
1 What is security testing

Security testing is software testing that finds the vulnerabilities, threats and risks in a software application so that malicious attacks from intruders can be prevented. Its purpose is to identify all the vulnerabilities and weaknesses of a software system that could lead to loss of information, loss of revenue or reputational damage to an organization, whether caused by its own employees or by outsiders.

The goal of security testing is to identify the threats to a system and measure its potential vulnerabilities, so that the system does not stop functioning and cannot be exploited. It also helps to find all possible security risks in the system and helps developers fix them in the code.

1.1 Security testing principles

Confidentiality - Prevents disclosure of information to unintended recipients.
Integrity - Ensures that information is transmitted accurately and without alteration from the sender to the intended recipient.
Authentication - Verifies and confirms the identity of the user.
Authorization - Specifies the access rights of users to resources.
Availability - Ensures that information and services are ready for use when they are needed.
Non-repudiation - Ensures that the sender or receiver of a message cannot later deny having sent or received it.
1.2 Common Security Vulnerabilities
1.2.1 SQL injection. Term explanation: SQL injection (SQL Injection), also called injection attack, is widely used to illegally obtain control of websites and is a security vulnerability that occurs at the database layer of an application. When the program is written, checks for SQL commands carried inside input strings are neglected, so the database mistakes the attacker's input for a normal SQL command and runs it. The database is thereby attacked, which can lead to data being stolen, changed or deleted, and even to system commands being executed, and further to the website being seeded with malicious code, implanted with backdoor programs and other harm.

1.2.2 File upload. Term explanation: a file upload vulnerability means that the program code does not strictly analyze and check the files submitted by the user, so that an attacker can upload an executable code file and obtain control of the web application (Getshell).

1.2.3 Access control vulnerabilities. Term explanation: access control refers to the permission control applied to every user access to the system, and usually covers horizontal and vertical permissions. Access control issues are logical vulnerabilities that can occur in any business system; they are hard to find with scanners or to block with routine security tools, and they are a frequent cause of large-scale user data leakage incidents.

Horizontal privilege escalation: a problem between users at the same permission (role) level, for example user A can access user B's data without authorization.
Vertical privilege escalation: a problem between users at different permission (role) levels, for example an ordinary user can perform administrative operations without authorization, or a user who is not logged in can access functions that require authorization.
1.2.4 Brute-force cracking. Term explanation: brute-force cracking means that the attacker sends a large number of requests to the target by enumeration or from a dictionary, and identifies the correct credential from the characteristics of the returned packets, thereby bypassing the verification mechanism. Because the databases of many websites have been leaked, attackers can choose far more targeted samples (real user names and passwords), so the success rate of brute-force attacks keeps rising.

1.2.5 Denial of service. Definition: a denial of service attack (DoS, Denial of Service) uses seemingly reasonable requests to exhaust resources and make the service unavailable. It is divided into attacks against the web application layer and attacks against the client/app.

1.2.6 Sensitive information leakage. Term explanation: sensitive information leakage refers to a vulnerability in which data that should not be accessible from outside, such as user information, enterprise employee information and internal data, is exposed through websites, interfaces, external storage and so on. Information leakage vulnerabilities can lead to large amounts of user or enterprise information being used maliciously, to fraud, account theft and the like, with serious adverse effects on both users and the enterprise. And once information has leaked, the impact is hard to undo.

1.2.7 Business logic vulnerabilities. Term explanation: business logic vulnerabilities are flaws in a process or in its logic caused by incomplete consideration during business design. For example, if the interface that sends text messages is not rate-limited, an attacker can call it without restriction, maliciously consuming the company's SMS budget and harassing users. Because business logic vulnerabilities are tightly bound to the business itself, conventional security equipment cannot detect them effectively; most of them must be analyzed and tested manually from the business scenario and its characteristics.

1.2.8 Cross-site scripting (XSS)
Term explanation: cross-site scripting (XSS, Cross Site Script) usually refers to an attack in which the attacker tampers with a web page through "HTML injection" and inserts a malicious script, thereby controlling the user's browser when the user views the page. XSS vulnerabilities can be used for identity theft (especially of administrators), behaviour hijacking, bots, worms, phishing and so on. XSS is currently the most important vulnerability in client-side web security.

XSS can be divided into the following three types according to how it takes effect.

Reflected XSS: the page simply echoes the user's input back into the page or its source; the user must be induced to click a crafted link for the attack to succeed.
Stored XSS: the attack code is stored on the server. Because users may browse the affected page of their own accord, this type is more harmful.
DOM-based XSS: the XSS is produced by modifying the page's DOM nodes; strictly speaking it can also be classified as reflected XSS.
1.2.9 Cross-site request forgery (CSRF)
Term explanation: cross-site request forgery (CSRF, Cross Site Request Forgery). Because all the parameters of an important operation can be guessed by the attacker, the attacker can forge the request and have it submitted under the victim's identity (the browser attaches the victim's session cookie to the forged request automatically), completing operations such as publishing articles, purchasing goods, transferring money, modifying data and even changing the password.
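As an added example (not code from the article), the handler below shows the CSRF problem and the usual fix: a per-session anti-forgery token that the attacker's page can neither read nor forge. The secret key, the session table and the request dictionaries are all constructed for the demonstration; a real application would load the key from configuration and read the request from the web framework.

```python
import hashlib
import hmac
import secrets

# Assumptions for the example: a server-side key loaded from configuration, and a
# session store. Both are constructed here.
SECRET_KEY = b"replace-with-a-random-key-from-config"
SESSIONS = {"sess-victim": "victim", "sess-attacker": "attacker"}

def issue_csrf_token(session_id):
    # A random nonce bound to the session with an HMAC. The attacker's page cannot
    # read it (same-origin policy) and cannot forge it without SECRET_KEY.
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, (session_id + ":" + nonce).encode(), hashlib.sha256).hexdigest()
    return nonce + "." + mac

def csrf_token_valid(session_id, token):
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SECRET_KEY, (session_id + ":" + nonce).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)   # constant-time comparison

def transfer_vulnerable(request):
    # Trusts the session cookie alone. The browser attaches that cookie to a form
    # submitted from the attacker's site as well, so the forged request is accepted.
    if request["cookies"].get("session") not in SESSIONS:
        return "login required"
    return "transferred %s to %s" % (request["form"]["amount"], request["form"]["to"])

def transfer_safe(request):
    sid = request["cookies"].get("session")
    if sid not in SESSIONS:
        return "login required"
    if not csrf_token_valid(sid, request["form"].get("csrf_token")):
        return "rejected: missing or invalid CSRF token"
    return "transferred %s to %s" % (request["form"]["amount"], request["form"]["to"])

if __name__ == "__main__":
    # Constructed request the victim's browser sends after visiting the attacker's
    # page: the session cookie is present, the token is not.
    forged = {"cookies": {"session": "sess-victim"},
              "form": {"amount": "1000", "to": "attacker"}}
    print(transfer_vulnerable(forged))
    print(transfer_safe(forged))
```

The token must be compared with `hmac.compare_digest` and bound to the session; a token that is the same for every user, or that is also readable from a cookie the attacker's page can send, does not help.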

2 Why do security testing

When security is mentioned, the part of a product or website that most needs stronger protection is the database. If security testing is missing, the database is gradually exposed to skilled attackers using blind SQL injection: the database type, table structure, field names and detailed user information can all be extracted, there are countless techniques for doing so, and the attacker gets an "unobstructed" view.

2.1 Permissions. A website generally stipulates what each kind of user may do. For example, a moderator can modify everyone's posts, an ordinary user can only edit their own posts, and a visitor can only read posts. Those are simple permissions. Without security guarantees, it is easy for someone to step outside their permissions and do things they should not be able to do.

2.2 Modifying submitted data. Take an online shop as an example: if the submitted price is captured with a packet-capture tool, modified and re-sent, the modified request may still be accepted. Simply put, an item that originally costs 100 yuan can be bought successfully by changing the captured packet to 1 yuan. This is a huge hidden danger.

2.3 Security risks such as cross-site scripting
HTML injection. Every HTML injection example just injects a JavaScript pop-up alert box: alert(1).
Doing real damage. If the alert box is not exciting enough, there are all sorts of malicious things an attacker can do once a victim clicks a link to a page that has been injected with HTML code.
Trapping the victim, for example redirecting them to a phishing site, so that they suffer losses.
2.4 Verification of sensitive words. For example, on the website or app of a government department a user could enter content that violates the current system, or the names of certain leaders. The impact of this is very large, so it must be prevented.

3 How to do security testing

Security testing is a process in the life cycle of an IT software product, especially from the point where product development is essentially complete through to release, in which the product is inspected to verify that it meets the defined security requirements and product quality standards. That said, security testing runs through the entire life cycle of the software. The following figure describes the security testing activities at each stage of the software life cycle.
(figure: security testing activities at each stage of the software life cycle)

Risk analysis, static analysis and penetration testing in the figure all belong to security testing. Compared with ordinary testing, security testing requires a change of perspective and a change in the role being simulated during the test. The differences between conventional testing and security testing are compared along the following dimensions.

3.1 Different objectives. Ordinary testing aims to find bugs; security testing aims to discover potential security hazards.

3.2 Different assumptions. Ordinary testing assumes that the data causing a problem comes from user carelessness, and generally considers only the user interface; security testing assumes that the data causing the problem is deliberately constructed by an attacker, so all possible attack methods must be considered.

3.3 Different domains of thinking. Ordinary testing takes the functions of the system as its domain; the domain of security testing covers not only the functions of the system but also its mechanisms, its external environment, application and data security risks, and its security attributes.

3.4 Different ways of discovering problems. Ordinary testing looks for violations of the function definition; security testing looks for violations of permission and capability constraints.

4 Summary of practice at work

4.1 Sensitive word verification

Steps:

Enter and search for sensitive words in mini programs, H5 pages and official websites wherever there is an input box.
Verify whether the sensitive words are intercepted. If they are intercepted, the behaviour is normal; if they are not intercepted, there is a security problem.
Mini program verification: (figure)
Official website verification: (figure)

4.2 Plaintext transmission

Check whether sensitive content is transmitted in plaintext or in ciphertext. Modules involved: login, payment, registration (mobile phone number, ID card number, email address).

Steps:

Capture packets in the scenarios where sensitive information is transmitted.
Analyze whether the relevant sensitive fields in the packets are in plaintext.
For example, in the interface below the mobile phone number, landline number and name are all in plaintext: (figure)
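The second step can be partly automated. The following added example (not part of the article) takes the URL, content type and body copied from a captured request, constructed here as test data, and flags fields whose values look like a mainland China mobile number, an 18-digit ID card number, an email address, or a password field sent in the clear. The field names in `SECRET_FIELDS` and the sample request are assumptions made for the example.

```python
import json
import re
from urllib.parse import parse_qsl

# Value shapes that should never travel in the clear. The mobile and ID patterns are
# for mainland China formats, which is what the page's examples use.
PATTERNS = {
    "mobile number": re.compile(r"1[3-9]\d{9}"),
    "ID card number": re.compile(r"\d{17}[\dXx]"),
    "email address": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),
}
# Field names (assumed) whose value is a secret regardless of its shape.
SECRET_FIELDS = {"password", "pwd", "passwd", "pay_password", "card_no", "cvv"}
# Hex digests of MD5/SHA-1/SHA-256 length: a crude sign that the value was at least
# transformed client-side. Such hashing is NOT encryption and NOT a substitute for TLS.
HEX_DIGEST = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", re.IGNORECASE)

def parse_body(content_type, body):
    """Flatten a form-encoded or JSON request body into {field: value} strings."""
    if "json" in content_type.lower():
        return {str(k): str(v) for k, v in json.loads(body).items()}
    return dict(parse_qsl(body, keep_blank_values=True))

def find_plaintext(request):
    """request = {'url', 'content_type', 'body'} as copied from a packet capture.
    Returns (field, finding) pairs; an empty list means nothing obvious was in the clear."""
    findings = []
    if not request["url"].lower().startswith("https://"):
        findings.append(("url", "not HTTPS: everything below is readable on the wire"))
    for field, value in parse_body(request["content_type"], request["body"]).items():
        matched = False
        for kind, pattern in PATTERNS.items():
            if pattern.fullmatch(value):
                findings.append((field, kind + " in plaintext"))
                matched = True
                break
        if not matched and field.lower() in SECRET_FIELDS and not HEX_DIGEST.fullmatch(value):
            findings.append((field, "secret in plaintext"))
    return findings

if __name__ == "__main__":
    # Constructed capture of a registration request (fake number, ID and password).
    captured = {"url": "http://example.test/api/register",
                "content_type": "application/x-www-form-urlencoded",
                "body": "name=Zhang+San&mobile=13812345678&id_no=11010119900307123X&password=123456"}
    for field, finding in find_plaintext(captured):
        print("%-10s %s" % (field, finding))
```

A clean result from this check only means the obvious cases are absent; the real control is TLS for the whole session plus a server-side design that never needs the raw ID number in the request at all.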

4.3 Unauthorized access test

Check whether administrator or other users' information can be obtained directly through a URL.

Steps:

Check whether the URL contains sensitive directories such as admin/user/system/pwd.
When the system has several administrators with different permissions, check whether an administrator with lower permissions can access resources managed at a higher permission level.
When the system has several users who must log in, log in as user A and record the URLs of the personal resources browsed and of the modify and delete operations; then log out, log in as user B, and access the recorded URLs directly to see whether the access or the operation succeeds.
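As an added example covering sections 1.2.3 and 4.3 (not code from the article), the handlers below show both escalation types and the object-level check that fixes them, plus a `replay_as` helper that performs step 3 above: the identifiers recorded as user A are replayed under user B's session and anything that still succeeds is a finding. Sessions, users and orders are constructed test data.

```python
# Constructed sample data: two ordinary users and one admin, each with an order.
USERS = {"sessA": {"id": 1, "role": "user"},
         "sessB": {"id": 2, "role": "user"},
         "sessAdmin": {"id": 9, "role": "admin"}}
ORDERS = {101: {"owner": 1, "item": "laptop"},
          102: {"owner": 2, "item": "phone"}}

class Forbidden(Exception):
    pass

def get_order_vulnerable(session, order_id):
    # Only checks that the caller is logged in; any valid session can read any order
    # by changing the id in the URL (horizontal privilege escalation).
    if session not in USERS:
        raise Forbidden("login required")
    return ORDERS[order_id]

def get_order_safe(session, order_id):
    user = USERS.get(session)
    if user is None:
        raise Forbidden("login required")
    order = ORDERS.get(order_id)
    # Object-level check: the caller must own the record or hold the admin role.
    # A missing record gets the same error so ids cannot be enumerated.
    if order is None or (order["owner"] != user["id"] and user["role"] != "admin"):
        raise Forbidden("not your resource")
    return order

def delete_user_vulnerable(session, target_id):
    # Administrative action gated only by "logged in" (vertical privilege escalation).
    if session not in USERS:
        raise Forbidden("login required")
    return "deleted user %d" % target_id

def delete_user_safe(session, target_id):
    user = USERS.get(session)
    if user is None or user["role"] != "admin":
        raise Forbidden("admin only")
    return "deleted user %d" % target_id

def replay_as(handler, recorded_ids, session):
    """Section 4.3 step 3: replay identifiers recorded as user A under another
    session. Returns the ids that still succeed; a non-empty list is a finding."""
    leaked = []
    for rid in recorded_ids:
        try:
            handler(session, rid)
            leaked.append(rid)
        except Forbidden:
            pass
    return leaked

if __name__ == "__main__":
    print("horizontal, vulnerable:", replay_as(get_order_vulnerable, [101], "sessB"))
    print("horizontal, fixed:     ", replay_as(get_order_safe, [101], "sessB"))
    print("vertical, vulnerable:  ", replay_as(delete_user_vulnerable, [1], "sessB"))
    print("vertical, fixed:       ", replay_as(delete_user_safe, [1], "sessB"))
```

The check has to run on every request that names a resource; hiding the link in the UI, or checking the role on the page but not on the API behind it, is exactly what the replay test is designed to catch.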
4.4 Illegal injection test

Check whether the system filters and escapes input. Modules involved: search boxes, input boxes, remark fields, file upload, URL.

Steps:

Append an XSS test statement (one that triggers the JavaScript alert(1) pop-up described in section 2.3) to the system URL and see whether a pop-up box appears.
Enter the same test statement in search boxes, input boxes and remark fields and see whether a pop-up box appears.
Official website verification: (figure)
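To show what the pop-up test in section 4.4 is actually detecting, here is an added example (not from the article) of a reflected-XSS page rendered with and without output escaping, in both the body and the attribute context, together with the tester-side check that the payload came back verbatim. The payloads are the alert(1) pattern of section 2.3 and are constructed test input.

```python
import html

# Constructed test inputs: the alert(1) pattern from section 2.3, and an attribute
# break-out variant for inputs echoed inside a quoted attribute.
XSS_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'

def render_search_vulnerable(query):
    # Reflected XSS: the input is echoed into the HTML body unchanged.
    return "<p>Results for: %s</p>" % query

def render_search_safe(query):
    # html.escape turns < > & " ' into entities, so the browser shows text, not markup.
    return "<p>Results for: %s</p>" % html.escape(query, quote=True)

def render_input_vulnerable(query):
    # Same bug inside an attribute: a quote in the input closes value="..." early
    # and the remainder becomes a new event-handler attribute.
    return '<input name="q" value="%s">' % query

def render_input_safe(query):
    # quote=True (the default) is what protects the attribute context.
    return '<input name="q" value="%s">' % html.escape(query, quote=True)

def reflected_unescaped(page, payload):
    """Tester-side check for section 4.4: the payload comes back byte-for-byte,
    which is what the pop-up in the browser would confirm."""
    return payload in page

if __name__ == "__main__":
    for name, render in [("body, vulnerable", render_search_vulnerable),
                         ("body, escaped", render_search_safe)]:
        page = render(XSS_PAYLOAD)
        print("%-18s reflected=%s  %s" % (name, reflected_unescaped(page, XSS_PAYLOAD), page))
    for name, render in [("attr, vulnerable", render_input_vulnerable),
                         ("attr, escaped", render_input_safe)]:
        page = render(ATTR_PAYLOAD)
        print("%-18s reflected=%s  %s" % (name, reflected_unescaped(page, ATTR_PAYLOAD), page))
```

Escaping must match the context the value lands in: `html.escape` is correct for element text and quoted attributes, but a value inserted into a `<script>` block or a URL needs JavaScript-string or URL encoding instead.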

4.4.1 File upload

Steps:

Put the same alert test statement into the uploaded file and name the file test.
Click Upload, inspect the upload request, change the uploaded file name to an .html file, and then access the file. If it can be accessed, there is a problem; if it cannot be accessed, the behaviour is normal.

4.4.2 File download

Steps:

Click File Download, inspect the download request and record it.
Modify the download request, for example by inserting /../ into the path, and try to download files from other directories. If they can be downloaded, there is a problem; if they cannot, the behaviour is normal.
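The following added example (not code from the article) covers sections 1.2.2, 4.4.1 and 4.4.2 together: a naive upload handler that stores the client's file name as given (so a renamed `test.html` is later served), the hardened version that allow-lists the extension and uses a server-generated name, and the matching download handler with and without a path-traversal check. The upload root and extension list are assumptions; nothing is written to disk.

```python
import os
import pathlib

# Assumed storage layout for the example; nothing is written to disk.
UPLOAD_ROOT = pathlib.Path("/var/app/uploads")
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}

def upload_path_vulnerable(client_filename):
    # Trusts the client-supplied name: "test.html" (or "../x.php") is stored as given
    # and later served straight out of the upload directory.
    return UPLOAD_ROOT / client_filename

def upload_path_safe(client_filename, server_id):
    """Keeps only the extension from the client, checks it against an allow-list,
    and stores the file under a server-generated name (server_id, e.g. a UUID)."""
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = pathlib.Path(base).suffix.lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("file type not allowed: %r" % ext)
    return UPLOAD_ROOT / ("upload_%s%s" % (server_id, ext))

def download_path_vulnerable(requested):
    # Joins the user-controlled path straight onto the root; "../" walks out of it.
    return pathlib.Path(os.path.normpath(os.path.join(UPLOAD_ROOT, requested)))

def download_path_safe(requested):
    root = UPLOAD_ROOT.resolve()
    candidate = (root / requested).resolve()   # collapses ../ and symlinks
    # The resolved path must lie strictly inside the root. An absolute `requested`
    # replaces the root when joined, and is rejected by the same test.
    if root not in candidate.parents:
        raise ValueError("path traversal rejected: %r" % requested)
    return candidate

def rejected(fn, *args):
    """True if the handler refuses the input (used by the demonstration and tests)."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    print(upload_path_vulnerable("test.html"))
    print(rejected(upload_path_safe, "test.html", "3f9a"))        # True
    print(upload_path_safe("../../test.PNG", "3f9a"))
    print(download_path_vulnerable("../../../etc/passwd"))        # /etc/passwd
    print(rejected(download_path_safe, "../../../etc/passwd"))   # True
```

Two practical caveats: the extension check is a filename check only, so the upload directory should additionally be served without script execution and, ideally, from a separate domain; and the download check must be done on the resolved path, since string checks for `..` are bypassed by encodings the server decodes later.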
4.5 SMS and email verification

Modules involved: all scenarios that trigger SMS or email verification codes.

Steps:

Operate the password retrieval and verification code functions and record the interface that sends the code.
Call the password retrieval and verification code interfaces repeatedly to see whether there is any interception that prevents SMS flooding.
Inspect the verification code interface to see whether the verification code itself can be read from the interface response.
The SMS anti-flooding protection of the JD Express H5 page is shown below: (figure)

4.6 Password robustness test

Check whether the password and verification code checks are reliable, and whether they can be brute-forced by guessing until a hit.

Steps:

Login uses the company's unified login passport (single sign-on), so it can be skipped here.
In verification code scenarios, use a packet-capture tool to modify the password and verification code in the request, and try entering a wrong verification code many times.
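As an added example for sections 1.2.4, 4.5 and 4.6 (not code from the article or from JD's systems), the class below is the server-side logic those tests are probing: a sliding-window limit on code sends per phone number and per client IP, a code that expires, is single-use and is invalidated after a fixed number of wrong guesses, and an API response that never contains the code. The limits, the injected clock and the phone numbers are assumptions made for the example.

```python
import collections
import hmac
import secrets

class SmsGuard:
    """Rate-limits verification-code sends and bounds guesses against each code.
    `now` is passed in (seconds) so the behaviour is deterministic and testable."""

    def __init__(self, per_phone=5, per_ip=20, window=3600, max_attempts=5, code_ttl=300):
        self.per_phone, self.per_ip, self.window = per_phone, per_ip, window
        self.max_attempts, self.code_ttl = max_attempts, code_ttl
        self.sends = collections.defaultdict(list)   # "phone:..." / "ip:..." -> send times
        self.codes = {}                               # phone -> [code, expiry, attempts]

    def _count(self, key, now):
        recent = [t for t in self.sends[key] if now - t < self.window]
        self.sends[key] = recent
        return len(recent)

    def request_code(self, phone, ip, now):
        """The 'get verification code' interface of section 4.5."""
        if self._count("phone:" + phone, now) >= self.per_phone:
            return "rejected: too many codes for this number"
        if self._count("ip:" + ip, now) >= self.per_ip:
            return "rejected: too many codes from this address"
        self.sends["phone:" + phone].append(now)
        self.sends["ip:" + ip].append(now)
        code = "%06d" % secrets.randbelow(10 ** 6)   # CSPRNG, 6 digits
        self.codes[phone] = [code, now + self.code_ttl, 0]
        # The code goes to the SMS gateway only; the API answer carries just a status
        # (step 3 of section 4.5 checks that it is not echoed back).
        return "sent"

    def verify(self, phone, submitted, now):
        """The check that section 4.6 attacks by replaying wrong codes."""
        entry = self.codes.get(phone)
        if entry is None or now > entry[1]:
            return False                       # no code or expired
        entry[2] += 1
        if entry[2] > self.max_attempts:
            del self.codes[phone]              # too many guesses: code is burnt, a
            return False                       # new one must be requested (rate-limited)
        if hmac.compare_digest(entry[0], submitted):
            del self.codes[phone]              # one-time use
            return True
        return False

if __name__ == "__main__":
    guard = SmsGuard(per_phone=3, window=60, max_attempts=3)
    for t in range(4):                      # fourth request within the window is refused
        print(t, guard.request_code("13800000000", "203.0.113.5", t))
    real = guard.codes["13800000000"][0]    # only the SMS gateway would see this
    for t in range(4):                      # 6-digit code, 3 tries: 1,000,000 guesses are not available
        print("guess", t, guard.verify("13800000000", "000000", 10 + t))
    print("real code after lockout:", guard.verify("13800000000", real, 20))   # False
```

With a six-digit code and five attempts the attacker's chance per code is 5 in 1,000,000; the per-phone send limit stops them from simply requesting fresh codes to reset the counter, and the per-IP limit stops one source from burning SMS budget across many numbers.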
4.7 Data security detection

Check whether sensitive data is stored securely in the system.

Steps:

Check whether sensitive data is stored encrypted; look at the corresponding database tables to prevent information leakage if the database is dumped.
Check whether sensitive data is masked on the operation interface, for example password show/hide options and how mobile phone numbers and ID numbers are displayed.
Check that data settings are safe, for example the boundary values of money input fields: what happens when the input reaches or exceeds the maximum amount.
Regularly check whether sensitive data in the database has been masked: (figure)
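The following added example (not code from the article) shows what "stored securely" and "masked on the interface" look like in code: passwords stored as salted PBKDF2-HMAC-SHA256 hashes rather than encrypted or in the clear, verified with a constant-time comparison, and display-side masking for mobile numbers, ID card numbers and email addresses. The iteration count and the sample values are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 600_000   # assumed work factor; raise it as hardware gets faster

def hash_password(password, salt=None):
    """Returns a self-describing record: algorithm$rounds$salt$digest.
    A per-user random salt means two users with the same password get different
    records, and a dumped table cannot be attacked with one precomputed list."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), digest.hex())

def verify_password(password, stored):
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    calc = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(calc.hex(), digest_hex)

# Display-side masking (the checks in step 2): show enough to recognise the record,
# never enough to reuse it.
def mask_mobile(mobile):
    return mobile[:3] + "****" + mobile[-4:] if len(mobile) == 11 else "*" * len(mobile)

def mask_id_card(idno):
    return idno[:6] + "*" * (len(idno) - 10) + idno[-4:] if len(idno) >= 12 else "*" * len(idno)

def mask_email(email):
    local, _, domain = email.partition("@")
    return (local[:1] + "***@" + domain) if domain else "*" * len(email)

if __name__ == "__main__":
    record = hash_password("S3cret!")
    print(record)                                  # what the users table should contain
    print(verify_password("S3cret!", record))      # True
    print(verify_password("s3cret!", record))      # False
    print(mask_mobile("13812345678"), mask_id_card("11010119900307123X"),
          mask_email("zhangsan@example.test"))     # constructed sample values
```

Hashing is the right treatment for passwords because the system never needs the original value back; phone and ID numbers, which it does need, are the case for reversible encryption with a key kept outside the database, plus masking wherever they are shown.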

4.8 Payment

Scenario modules involved: pay first, pay later, pay via Dada, negotiate and then pay.

Steps:

For example, when online payment, Dada payment or negotiate-then-pay is invoked at the cashier desk together with WeChat Pay, check how the payment interface is called.
Check whether the amount on the payment page is correct and whether it can be negative.
Check whether the payment password can be intercepted from the payment interface.
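As an added example (not code from the article) for the price-tampering case in section 2.2, the amount boundary check in section 4.7 and the amount checks above, `checkout_vulnerable` charges whatever total the client submitted, while `checkout_safe` recomputes the total from a server-side catalog, bounds quantity and amount, and refuses to proceed if the total the client displayed differs from the server's figure. The catalog, limits and order forms are constructed test data.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side catalog: the only source of truth for prices.
CATALOG = {"sku-100": Decimal("100.00"), "sku-250": Decimal("250.00")}
MAX_ORDER_AMOUNT = Decimal("50000.00")   # assumed business limit
MAX_QTY = 99

def checkout_vulnerable(form):
    # Charges whatever total the client sent: the 100 yuan -> 1 yuan tampering case.
    return Decimal(form["total"])

def checkout_safe(form):
    """Recomputes the total from the catalog and the submitted quantities, rejects
    quantities and amounts outside their boundaries, and refuses to proceed if the
    total shown to the user differs from the server's figure. Returns (ok, detail)."""
    total = Decimal("0")
    for item in form.get("items", []):
        price = CATALOG.get(item.get("sku"))
        if price is None:
            return False, "unknown sku %r" % item.get("sku")
        try:
            qty = int(item.get("qty", ""))
        except ValueError:
            return False, "bad quantity"
        if not 1 <= qty <= MAX_QTY:               # negative or zero quantities flip the sign
            return False, "quantity %d out of range" % qty
        total += price * qty
    if total <= 0 or total > MAX_ORDER_AMOUNT:    # boundary check from section 4.7
        return False, "amount %s out of range" % total
    if "total" in form:
        # The client's figure is only compared, never used; a mismatch means the
        # page was tampered with or is stale, and the order must not proceed.
        try:
            claimed = Decimal(str(form["total"]))
        except InvalidOperation:
            return False, "bad total"
        if claimed != total:
            return False, "client total %s != server total %s" % (claimed, total)
    return True, total

if __name__ == "__main__":
    # Constructed request after the captured total was changed from 100.00 to 1.00.
    tampered = {"items": [{"sku": "sku-100", "qty": "1"}], "total": "1.00"}
    print("vulnerable charges:", checkout_vulnerable(tampered))
    print("safe:", checkout_safe(tampered))
    print("negative qty:", checkout_safe({"items": [{"sku": "sku-250", "qty": "-1"}]}))
```

The same rule applies to discounts and coupons: the client may send an identifier, but the amount it is worth is looked up and applied on the server, with `Decimal` rather than floating point so that 0.1 + 0.2 style rounding cannot be exploited either.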

Author: Su Youpeng


京东云开发者 (JD Cloud Developers)

JD Cloud Developers (Developer of JD Technology) is JD Cloud's platform for technical sharing and exchange among developers in AI, cloud computing, IoT and related fields.