<>01 SQL Principle and utilization method of injection vulnerability
<>1.1 Web Application architecture analysis
1998 year so far 20 many years Yes
Burst sql injection cause Massive data leakage
discover problems —> avoid sql injection Bring risk
Research web frame can Make us More familiar Framework audit in Injected principle
B/S framework start When database And website On the same server upper
webapp website Put on In the container
Containers and databases Software Installed in In the operating system
Logical pair Operation of database To achieve Website function
after Internet technology development
Large amount of data Large number of requests need web Application to handle
Cluster effect
middleware container
<>03 XSS Vulnerability principle and utilization
<> Chapter I :XSS Basics
<>1.1 XSS Introduction and principle ~1
hit cookie xss + csrf getshell
Used to attack Use browser Open this Page user obtain cookie Normal user / administrators jurisdiction
Reflex type - Non storage type usually xss code Payload (js) adopt get A parameter afferent back-end Not after storage Direct reflection back User page (html) upper
Storage type payload Save On a medium ( database , cache , file ) user When viewing this page Exhibition page Fetch data Time implement
Similar to reflex type But the recipient No longer back-end program But js Get the parameters direct On page display
html Entity code majority Work White list publish an article Rich text Filter out js code perhaps Illegal attribute involved only div a p b label
exclude onError,onLoad Event properties only src blacklist May bypass xss Business scenario symptomatic reflex get input script Code block output
xss technological process payload structure verification repair xss Higher order New usage xss Persistence xss series
Technology
Daily Recommendation