (TIME: 7 days)

Understand the vulnerabilities of open-source editors, and how upload checks get bypassed to upload a one-line trojan.

  • Upload bypass

9. PHP remote / local file inclusion (TIME: 10 days)

Learn how the PHP functions include(), include_once(), require(), require_once(), fopen() and readfile() give rise to file inclusion vulnerabilities, and the difference between local and remote inclusion.
Also the tricks used when exploiting file inclusion, such as: truncation / fake URLs / over-long character truncation, etc.

10. PHP command execution (TIME: 3 days)

Common code execution functions in PHP code include:

eval(), assert(), preg_replace(), call_user_func(), call_user_func_array(), create_function(), array_map(), etc.
Understand what these functions do, and then figure out how they cause code execution vulnerabilities.

12. SSRF (TIME: 3 days)

1. Understand the principle of SSRF and its dangers.
2. What SSRF can be used to do.

When doing Web penetration, the target's internal network cannot be reached from outside, so this is where an SSRF vulnerability comes in: through a Web site on the Internet that has an SSRF flaw, the following can be obtained.

1. Port scanning of the external network, the server's intranet, or localhost, to obtain the banner information of some services;

2. Attacking applications running on the intranet or locally (for example overflows);

3. Fingerprinting intranet Web applications by accessing their default files;

4. Attacking Web applications on the internal or external network, mainly attacks that can be carried out via GET parameters (such as Struts2, SQLi, etc.);

5. Reading local files via the file protocol, etc.
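An added example (not the post's own code) of the check a fetch-by-URL feature needs in order to block the five uses listed above; the FAKE_DNS table and the addresses in it are constructed so the code runs offline, and in a real service the resolver would be an actual DNS lookup.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed name -> address table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "images.example.com": "93.184.216.34",   # a public address
    "metadata.internal": "10.0.0.7",         # intranet host
    "tricky.example.com": "127.0.0.1",       # public name pointing at localhost
}


def fake_resolve(host):
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise ValueError(f"cannot resolve {host}")


def checked_fetch_target(url, resolver=fake_resolve):
    """Return (host, resolved_ip) if the URL may be fetched, else None.

    Rejects non-http(s) schemes (so file:// cannot read local files), ports other
    than 80/443 (so the fetcher cannot be used as a port scanner), and any host,
    literal or resolved, that is not a public address (intranet and localhost).
    The caller must connect to the returned IP, not re-resolve the name, or a
    DNS answer that changes between check and fetch would bypass the check."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if port not in (None, 80, 443):
        return None
    try:
        addr = ipaddress.ip_address(parts.hostname)  # literal IP in the URL
    except ValueError:
        try:
            addr = ipaddress.ip_address(resolver(parts.hostname))
        except ValueError:
            return None
    if not addr.is_global:
        return None
    return (parts.hostname, str(addr))
```

Run the same check on every redirect hop as well, since a public site can answer with a redirect to an intranet address.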

13. Logic vulnerabilities (TIME: 7 days)

Common logic vulnerabilities generally appear in the following places:

1. The order amount can be modified arbitrarily -- common in shopping sites
2. The verification code is returned in the response
3. Unauthorized operations (broken access control), mainly because the ID parameter or cookie is not properly verified.
4. Design flaws in password recovery
5. Unlimited enumeration through an interface

14. XXE (XML external entity injection) (TIME: 5 days)

When the XML parser allows external entities to be introduced, malicious content can be constructed to cause file reads, command execution, intranet probing and other harms.

15. XPath injection (TIME: 5 days)

XPath injection is essentially similar to SQL injection: both inject malicious query strings and other code into the input in order to attack the website.

16. Server parsing vulnerabilities

  • IIS parsing vulnerabilities
  • nginx parsing vulnerabilities
  • Tomcat background upload vulnerability
  • JBoss upload vulnerability

If you have mastered the vulnerability principles above, you can find a job and practice.

Bonus item - Penetration information collection (TIME: 15 days)

Subdomain collection: use the DNS zone transfer (AXFR) vulnerability to collect second-level domain names.

The Linux test commands are as follows (DNS server 1.1.1.1, test domain wooyun.org):

dig @1.1.1.1 sechook.org axfr
nmap --script dns-zone-transfer --script-args dns-zone-transfer.domain=wooyun.org -p 53 -Pn 1.1.1.1

Example: query Suning's DNS servers

D:\deep>nslookup
Default Server:  localhost
Address:  10.11.0.1
> set type=ns
> suning.com
Server:  localhost
Address:  10.11.0.1
Non-authoritative answer:
suning.com      nameserver = lns1.zdnscloud.info
suning.com      nameserver = gns2.zdnscloud.net.cn
suning.com      nameserver = lns2.zdnscloud.biz
suning.com      nameserver = gns1.zdnscloud.net
>

Query Suning's IP

C:\Users\jack>nslookup suning.com
Server:  localhost
Address:  10.11.0.1
Non-authoritative answer:
Name:    suning.xdwscache.ourwebcdn.com
Addresses: 203.130.60.48   // corresponding IP
         203.130.60.49   // corresponding IP
         203.130.60.50   // corresponding IP
Aliases:  suning.com
          Suning.com.wscdns.com // alias

Online second-level domain brute-forcing websites

https://dnsdumpster.com/
Netcraft - Search Web by Domain

Tools for obtaining second-level domains

Online tools commonly used in penetration testing -- the SecWiki project (reference link)
subDomainsBrute
wydomain
theHarvester.py
Fierce
Dig
knock
dnsspider
SubDomainscollect
SubBrute
dirfuzz

Usage format:

     fierce -dns baidu.com -threads 3
     subDomainsBrute.py suning.com
     python theHarvester.py -d suning.com -l 500 -b baidu -v    # Baidu finds more for domestic (Chinese) sites
     python theHarvester.py -d <company name> -l 500 -b baidu -v
     python theHarvester.py -d suning.com -l 500 -b google -v   # Google finds more for foreign sites
     python theHarvester.py -d school -l 1000 -b all            # "all" searches with every search engine

subDomainsBrute needs a dependency installed:

      Error message: ImportError: No module named dns.resolver
      The library to install is dnspython:
      pip install dnspython
      If you don't have pip, you can instead download it from
      https://github.com/rthalley/dnspython.git, then:
      cd dnspython
      python setup.py install

Google search operator refresher:

+   force Google to include words it might otherwise ignore, narrowing the query
-   exclude a word
~   synonyms
.   single-character wildcard
*   wildcard, can stand for more than one letter
""  exact phrase

Searching code-hosting sites for leaked information

Google:

http://andy-game.googlecode.com/svn-history/
GitHub:   https://github.com/search?utf8=%E2%9C%93&q=%E5%A4%96%E7%BD%91+%E8%B1%86%E7%93%A3&type=Code&ref=searchresults

Mailbox collection

Metasploit email collection (link)
http://xiao106347.blog.163.com/blog/static/215992078201311300162776/

Reverse lookup of domain names from an IP

http://dns.aizhan.com/58.240.86.229/

Second-level domain name collection

  • Query mail server information
  • Collect the target's IP address ranges
  • Use code-hosting websites to collect target information

Determine the IP address range

  • Scan the C-class range
  • Obtain the real IP behind the CDN
  • Social engineering

Three. Organize your notes

I think this is the most important thing. It is a good habit: let's summarize and consolidate the technology we have learned once more. In the process of summarizing, form your own understanding of the technology and your own innovations, so that the knowledge in books becomes your own.

If you've thought it through, then study according to my plan. I can't guarantee how awesome you'll be after practicing, but finding a job will be no problem.

Original site

Copyright notice
This article was created by [kali_ Ma]; please include the original link when reposting, thank you
https://yzsam.com/2022/02/202202201232418529.html