Security Testing 简明教程
Security Testing - Hacking Web Applications
我们可以将各种方法论/方法用作执行攻击的参考。
There are various methodologies/approaches which we can make use of as a reference for performing an attack.
Web Application - PenTesting Methodologies
在制定攻击模型时可以考虑以下标准。
One can take into account the following standards while developing an attack model.
在以下列表中,OWASP 最为活跃,并且有许多贡献者。我们将重点关注 OWASP 技术,它在设计 Web 应用程序之前由每个开发团队考虑在内。
Among the following list, OWASP is the most active and there are a number of contributors. We will focus on OWASP Techniques which each development team takes into consideration before designing a web app.
OWASP Top 10
The Open Web Application Security Protocol team released the top 10 vulnerabilities that are more prevalent in web in the recent years. Below is the list of security flaws that are more prevalent in a web based application.
Application - Hands On
In order to understand each one of the techniques, let us work with a sample application. We will perform the attack on 'WebGoat', the J2EE application which is developed explicitly with security flaws for learning purposes.
The complete details about the webgoat project can be located https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project. To Download the WebGoat Application, Navigate to https://github.com/WebGoat/WebGoat/wiki/Installation-(WebGoat-6.0) and goto downloads section.
To install the downloaded application, first ensure that you do not have any application running on Port 8080. It can be installed just using a single command - java -jar WebGoat-6.0.1-war-exec.jar. For more details, visit WebGoat Installation
Post Installation, we should be able to access the application by navigating to http://localhost:8080/WebGoat/attack and the page would be displayed as shown below.
We can use the credentials of guest or admin as displayed in the login page.
Web Proxy
In order to intercept the traffic between client (Browser) and Server (System where Webgoat Application is hosted in our case), we need to use a web proxy. We will use Burp Proxy that can be downloaded from https://portswigger.net/burp/download.html
It is sufficient if you download the free version of burp suite as shown below.
Configuring Burp Suite
Burp Suite 是一个 Web 代理,可以截取浏览器和 Web 服务器发送和接收的每个信息包。这有助于我们在客户端向 Web 服务器发送信息之前修改内容。
Burp Suite is a web proxy which can intercept each packet of information sent and received by the browser and webserver. This helps us to modify the contents before the client sends the information to the Web-Server.
Step 1 − 应用程序已安装在端口 8080 上,Burp 已安装在端口 8181 上,如下图所示。启动 Burp 套件并进行以下设置,以便在端口 8181 上启用它,如下所示。
Step 1 − The App is installed on port 8080 and Burp is installed on port 8181 as shown below. Launch Burp suite and make the following settings in order to bring it up in port 8181 as shown below.
Step 2 − 我们应确保 Burp 正在侦听应用程序安装所在的端口 8080,以便 Burp 套件可以截获流量。应在 Burp 套件的范围选项卡上进行此设置,如下所示。
Step 2 − We should ensure that the Burp is listening to Port#8080 where the application is installed so that Burp suite can intercept the traffic. This settings should be done on the scope tab of the Burp Suite as shown below.
Step 3 − 然后将浏览器的代理设置设为侦听端口 8181(Burp 套件端口)。因此,我们已配置 Web 代理来截获客户端(浏览器)与服务器(Web 服务器)之间的流量,如下所示 −
Step 3 − Then make your browser proxy settings to listen to the port 8181 (Burp Suite port). Thus we have configured the Web proxy to intercept the traffic between the client (browser) and the server (Webserver) as shown below −
Step 4 − 配置的快照如下图所示,并附有简单的工作流图表
Step 4 − The snapshot of the configuration is shown below with a help of a simple workflow diagram as shown below
