Application Security Per-Engagement
1、 an SQLi vulnerability will allow you to do the following
- query the database using select statement forezample users table. you might get the password or usersname
- Bypass the login page executing successfuly query results
- Execute system commands in the database in oreder compromise the web server
- Execute inserts.delete commands to manipulate the records in the database
2、Command Injection
we can append other commands after the variable and the application will be to execute it for us , my goal is to make the backend execute someting like this [nslookup [domain name variable ] && [other command ]
3、OWASP top 10
Injection-----> when a attacker can inject and execute a custom command in the backend because of missing sanitization,besides it ,command Injection are more like LDAP、XPath、NoSQLo XML Parsers、STMTP Header
Broken Authentication ------> a hacker finds the user's idntity, credentials bouth name and password or web session
Sesitive Data 、 XML External Entities \ Broken Access Control \ Security Misconfig \Cross-site Scripting \ Insecure Deserialization \ Using Components with know vulnerability\ Insufficient logging
4、邮件信息收集
theharverster -d [目标网络域名地址] -l [邮件地址数量] -b [使用的搜索的公共知识库] eg : theharvester -d yalong.cn -l 20 -b baidu
5、 use Whois search DNS and ip register name and phone number and email
step one we can use the Whois.net the url: http:www.whois.net or another website is NetCraft the url :https://www.netcraft.com/
step two: use the command whois ,the screenshout as follow
another wegit tools is host it can translate ip to hostname
nslookup id find DNS
Application Security Per-Engagement的更多相关文章
- 安装数据库Mocrosoft.NET Application Security警告
在安装sqlserver 2012的时候,出现了Mocrosoft.NET Application Security警告,这个时候可以检查是否联网,如果没有联网请连接上,然后重新检查就不再警告了.如果 ...
- IOS Application Security Testing Cheat Sheet
IOS Application Security Testing Cheat Sheet [hide] 1 DRAFT CHEAT SHEET - WORK IN PROGRESS 2 Int ...
- Web Application Security(Web应用安全)
Web Application Security 1.web应用面临的主要安全问题 1)黑客入侵:撞库拖库.网页篡改.后门木马.加密勒索.数据泄露 2)恶意内容 2.web应用安全现状 1)网站安全问 ...
- iOS Application Security
文章分A,B,C,D 4个部分. A) iOS Application Security 下面介绍iOS应用安全,如何分析和动态修改app. 1)iOS Application security Pa ...
- Spring Security(三十七):Part IV. Web Application Security
Most Spring Security users will be using the framework in applications which make user of HTTP and t ...
- Network Security Services If you want to add support for SSL, S/MIME, or other Internet security standards to your application, you can use Network Security Services (NSS) to implement all your securi
Network Security Services | MDN https://developer.mozilla.org/zh-CN/docs/NSS 网络安全服务 (NSS) 是一组旨在支持支持安 ...
- ModSecurity web application firewall (WAF) Research
catalog . 引言 . OWASP ModSecurity Core Rule Set (CRS) Project . Installation mod_security for Apache ...
- Page Security
参见开发文档 Overview This document describes how to build applications that grant selected access to indi ...
- Linux LSM(Linux Security Modules) Hook Technology
目录 . 引言 . Linux Security Module Framework Introduction . LSM Sourcecode Analysis . LSMs Hook Engine: ...
随机推荐
- [转帖]golang操作mysql使用总结
golang操作mysql使用总结 https://www.cnblogs.com/hanyouchun/ 讲解的很详细~ 前言 Golang 提供了database/sql包用于对SQL数据库的访问 ...
- 怎么使Richedit中光标始终指到最后一行的最后面?
Richedit中数据会不断增加.要始终能看到当前的数据.该怎么做? SendMessage(Memo->Handle, WM_VSCROLL, SB_BOTTOM, 0); SendMessa ...
- pycharm设置主题
步骤很简单: 1.下载皮肤主题(jar) 去 http://www.themesmap.com/ 选择自己喜欢的主题下载 2.导入皮肤主题 导入方法:file–>Import Setting–& ...
- python之异常处理和re模块补充
一.re模块的补充 1.从一个字符串中获取要匹配的内容 findall:返回一个列表 2.search ***** 验证用户输入内容 '^正则规则$':返回一个对象,用group()取值 3.matc ...
- 【BZOJ5491】[HNOI2019]多边形(模拟,组合计数)
[HNOI2019]多边形(模拟,组合计数) 题面 洛谷 题解 突然特别想骂人,本来我考场现切了的,结果WA了几个点,刚刚拿代码一看有个地方忘记取模了. 首先发现终止态一定是所有点都向\(n\)连边( ...
- NEED TO DO
任务清单 计算几何 KDtree 容斥 后缀自动机套数据结构 FFT 四边形不等式/决策单调性优化 欧拉路 KM算法 BM算法 数论 min25筛 后缀数组 吉司机线段树 生成函数 ...
- pycharm pip安装包
第一种方式为命令行模式,在pycharm界面按alt+F12调出命令行窗口,在窗口内输入pip install matplotlib回车即可,如图1所示 方法二:使用菜单项File——settings ...
- 打怪升级之路—Security+认证通关攻略(401还是501)
我花了一个月才把题目过完一遍的(这一个月都上班,下班抽空做几页),这里面走了很多弯路,我把备考过程整理出来希望对大家有帮助. 我是在2019年1月完成的Security+考试,离安全牛课堂直播培训结束 ...
- codeforces-1138 (div2)
想法题是硬伤,面对卡题和卡bug的情况应对能力太差 A.求两个前缀和以及两个后缀和,相邻最小值的最大值. #include<iostream> using namespace std; ; ...
- Linux grep \t Tab 键失效
解决方法 1.'$' 有一个日志文件, 比如说有两列, 中间使用 \t制表符分割了. 则在grep查找的时候 使用: '$'\t''\+ 代替我们的\t制表符 - 2.-P grep -P '\ ...