当前位置:网站首页>Complete Guide to web application penetration testing
Complete Guide to web application penetration testing
2022-06-24 17:50:00 【Software test network】
The author 丨 Ariaa Reeds
Translator Qiu Kai
Planning sun Shujuan
If you are Web Security experts 、Web Penetration test engineer or Web Application Developer , So this article is tailored for you . This article will provide guidance from three aspects : First , Help you learn Web Apply penetration testing techniques , And learn about relevant tools ; secondly , Tell you how to be in Web Find and test vulnerabilities in the application ; Last , Guide you through Web Application of penetration testing technology to improve Web Security of application .
Web Apply penetration testing
Web Application of penetration testing is a means of identification and prevention Web Apply the approach to security issues .Web Penetration test engineers based on their own understanding of vulnerability and penetration test technology , Follow the scientific penetration test process , Use penetration testing tools to identify Web Security risks in applications , These security risks are likely to be maliciously exploited by hackers or other unauthorized personnel .
Web The application is designed for Web Server design and development program , for example Internet information service (IIS)、Apache Tomcat etc. .Web The application has a wide range of usage scenarios , It can be a simple text-based calculator , It can also be similar to Amazon (Amazon) The same complex e-commerce system . These e-commerce systems also run authentication systems 、 database 、 Websites and many other different services .
To complete a valid Web Apply penetration testing tasks , You need to have a wealth of Web Apply technical knowledge , for example Web The server 、Web Framework and Application Web programing language .
Web Advantages of applying penetration testing
Web The application of penetration testing is to detect Web The most effective way to apply vulnerabilities and security issues . adopt Web Apply penetration testing , Able to judge Web Whether the application is vulnerable , This usually represents Web The application has vulnerabilities that can be maliciously exploited by hackers or unauthorized personnel . In a safe environment Web Application for penetration testing , It can avoid production system downtime caused by penetration test . This helps to detect before user data is corrupted Web Application security issues , Give us enough time to fix the vulnerability .Web Applying penetration testing can help Web Security experts know Web How the application works 、Web The technical implementation of the application and the Web Application vulnerability type . These can help you better understand Web Application attack surface , In order to develop and implement effective safety measures .
How to develop Web Apply penetration testing work
Web Security experts use a variety of tools and techniques in their areas of responsibility Web Perform penetration test task on Application . They also make custom test cases , Used to simulate the real world of Web Attacks using targets .
Web Apply penetration test process
Understand the working principle of target application ( for example : What technologies are used in the target application ). Use automatic or manual tools to scan the target application , Looking for client code ( for example Javascript、Flash object 、Cookie etc. ) A loophole in the , When a vulnerability is found , Try to exploit this vulnerability , In order to find the root cause of the vulnerability , Then try to fix it as much as possible .
Web What penetration testers usually do
- Traverse Web Application directory and Web The server ;
- Judge the target application and its technical implementation ( The server 、 Technical framework ) And programming languages ;
- Use Burp Suite or Acunetix And other tools for manual penetration testing , To discover the client code ( for example Javascript、Flash Object etc. ) A loophole in the ;
- Use Netsparker or HP Web Inspect And other automated tools to scan and identify Web Known vulnerabilities in servers and related technical frameworks . What the penetration tester found during the manual test phase Web Application vulnerability , You can also use automated tools to attack ;
If necessary, , Yes Web Application for source code analysis , In order to be in Web The application is deployed to Web Before server , Fix security issues by adding incoming data filters .
Web Apply penetration testing tools
There are many open source and commercial Web The application security assessment tool can use , for example :
- Acunetix WVS/WVS11;
- Netsparker Web Scanner;
- IBM Rational Appscan Standard Edition;
- HP Web Inspect Professional;
- Paros Proxy etc.
Compared with automation technology , Do it manually Web Applying penetration testing tasks is still a good choice , Because it can provide more flexibility in testing . Do it manually Web The application security assessment consists of several steps , According to your test purpose ( For example, exploit vulnerabilities ), These steps can cover the whole process from information collection to vulnerability exploitation .
How to execute Web Apply penetration testing tasks
Be clear about Web After applying the safety assessment objectives , The first thing to do is to collect information . You need to collect as much target application information as possible , This will help plan the next phase of penetration testing tasks . For example, identify all systems that provide public services , Software platform used for target application, etc . take Web Application name or technology implementation as custom keyword , stay Google、LinkedIn Or other effective online social networking sites to collect information , After that , You should also search for and download information that contains sensitive information ( For example, user name and password ) Of Web Application files .
