Basic process of web security penetration test

1） Determine scope ： The scope of the test , Such as ：IP、 domain name 、 Intranet and extranet 、 site or Some modules .

2） Set the rules ： To what extent can it penetrate （ Until the vulnerability is found or Continue to exploit vulnerabilities ）、 The time limit 、 Can you modify the upload 、 Can the right be raised ...

· Introduction to the target system 、 Key protected objects and characteristics .

·  Whether data corruption is allowed ？

·  Whether it is allowed to block the normal operation of the business ？

·  Whether the contact person of relevant department should be informed before the test ？

·  Access mode ？ Extranet and Intranet ？

·  Testing is to find problems, even if you succeed , Or find as many problems as possible ？

·  Whether social engineering needs to be considered in the infiltration process ？

3） Determining demand ：
    web Application vulnerabilities ( New online program )？                              
     Business logic loopholes （ Business specific ）？                              
     Human rights management loopholes （ For people 、 jurisdiction ）？                              
     According to the needs and their own technical ability to determine whether they can do 、 How much can be done .

2. Analyze the risks

Obtain authorization to analyze possible risks during penetration testing , Such as the processing of a large number of test data 、 Affect the normal business development 、 An abnormal emergency occurred on the server 、 Data backup and recovery 、 Testing human and material costs ... The tester shall write the first draft of the implementation scheme and submit it to the customer （or Internal leaders of the company ） Review . After the audit , From customers （or Internal leaders of the company ） Obtain a written power of attorney for the tester , Authorize the testing party to conduct penetration test .

3. Information collection at the information collection stage

We need to collect as much information as possible about the goal web Various information of the application , such as ： The type of scripting language 、 The type of server 、 The structure of the directory 、 Open source software used 、 Database type 、 All linked pages , The framework used . The way ： Active scanning ; Open search Open Search ： Use search engines to get background information 、 Unauthorized page 、 sensitive url.

4. Leak detection （ Manual & Automatically ）

Use the information listed in the previous step , Use appropriate vulnerability detection .

Method ：1） Leakage and ：AWVS、AppScan...2） Combine the loopholes exploit-db Wait for a place to use 3） Looking for verification online POC.

Content ： System FLAW ： The system was not patched in time Websever Loophole ：Websever Configuration problem Web Application vulnerability ：Web Application development problems and other port service vulnerabilities ： Various 21/8080(st2)/7001/22/3389 Communication security ： Plaintext transmission ,token stay cookie Medium transmission, etc .

5. Vulnerability verification

Verify all the vulnerabilities found in the previous step that may be exploited successfully . According to the actual situation , Build a simulation environment to test , Apply it to the target after success .

· Automated verification ： Combined with the results of automated scanning tools

·  Manual verification ： Verify against public resources

·  Test verification ： Build your own environment for validation

·  Log in and guess ： Sometimes you can try to guess the login account password and other information

·  Business vulnerability verification ： If business loopholes are found , To verify

·  Open use of resources exploit-db/wooyun/ Penetration code website general 、 Default password, vulnerability warning of the manufacturer, etc

6. Information analysis

Prepare for the next step of penetration ：

Precision attack ： Be prepared for the vulnerabilities detected in the previous step exp（ Exploit ）, For precision attack .

Bypass the defense mechanism ： Whether there are firewalls and other devices , How to bypass the .

Custom attack path ： The best tool path , According to the weak entrance , High intranet permission location , ultimate objective .

Bypass detection mechanism ： Is there a detection mechanism , Traffic monitoring , Antivirus software , Malicious code detection, etc （ No killing ）.

Attack code ： After testing the code , Including but not limited to xss Code ,sql Injection statements, etc .

7. Exploit loopholes , get data

Attack ： According to the results of the previous steps , The attack .

Get internal information ： infrastructure （ network connections ,vpn, route , Topology, etc ）.

To penetrate further ： Intranet intrusion , Sensitive targets .

Persistence ： Generally, there is no need to penetrate customers .rookit, back door , Add management account , Garrison tactics, etc .

Clean up traces ： Clean up the relevant logs （ visit , operation ）, Upload files, etc .

8. Information sorting

Sort out the penetration tools ： Sort out the code used in the infiltration process ,poc,exp etc. .

Organize and collect information ： Sort out all the information collected during the infiltration process .

Sort out vulnerability information ： Sort out all kinds of loopholes in the process of infiltration , All kinds of fragile location information .

Purpose ： For the final report , Form test results using .

9. Form a report

Organize as needed ： Follow the first step to determine the scope with the customer , Need to sort out the data , And report the data .

Supplementary introduction ： We need to understand the causes of the loopholes , Verification process and hazard analysis .

Repair suggestions ： Of course, we should put forward reasonable, efficient and safe solutions to all the problems .