Website vulnerability repair service provider's analysis of unauthorized vulnerability
2022-07-31 15:49:00 【51CTO】
Websites commonly contain unauthorized-access (broken access control) vulnerabilities. First, what is a key controllable parameter? Parameters such as a user ID or an order ID are key parameters, but they only count as controllable if a tester can actually change them. If the parameter is bound to the session (the server ignores the client-supplied value) or has a fixed value, it is not a controllable parameter. The defining property of a key controllable parameter is that your change to it must be able to produce the unauthorized effect. The faster we locate such a parameter, the faster we find the corresponding unauthorized-access vulnerability.
What does "hold the other parameters fixed and change one at a time" mean? A request message may carry several variables or parameters. We generally change one parameter first while leaving the others unchanged, then look at how the response changes. If the result you are looking for does not appear, change another variable, then two variables at once, and so on until every variable has been changed or some variables have been deleted. This is the single-variable control principle. The reliable confirmation is to replay the request with account A's session but account B's identifier and check that the response contains B's data rather than A's own.
So the other variables are kept unchanged while the key variable (or several at once) is changed. This may sound abstract, so we will look at an example. Before that, a note on how to find the key variable, by classifying parameters. The first class is the user identity ID: a unique identifier the site assigns to a user, from which the user's identity can be determined, such as a mobile phone number, ID card number, or user ID. These are unique because a registered username cannot be repeated: it is written to the database, and registration checks whether the user already exists, so the user ID is the one parameter that identifies a user on the site. This is what we call user identity.
The second class is the user attribute ID, which is generated by the user's activity on the site: an order number when placing an order, parameter values that change when editing the personal center, an address ID, a record ID, and so on. These are IDs derived from the user's identity and its attributes, much as a person has attributes such as being able to think, run, sing or swim. A user attribute ID is produced by a particular kind of operation the user performs.
Horizontal privilege escalation (horizontal override) is based on identity IDs and the like. In the example, the request uses the GET method, so we focus on the URL, because the parameter values are placed in the URL, whereas with POST they are placed in the request body; this must be distinguished. There are only two parameters here; how do we decide which is the key parameter? We can use the semantics of the parameter names. Most programmers follow naming semantics when writing code, and many think only about implementing functionality while ignoring security vulnerabilities, which is how these flaws arise. Therefore, if the website has vulnerabilities such as unauthorized access, it is recommended that the website vulnerability repair service provider SINE Security check it.
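The following is an added example, not code from the original article or from SINE Security. It models a toy order-lookup endpoint in its vulnerable form (the order is fetched by the client-supplied order_id alone, so that parameter is a key controllable parameter) and in a hardened form (the owner is taken from the session and compared to the record), and then applies the single-variable control principle described above: change one parameter to another user's value, keep the rest fixed, and compare the response with the baseline. All users, sessions, order numbers, parameter names and function names are constructed for the example.

```python
"""Added example: vulnerable vs hardened order lookup, plus an IDOR checker that
changes one parameter at a time. All data below is constructed."""
from typing import Callable, Dict, Tuple

# Constructed store: user identity IDs, user attribute IDs (orders), sessions.
ORDERS = {
    5001: {"owner": 1001, "item": "laptop"},   # belongs to alice
    5002: {"owner": 1002, "item": "phone"},    # belongs to bob
}
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}  # session token -> user id

Response = Tuple[int, Dict]                       # (status, body) stand-in for HTTP
Handler = Callable[[str, Dict[str, str]], Response]


def _parse_order_id(params: Dict[str, str]):
    try:
        return int(params.get("order_id", ""))
    except ValueError:
        return None


def vulnerable_get_order(token: str, params: Dict[str, str]) -> Response:
    """Fetches the order by the client-supplied order_id only. The user_id
    parameter is ignored, so it is not controllable; order_id is the key
    controllable parameter and nothing ties it to the logged-in user."""
    if token not in SESSIONS:
        return 401, {"error": "not logged in"}
    oid = _parse_order_id(params)
    order = ORDERS.get(oid) if oid is not None else None
    if order is None:
        return 404, {"error": "no such order"}
    return 200, {"order_id": oid, **order}


def hardened_get_order(token: str, params: Dict[str, str]) -> Response:
    """Same endpoint, but the owner comes from the session and is compared to
    the record. A 404 (not 403) is returned for another user's order so the
    response does not confirm that the order number exists."""
    user_id = SESSIONS.get(token)
    if user_id is None:
        return 401, {"error": "not logged in"}
    oid = _parse_order_id(params)
    order = ORDERS.get(oid) if oid is not None else None
    if order is None or order["owner"] != user_id:
        return 404, {"error": "no such order"}
    return 200, {"order_id": oid, **order}


def find_horizontal_idor(handler: Handler, token: str, params: Dict[str, str],
                         other_user_values: Dict[str, str]) -> Dict[str, bool]:
    """Single-variable control: for each candidate parameter, replace only that
    one with a value known to belong to another account, keep the rest as
    recorded, and compare with the baseline response. A parameter is flagged
    when the mutated request still succeeds and returns data that differs
    from the session owner's own baseline (i.e. the other user's data).
    If no single change works, the key "all" reports the combined change,
    which is the next step the article describes."""
    baseline_status, baseline_body = handler(token, params)
    results: Dict[str, bool] = {}
    for name, other_value in other_user_values.items():
        mutated = dict(params)
        mutated[name] = other_value
        status, body = handler(token, mutated)
        results[name] = status == 200 and body != baseline_body
    if not any(results.values()):
        combined = dict(params)
        combined.update(other_user_values)
        status, body = handler(token, combined)
        results["all"] = status == 200 and body != baseline_body
    return results


if __name__ == "__main__":
    base = {"user_id": "1001", "order_id": "5001"}      # alice's own request
    bobs = {"user_id": "1002", "order_id": "5002"}      # values taken from bob's account
    print("vulnerable:", find_horizontal_idor(vulnerable_get_order, "tok-alice", base, bobs))
    print("hardened:  ", find_horizontal_idor(hardened_get_order, "tok-alice", base, bobs))
```

Against the vulnerable handler only order_id is flagged: changing user_id alone leaves the response identical to the baseline, which is exactly the "hijacked or fixed" case the article says is not controllable. Against the hardened handler no single or combined change succeeds. In a real test the two sessions and the second account's identifiers come from two accounts you own on the target, and the comparison is done on the captured HTTP bodies.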