Now? , adopt Web Application source code or other effective online resources , Analyze the technical implementation used in the target application . This is a very important step , Because this information will help us plan the penetration test task in the next stage .
If you use automated tools to collect information , Then it will be particularly important to analyze the technical implementation of target application , Because such tools can only detect based on specific Web Vulnerabilities in application frameworks and programming languages , Unable to effectively identify all vulnerability information .
We always recommend that you go from the outside to the inside ( namely , Take the system that provides public services as the starting point for testing ) Perform penetration testing tasks in a way , This will help us understand the attack methods used from the attacker's point of view 、 Attack technology and attack path , A more comprehensive analysis Web Application exposed attack surface .
How to improve Web The effect of applying the penetration test
At the beginning Web Before applying the penetration test task , A lot of planning and preparation needs to be done . You need to be aware of Web Applications are very complex systems , It is a combination of many technical implementations , for example Web The server /Web application server 、Web Application framework or programming language, etc , Therefore, it is very important to determine which technologies are used in the target application .
Some tools only support specific types of Web Apply technology to detect , for example :
Paros Support detection by PHP Application of technology development , Based on is not supported ASP Application of technology development ;
Acunetix WVS It can automatically identify the operation in Windows Application service category on the server ( namely Apache perhaps IIS), And in the Linux Environment , You need to manually configure the application service category in the initialization phase , This is because Acunetix WVS Can be in Windows Automatic detection in the environment , But in Linux In the environment, automatic detection is not possible .
Translator introduction
Qiu Kai ,51CTO Community editor , At present, he works for Beijing Express Co., Ltd , The position is information security engineer . Mainly responsible for the company's information security planning and construction ( Equal insurance ,ISO27001), The main contents of daily work are the formulation and implementation of safety plan 、 Internal safety audit and risk assessment and management .
Original title :The Complete Guide to Web Application Penetration Testing, author :Ariaa Reeds
Link to the original text :
https://readwrite.com/2022/01/02/the-complete-guide-to-web-application-penetration-testing/
边栏推荐
- 视频平台如何将旧数据库导入到新数据库?
- QQ domain name detection API interface sharing (with internal access automatic jump PHP code)
- Easyplayer streaming media player plays HLS video. Technical optimization of slow starting speed
- Continue to help enterprises' digital transformation -tce has obtained the certification of the first batch of digital trusted service platforms in China
- When the game meets NFT, is it "chicken ribs" or "chicken legs"?
- Overall planning and construction method of digital transformation
- Go collaboration and pipeline to realize asynchronous batch consumption scheduling task
- [2021 taac & Ti-One] frequently asked questions related to the notebook function
- Quickly build MySQL million level test data
- How to troubleshoot and solve the problem that the ultra-low delay security live broadcast system webrtc client plays no audio in the browser?
猜你喜欢
How to select the best test cases for automation?
NVM download, installation and use
Constantly changing the emergency dialing of harmonyos ETS during the new year
C language - structure II
Five skills of selecting embedded programming language
The 'ng' entry cannot be recognized as the name of a cmdlet, function, script file, or runnable program. Check the spelling of the name. If you include a path, make sure the path is correct, and then
High quality defect analysis: let yourself write fewer bugs
Ten software development indicators for project managers
国家出手了!对知网启动网络安全审查
Etching process flow for PCB fabrication
随机推荐
Easygbs video platform TCP active mode streaming exception repair
浅谈云流送多人交互技术原理
How much does it cost to develop a small adoption program similar to QQ farm?
Redis source code analysis RDB
Digital trend analysis of B2B e-commerce market mode and trading capacity in electronic components industry
High quality defect analysis: let yourself write fewer bugs
Can the money invested in financial products be withdrawn at any time?
[can you really use es] Introduction to es Basics (I)
C language | printf output function
专有云TCE COS新一代存储引擎YottaStore介绍
Open up the construction of enterprise digital procurement, and establish a new and efficient service mode for raw material enterprises
Zabix5.0-0 - agent2 monitoring MariaDB database (Linux based)
QQ domain name detection API interface sharing (with internal access automatic jump PHP code)
Using consistent hash algorithm in Presto to enhance the data cache locality of dynamic clusters
On N handshakes and M waves of TCP
CentOS 7 installing SQL server2017 (Linux)
Five skills of selecting embedded programming language
13 skills necessary for a competent QA Manager
Redpacketframe and openmode packages
Leetcode topic [array] -46- full arrangement