If you want to learn web security, how do you get started?
1、 Think before you start
1. Do I really like security? 2. Do I want to make money from security? 3. Am I just dabbling without a clear goal? 4. Do I want to do security for the rest of my career?
If you have not thought these through, it will hurt your future development. Rather than learning web security blindly, make a long-term plan first; otherwise, in my opinion, it is a waste of time.
1、 First, you need to understand the Web
The Web is divided into several layers; one picture is worth a thousand words (the original post illustrates the layers with a diagram that is not reproduced here).
The fact is that you cannot do good security research without knowing these research objects.
So the Web has eight layers (nine if you count the browser), and each layer has dozens of mainstream components. What should you do?
One method works everywhere: treat the layers as horizontal and the data flow as vertical. Get the data flow right: follow it from the top layer down and from the bottom layer up, and look carefully at how the data is handled in each layer. Every vulnerability in the plan below is a place where one of these layers handles attacker-controlled data wrongly.
2、 Zero foundation web security learning plan
2.1 HTTP protocol request (TIME: one week)
Learn the following knowledge points:
1. the HTTP protocol
2. the structure of an HTTP request
3. HTTP status codes
4. the difference between POST and GET
In Chrome, press F12 and open the Network tab of the developer tools to view each HTTP request and its response; this is the quickest way to get a feel for the protocol.
2.2 Dangerous HTTP header fields (TIME: one week)
When making HTTP requests you need to know a few header fields. Because the client controls them, they can also cause serious security problems when the server trusts them:
User-Agent, X-Forwarded-For, Referer, Client-IP, Cookie
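The following is an added example (not code from the original post) that ties sections 2.1 and 2.2 together: it parses a raw HTTP request into method, path, query, headers and body, shows that GET and POST parameters are both attacker-controlled, and then derives the client IP from X-Forwarded-For twice, once the way many applications do it and once safely. The proxy address 10.0.0.5 and both sample requests are constructed for the demo.

```python
# Added example (not from the original post): parse a raw HTTP request and show why
# client-controlled headers such as X-Forwarded-For must not be trusted blindly.
# The proxy address 10.0.0.5 and both sample requests are made up for the demo.
from urllib.parse import parse_qs, urlsplit

TRUSTED_PROXIES = {"10.0.0.5"}  # assumption: the only reverse proxy we operate


def parse_request(raw: bytes) -> dict:
    """Split a raw request into method, path, query, headers and body.
    Header names are lower-cased because they are case-insensitive on the wire."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    params = dict(query)
    # GET carries parameters in the URL, POST carries them in the body; both are
    # equally attacker-controlled, the body is just not visible in the address bar.
    if method == "POST" and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        params.update(parse_qs(body.decode("iso-8859-1")))
    return {"method": method, "path": parts.path, "version": version,
            "headers": headers, "query": query, "params": params, "body": body}


def client_ip_naive(req: dict, peer_ip: str) -> str:
    """Vulnerable: takes the first X-Forwarded-For entry, which the client wrote.
    Anyone can send 'X-Forwarded-For: 127.0.0.1' to pass an IP-based admin check."""
    xff = req["headers"].get("x-forwarded-for")
    return xff.split(",")[0].strip() if xff else peer_ip


def client_ip_safe(req: dict, peer_ip: str) -> str:
    """Honour X-Forwarded-For only when the TCP peer is our own proxy, and read it
    from the right, skipping our proxies: the right-most foreign hop is the one our
    proxy appended; everything left of it is whatever the client chose to send."""
    if peer_ip not in TRUSTED_PROXIES:
        return peer_ip
    xff = req["headers"].get("x-forwarded-for", "")
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        if hop not in TRUSTED_PROXIES:
            return hop
    return peer_ip


# Constructed sample requests.
GET_REQ = (b"GET /search?q=admin&page=2 HTTP/1.1\r\n"
           b"Host: example.test\r\n"
           b"User-Agent: Mozilla/5.0\r\n"
           b"Referer: http://example.test/\r\n"
           b"Cookie: session=abc123\r\n\r\n")

# A client that spoofs X-Forwarded-For; the proxy then appends the real peer.
SPOOF_POST = (b"POST /admin/login HTTP/1.1\r\n"
              b"Host: example.test\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"X-Forwarded-For: 127.0.0.1, 203.0.113.7\r\n"
              b"Content-Length: 23\r\n\r\n"
              b"user=admin&pass=secret1")

if __name__ == "__main__":
    req = parse_request(SPOOF_POST)
    print("naive:", client_ip_naive(req, "10.0.0.5"))  # 127.0.0.1 (spoofed)
    print("safe: ", client_ip_safe(req, "10.0.0.5"))   # 203.0.113.7
```

The same reasoning applies to Client-IP, Referer and User-Agent: they are input, and any code that logs them, puts them into SQL or uses them for access decisions is a place to look for injection or bypasses.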
2.3 Technical terms (TIME: one day)
Understand the meaning of the following terms
Webshell, China Chopper (the "kitchen knife" webshell client), 0day, SQL injection, upload vulnerability, XSS, CSRF, one-sentence trojan (a one-line PHP webshell)
2.4 Use of professional hacker tools (TIME: 10 days)
Become familiar with using security tools for penetration testing. Mastering them greatly improves your efficiency at work:
sqlmap, Burp Suite, nmap, w3af, Nessus, AppScan, AWVS
4. Introduction to a scripting language + code audit (TIME: 10 days)
PHP is recommended, but do not go too deep: we are not developers. Understand the basic syntax and the dangerous functions (popen(), exec() and the like) and what vulnerabilities those functions cause. Then draw inferences from this one instance and apply them to other languages: the dangerous functions of ASP, ASPX, Java and others are only written differently and do the same things. Once you understand these, you can start auditing web code for vulnerabilities.
Reference reading: PHP for beginners; learning PHP code audit
5. SQL injection (TIME: 3 days)
**The most effective way to start is with the recommended injection tool, sqlmap: learn how to use sqlmap first.**
If you do not want to stay at the level of running tools, you need to learn about databases. For MySQL and SQL Server, learning SELECT is enough at the start. Try writing a PHP script that queries the database; that is the fastest way to understand the principle behind manual SQL injection. To go deeper, review injection techniques for each kind of database. Technical points to master:
1. Numeric injection 2. String (character) injection 3. Search (LIKE) injection 4. Blind injection (time-based, using sleep()) 5. Using sqlmap 6. Wide-byte injection
Reference reading: introduction to MySQL; how sqlmap's sleep-based injection works; blind injection with the sleep() function
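An added example (not from the original post) covering points 1, 2 and 4 above against an in-memory SQLite database: numeric injection, string injection, the parameterised form that fixes both, and a boolean-blind extraction loop that recovers a password one character at a time with a binary search, which is the same loop sqlmap runs. The schema and rows are constructed. SQLite has no sleep(), so the oracle here is a true/false login result; on MySQL the condition would be wrapped in IF(cond, SLEEP(5), 0) and the oracle becomes response time, which is what the page calls sleep injection.

```python
# Added example (not from the original post). Schema and rows are constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'alice', 'hunter2'),
                                 (3, 'bob', 'qwerty');
    """)
    return con


def find_by_id_vuln(con, user_id: str):
    """Numeric injection: the id is pasted into the query unquoted, so no quote
    is needed to break out: '2 OR 1=1' returns every row."""
    sql = f"SELECT name FROM users WHERE id = {user_id}"
    return [r[0] for r in con.execute(sql)]


def find_by_name_vuln(con, name: str):
    """String injection: a single quote closes the literal."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [r[0] for r in con.execute(sql)]


def find_by_name_safe(con, name: str):
    """Parameterised query: the value is sent separately from the SQL text and
    can never change the query's structure."""
    return [r[0] for r in con.execute("SELECT name FROM users WHERE name = ?", (name,))]


def login_vuln(con, name: str, password: str) -> bool:
    """A boolean oracle: the caller only ever learns True or False."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return con.execute(sql).fetchone() is not None


def blind_extract(con, column: str, where: str, max_len: int = 16) -> str:
    """Recover one column value through the login oracle, character by character.
    Each character costs about 7 requests (binary search over 0..127)."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = (f"unicode(substr((SELECT {column} FROM users WHERE {where}),"
                    f"{pos},1)) > {mid}")
            # 'x' OR (cond) -- ' AND password=''  -> the comment removes the rest
            if login_vuln(con, f"x' OR ({cond}) -- ", ""):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # substr past the end is '' and unicode('') is NULL: string finished
            break
        result += chr(lo)
    return result


if __name__ == "__main__":
    con = make_db()
    print(find_by_id_vuln(con, "2 OR 1=1"))
    print(find_by_name_vuln(con, "x' OR '1'='1"))
    print(blind_extract(con, "password", "name='admin'"))
```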
6. CSRF (cross-site request forgery) (TIME: 3 days)
Why CSRF happens, the difference between GET-type and POST-type CSRF, and how to prevent CSRF with a token.
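An added example (not from the original post) of the token defence just mentioned. The request and session objects are plain dicts constructed for the demo, and the server secret is an assumption. The vulnerable handler accepts any method and relies on the session cookie alone, which the browser attaches to cross-site requests too; the fixed handler refuses GET for a state-changing action and requires a token that the attacker's page cannot read because of the same-origin policy.

```python
# Added example (not from the original post). Requests and sessions are plain dicts.
import hashlib
import hmac
import secrets

SECRET_KEY = secrets.token_bytes(32)  # assumption: a per-deployment server secret


def issue_token(session_id: str) -> str:
    """Bind the token to the session so a token obtained from the attacker's own
    session is useless against the victim's. A random per-session token stored
    server-side works just as well; what matters is that it is unguessable and
    unreadable from another origin."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer_vuln(request: dict, session_id: str) -> str:
    """Vulnerable: any method, no token. Only the cookie identifies the user."""
    params = request.get("query") or request.get("form") or {}
    return f"200 transferred {params.get('amount')} for {session_id}"


def handle_transfer(request: dict, session_id: str) -> str:
    """Fixed: state changes only over POST, and only with a valid token."""
    if request["method"] != "POST":
        return "405 method not allowed"
    token = request.get("form", {}).get("csrf_token", "")
    # constant-time compare so the token cannot be guessed byte by byte
    if not hmac.compare_digest(token, issue_token(session_id)):
        return "403 bad csrf token"
    return f"200 transferred {request['form']['amount']} for {session_id}"


def forged_get(amount: str) -> dict:
    """GET-type CSRF: what <img src="https://bank.test/transfer?amount=..."> on the
    attacker's page sends. The victim's browser adds the bank cookie automatically."""
    return {"method": "GET", "query": {"amount": amount}}


def forged_post(amount: str) -> dict:
    """POST-type CSRF: an auto-submitting hidden form on the attacker's page. The
    attacker has to guess the token; the same-origin policy stops them reading it."""
    return {"method": "POST", "form": {"amount": amount, "csrf_token": "guess"}}


if __name__ == "__main__":
    sid = "sess-victim"
    print(handle_transfer_vuln(forged_get("100"), sid))
    print(handle_transfer(forged_post("100"), sid))
    print(handle_transfer({"method": "POST", "form": {"amount": "5",
                           "csrf_token": issue_token(sid)}}, sid))
```

In practice you add SameSite=Lax or Strict on the session cookie as a second layer, but the token check is what you audit for, because SameSite depends on browser behaviour the server does not control.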
7. XSS (TIME: 7 days)
To study XSS, first understand the same-origin policy. You also need to learn JavaScript, the decimal and hexadecimal encodings of HTML entities, and the octal and hexadecimal escape sequences of JavaScript strings, because filters that look for the literal tag are bypassed by encoded forms.
Reference reading: XSS basics; encoding; the same-origin policy
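An added example (not from the original post) of the encodings listed above: it decodes decimal and hexadecimal HTML entities and octal, hexadecimal and \u JavaScript escapes back to the characters a browser would see, shows that a naive blacklist misses every encoded form, and finishes with the output encoding that actually stops the injection. The filter and the sample payloads are constructed. Which decoding the browser applies depends on where the input lands: entities are decoded in HTML attributes and text, JavaScript escapes only inside a script string, so the analyst's normaliser here applies both to be conservative.

```python
# Added example (not from the original post). Payloads and filter are constructed.
import html
import re

# \x3c (hex), \u003c (unicode), \74 (octal)
_JS_ESC = re.compile(r"\\(?:x([0-9A-Fa-f]{2})|u([0-9A-Fa-f]{4})|([0-7]{1,3}))")


def decode_js_escapes(s: str) -> str:
    """Turn JavaScript string escapes into the characters they stand for."""
    def sub(m):
        hx, uni, octal = m.groups()
        if hx:
            return chr(int(hx, 16))
        if uni:
            return chr(int(uni, 16))
        return chr(int(octal, 8))
    return _JS_ESC.sub(sub, s)


def decode_html_entities(s: str) -> str:
    """&#60; (decimal), &#x3c; (hex) and &lt; (named) all become '<'.
    html.unescape, like browsers, also accepts entities with the ';' left off."""
    return html.unescape(s)


def naive_filter(s: str) -> bool:
    """A typical blacklist: flags the literal tag and nothing else."""
    return "<script" in s.lower()


def normalise(s: str) -> str:
    """What the payload becomes after the browser decodes it: entities first (the HTML
    parser runs first), then JavaScript escapes (if the value ends up in a JS string)."""
    return decode_js_escapes(decode_html_entities(s))


def encode_for_html(s: str) -> str:
    """Output encoding for HTML text and attribute context: the real fix. Whatever
    the input was, it is now inert characters, not markup."""
    return html.escape(s, quote=True)


# Constructed payloads: the same <script> tag in five encodings.
PAYLOADS = {
    "plain":  "<script>alert(1)</script>",
    "dec":    "&#60;script&#62;alert(1)&#60;/script&#62;",
    "hex":    "&#x3c;script&#x3e;alert(1)&#x3c;/script&#x3e;",
    "js_hex": "\\x3cscript\\x3ealert(1)\\x3c/script\\x3e",
    "js_oct": "\\74script\\76alert(1)\\74/script\\76",
}

if __name__ == "__main__":
    for name, p in PAYLOADS.items():
        print(f"{name:7} filter={naive_filter(p)!s:5} decoded={normalise(p)}")
```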
8. File upload vulnerability (TIME: 7 days)
Learn about the upload vulnerabilities in open-source rich-text editors, and the ways the server's checks on an uploaded file can be bypassed (double extensions, spoofed Content-Type, image files with a webshell appended, and so on).
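An added example (not from the original post) of a server-side upload check where each step corresponds to one of the bypasses you will study: null bytes, traversal in the name, a dangerous extension anywhere in the name (which also catches the names that older IIS and nginx+PHP setups mis-parse, such as shell.asp;.jpg), a blacklist-versus-allowlist decision, a client-supplied Content-Type, magic bytes, and a valid image with PHP appended. The sample uploads are constructed.

```python
# Added example (not from the original post). Sample uploads are constructed.
import os
import re

ALLOWED = {"jpg", "jpeg", "png", "gif"}
MAGIC = {
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",), "gif": (b"GIF87a", b"GIF89a"),
}
# an executable extension followed by end-of-name or any non-word character,
# so 'a.php.jpg', 'a.asp;.jpg', 'a.php.' and 'a.php ' are all caught
DANGEROUS = re.compile(r"\.(php\d?|phtml|phar|asp|aspx|asa|cer|jsp|jspx)(?=\W|$)", re.I)


def check_upload(filename: str, content_type: str, data: bytes):
    """Return (ok, reason). Each check blocks one bypass."""
    name = os.path.basename(filename.replace("\\", "/"))
    # 1. 'shell.php\x00.jpg' is cut at the null byte by C-based code; '../x.jpg' escapes
    if "\x00" in name or name != filename:
        return False, "suspicious path or null byte"
    # 2. refuse executable extensions anywhere in the name, not only at the end
    if DANGEROUS.search(name):
        return False, "executable extension present"
    # 3. the final extension must be on an allowlist (a blacklist always misses one)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED:
        return False, "extension not allowed"
    # 4. Content-Type is sent by the client and is checked but never trusted alone
    if not content_type.startswith("image/"):
        return False, "content-type not image"
    # 5. the bytes must start like the image the name claims
    if not data.startswith(MAGIC[ext]):
        return False, "magic bytes mismatch"
    # 6. a real GIF header followed by PHP survives checks 1-5; the durable fix is
    #    to store uploads outside the web root or re-encode the image
    if any(marker in data for marker in (b"<?php", b"<?=", b"<%")):
        return False, "script marker inside image"
    return True, "ok"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for f, ct, d in [("cat.png", "image/png", png),
                     ("shell.php", "image/png", png),
                     ("shell.php.jpg", "image/jpeg", b"\xff\xd8\xff" + b"x"),
                     ("shell.asp;.jpg", "image/jpeg", b"\xff\xd8\xff" + b"x"),
                     ("cat.gif", "image/gif", b"GIF89a<?php phpinfo(); ?>")]:
        print(f, check_upload(f, ct, d))
```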
9. PHP remote/local file inclusion (TIME: 10 days)
Learn how the PHP functions include(), include_once(), require(), require_once(), fopen() and readfile() give rise to file inclusion vulnerabilities, and the difference between local and remote inclusion. Also learn the techniques used when exploiting file inclusion, such as null-byte truncation, pseudo-URL stream wrappers (php://filter, data://), and over-long path truncation.
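An added example (not from the original post) that models what include("pages/" . $_GET['p'] . ".php") does with a hostile p, then the safe version. It works on a temporary directory of constructed files and only simulates PHP's behaviour: the vulnerable resolver reads the file instead of executing it, treats a leading php://, http:// or data:// the way PHP's stream wrappers would, and reproduces the null-byte truncation of PHP versions before 5.3.4. The safe version allowlists page names and confirms the resolved real path stays under pages/.

```python
# Added example (not from the original post). Files and directory are constructed.
import os
import tempfile
from urllib.parse import unquote

WRAPPERS = ("php://", "http://", "https://", "data://", "ftp://")


def make_pages_dir() -> str:
    """Constructed web root: pages/home.php, pages/about.php and a config.php
    one level up, which is what the attacker wants to read."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "pages"))
    for page in ("home", "about"):
        with open(os.path.join(base, "pages", page + ".php"), "w") as f:
            f.write(f"<?php echo '{page}'; ?>")
    with open(os.path.join(base, "config.php"), "w") as f:
        f.write("<?php $db_pass = 'hunter2'; ?>")
    return base


def include_vuln(base: str, p: str) -> str:
    """Mirrors include('pages/'.$p.'.php'): traversal, wrappers and null bytes all work."""
    p = unquote(p)
    if p.lower().startswith(WRAPPERS):
        # remote inclusion / php://filter: PHP would fetch or transform this itself
        return f"wrapper: {p}"
    path = os.path.join(base, "pages", p + ".php")
    if "\x00" in path:
        # PHP < 5.3.4 passed the string to a C open(), which stops at the null byte,
        # so the appended '.php' disappears and any file can be included
        path = path.split("\x00", 1)[0]
    with open(path) as f:
        return f.read()


def include_safe(base: str, p: str) -> str:
    """Allowlist the page names and check the canonical path stays inside pages/."""
    if p not in {"home", "about"}:
        raise ValueError("unknown page")
    pages = os.path.realpath(os.path.join(base, "pages"))
    path = os.path.realpath(os.path.join(pages, p + ".php"))
    if os.path.commonpath([pages, path]) != pages:
        raise ValueError("path escapes pages/")
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    base = make_pages_dir()
    print(include_vuln(base, "../config"))                 # local file inclusion
    print(include_vuln(base, "../config.php%00"))          # null-byte truncation
    print(include_vuln(base, "php://filter/convert.base64-encode/resource=../config"))
    print(include_safe(base, "home"))
```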
10. PHP command and code execution (TIME: 3 days)
Common code execution functions in PHP include:
eval(), assert(), preg_replace() with the /e modifier, call_user_func(), call_user_func_array(), create_function(), array_map(), and for command execution system(), exec(), shell_exec(), passthru() and popen(). Understand what each function does and work out how user input reaching it becomes a code execution vulnerability.
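An added example (not from the original post) serving sections 4, 9 and 10 together: a grep-style code audit that scans PHP source for the functions named above plus the inclusion functions, follows one hop of assignment from the superglobals, and reports only the calls whose arguments carry user input. The sink list is my own and the PHP snippet is constructed. It is deliberately a heuristic: it does not understand sanitisers, so a flagged call is a place to read, not a confirmed bug, and the preg_replace check only fires when the pattern carries the /e modifier.

```python
# Added example (not from the original post). Sink list and sample PHP are constructed.
import re

SINKS = {
    "code execution": ["eval", "assert", "create_function", "call_user_func",
                       "call_user_func_array", "array_map", "preg_replace"],
    "command execution": ["system", "exec", "shell_exec", "passthru", "popen",
                          "proc_open"],
    "file inclusion": ["include", "include_once", "require", "require_once",
                       "fopen", "readfile", "file_get_contents"],
}
KIND_OF = {fn: kind for kind, fns in SINKS.items() for fn in fns}
SUPERGLOBAL = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)\b")
ASSIGN = re.compile(r"(\$\w+)\s*=\s*([^;]+);")
# sink name, optional '(', the arguments up to the statement's ';'
CALL = re.compile(r"\b(" + "|".join(sorted(KIND_OF, key=len, reverse=True))
                  + r")\b\s*\(?\s*([^;]*?)\)?\s*;", re.I)


def tainted_vars(src: str) -> set:
    """One-hop taint: variables assigned from a superglobal or from a tainted variable."""
    tainted = set()
    for var, rhs in ASSIGN.findall(src):
        if SUPERGLOBAL.search(rhs) or any(
                re.search(re.escape(t) + r"\b", rhs) for t in tainted):
            tainted.add(var)
    return tainted


def audit_php(src: str) -> list:
    """Return findings for sink calls whose arguments contain user input."""
    tainted = tainted_vars(src)
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for m in CALL.finditer(line):
            fn, args = m.group(1).lower(), m.group(2)
            # preg_replace only evaluates the replacement under the deprecated /e modifier
            if fn == "preg_replace" and not re.search(r"/\w*e\w*['\"]", args):
                continue
            user_input = bool(SUPERGLOBAL.search(args)) or any(
                re.search(re.escape(t) + r"\b", args) for t in tainted)
            if user_input:
                findings.append({"line": lineno, "kind": KIND_OF[fn],
                                 "function": fn, "args": args.strip()})
    return findings


# Constructed PHP to scan. Lines 3, 6, 8, 9 and 12 should be reported; 7 and 10 are
# the same sinks with constant arguments and should not.
SAMPLE = r"""<?php
$page = $_GET['p'];
include "pages/" . $page . ".php";
$cmd = $_POST['cmd'];
$safe = escapeshellarg($cmd);
system($cmd);
system("ls -l /var/www");
eval("return " . $_REQUEST['expr']);
$out = preg_replace('/(.*)/e', 'strtoupper("\1")', $_GET['s']);
$names = array_map('strtoupper', ['a', 'b']);
$f = $_COOKIE['fn'];
call_user_func($f, $_GET['arg']);
"""

if __name__ == "__main__":
    for f in audit_php(SAMPLE):
        print(f"line {f['line']:>3}  {f['kind']:<18} {f['function']}({f['args']})")
```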
12 SSRF (TIME: 3 days)
1. Understand the principle of SSRF and its hazards. 2. Know what SSRF can do.
During a web penetration test we cannot reach the target's internal network directly, so we use an SSRF vulnerability: a public-facing site that fetches a URL on our behalf lets us obtain the following.
1. Port-scan the external network, the intranet the server sits on, and the server itself, collecting service banners;
2. Attack applications running on the intranet or on the server itself (for example, buffer overflows);
3. Fingerprint intranet web applications by requesting their default files;
4. Attack intranet and extranet web applications, mainly with attacks that can be carried in GET parameters (Struts 2, SQL injection and the like);
5. Read local files with the file:// protocol.
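An added example (not from the original post) of the server-side check that closes off the five uses above: it refuses every scheme except http and https (so file://, gopher:// and dict:// are out), refuses credentials in the URL, resolves the host and rejects loopback, private, link-local (including the 169.254.169.254 cloud metadata address) and other internal ranges. The resolver is injected so the checks run offline against a constructed DNS table; the real one would be socket.getaddrinfo. Decimal and hex IP forms such as 2130706433 are not valid dotted quads, so they fall through to the resolver, which is what the HTTP client would do too.

```python
# Added example (not from the original post). The DNS table is constructed.
import ipaddress
import socket
from urllib.parse import urlsplit


def default_resolver(host: str) -> set:
    return {ai[4][0] for ai in socket.getaddrinfo(host, None)}


def is_internal(ip_str: str) -> bool:
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:127.0.0.1 is still loopback
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved
            or ip.is_multicast or ip.is_unspecified
            or ip in ipaddress.ip_network("100.64.0.0/10"))  # carrier-grade NAT range


def check_url(url: str, resolver=default_resolver) -> str:
    """Return the IP the fetch may connect to, or raise ValueError. The caller must
    connect to that IP and set the Host header itself; resolving again at fetch time
    would let a DNS rebind swap in an internal address after the check."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme or '(none)'}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL")  # http://trusted.test@127.0.0.1/
    try:
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:
        addrs = resolver(host)  # hostnames, and odd literals like 2130706433
    if not addrs:
        raise ValueError("unresolvable host")
    for addr in addrs:  # every answer must be external, not just the first
        if is_internal(addr):
            raise ValueError(f"{host} resolves to internal address {addr}")
    return sorted(addrs)[0]


# Constructed DNS answers standing in for the real resolver.
FAKE_DNS = {
    "example.test": {"93.184.216.34"},
    "metadata.evil.test": {"169.254.169.254"},   # attacker DNS pointing inside
    "localhost": {"127.0.0.1", "::1"},
    "2130706433": {"127.0.0.1"},                 # what inet_aton makes of decimal form
    "0x7f000001": {"127.0.0.1"},                 # and of hex form
}


def fake_resolver(host: str) -> set:
    return FAKE_DNS.get(host.lower(), set())


if __name__ == "__main__":
    for u in ("http://example.test/api", "file:///etc/passwd", "http://2130706433/",
              "http://169.254.169.254/latest/meta-data/"):
        try:
            print(u, "->", check_url(u, fake_resolver))
        except ValueError as e:
            print(u, "-> blocked:", e)
```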
13 Logic vulnerability (TIME: 7 days)
Common logic vulnerabilities generally occur in the following places
1. Order amounts can be modified at will (common on shopping sites) 2. The verification code is returned to the client in the response 3. Horizontal privilege escalation: an ID parameter is not checked against the logged-in user's session/cookie, so changing it exposes other users' data 4. Design flaws in the password-reset flow 5. Interfaces that can be enumerated without limit (no rate limiting or lockout)
14 XXE (XML external entity injection) (TIME: 5 days)
When the XML parser is allowed to load external entities, a crafted document can lead to file reading, intranet probing, denial of service through entity expansion and, with some parsers, command execution.
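An added example (not from the original post) of the standard mitigation: refuse any document that declares a DTD before it reaches the real parser, which blocks external entities, parameter entities and entity-expansion bombs with one check. It uses expat's StartDoctypeDeclHandler from the standard library; the XXE and billion-laughs payloads and the benign order document are constructed. If an application genuinely needs DTDs, use a parser configured to disable external entity loading instead of rejecting outright.

```python
# Added example (not from the original post). All three documents are constructed.
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class DtdFound(ValueError):
    pass


def reject_dtd(data: bytes) -> None:
    """Raise DtdFound as soon as a <!DOCTYPE appears; no entity is ever expanded."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdFound(f"DTD declared for <{name}>; external and internal entities refused")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)  # exceptions raised in handlers propagate out of Parse


def safe_parse(data: bytes) -> ET.Element:
    """Fail closed on any DTD, then parse normally."""
    reject_dtd(data)
    return ET.fromstring(data)


# Classic XXE: the entity body is the contents of /etc/passwd.
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<order><item>&xxe;</item></order>"""

# Entity expansion bomb (billion laughs), the same check stops it.
BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;"> ]>
<lolz>&lol2;</lolz>"""

BENIGN = b"""<?xml version="1.0"?><order><item>book</item><qty>2</qty></order>"""

if __name__ == "__main__":
    print(safe_parse(BENIGN).find("item").text)
    for doc in (XXE_PAYLOAD, BOMB):
        try:
            safe_parse(doc)
        except DtdFound as e:
            print("rejected:", e)
```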
15 XPath injection (TIME: 5 days)
XPath injection is essentially the same idea as SQL injection: malicious query fragments entered by the user are concatenated into the XPath expression the site uses to query its XML data, changing what the query matches.
16 Server parsing vulnerability
IIS parsing vulnerability, nginx parsing vulnerability, Tomcat manager (back-end) upload vulnerability, JBoss upload vulnerability
Once you have mastered the principles of almost all the vulnerabilities above, you can go to work and practise.
#Bonus item - penetration information collection (TIME: 15 days)#
Subdomain collection: use a DNS zone transfer (AXFR) misconfiguration to collect second-level domain names.
The Linux test commands are as follows (DNS server 1.1.1.1, test domain wooyun.org):
dig @1.1.1.1 sechook.org axfr
nmap --script dns-zone-transfer --script-args dns-zone-transfer.domain=wooyun.org -p 53 -Pn 1.1.1.1
A server that is configured correctly refuses the transfer; if it answers, you get every record in the zone at once.
Example: query Suning's DNS servers
D:\Deep>nslookup
Default server: localhost
Address: 10.11.0.1
> set type=ns
> suning.com
Server: localhost
Address: 10.11.0.1
Non-authoritative answer:
suning.com nameserver = lns1.zdnscloud.info
suning.com nameserver = gns2.zdnscloud.net.cn
suning.com nameserver = lns2.zdnscloud.biz
suning.com nameserver = gns1.zdnscloud.net
>
Query Suning's IP
C:\Users\jack>nslookup suning.com
Server: localhost
Address: 10.11.0.1
Non-authoritative answer:
Name: suning.xdwscache.ourwebcdn.com
Addresses: 203.130.60.48 (corresponding IP)
           203.130.60.49 (corresponding IP)
           203.130.60.50 (corresponding IP)
Aliases: suning.com
         suning.com.wscdns.com (alias)
Note that the answer name is a CDN cache host, so these three addresses belong to the CDN, not to the origin server; finding the real IP behind a CDN is a separate step (see below).
Online subdomain brute-force sites
dnsdumpster.com; Netcraft (search web by domain)
Tools for collecting subdomains
Commonly used tools in penetration testing (see the SecWiki topic for reference links): subDomainsBrute, wydomain, theHarvester.py, Fierce, Dig, knock, dnsspider, SubDomainscorect, SubBrute, dirfuzz
Usage:
fierce -dns baidu.com -threads 3
subDomainsBrute.py suning.com
python theHarvester.py -d suning.com -l 500 -b baidu -v        (for domestic targets Baidu returns many results)
python theHarvester.py -d <company name> -l 500 -b baidu -v    (search by the company name found on Baidu)
python theHarvester.py -d suning.com -l 500 -b google -v       (for foreign sites Google returns more)
python theHarvester.py -d <school domain> -l 1000 -b all       (use all search engines)
subDomainsBrute needs a dependency installed
Error message: ImportError: No module named dns.resolver. The missing library is dnspython: pip install dnspython. If pip is not available, fetch https://github.com/rthalley/dnspython.git, then cd dnspython and run python setup.py install.
Search engine tips (Google):
+ forces a word Google would otherwise ignore; - excludes a word; ~ also matches synonyms of the word; * is a wildcard that can stand for one or more words; "" searches for the exact phrase.
Searching code-hosting sites for leaked information
Google: andy-game.googlecode.com/svn-history/
GitHub: github.com/search?utf8=%E2%9C%93&q=%E5%A4%96%E7%BD%91+%E8%B1%86%E7%93%A3&type=Code&ref=searchresults (a code search for the terms 外网 豆瓣, i.e. "extranet douban")
Email address collection
Collecting email addresses with Metasploit: xiao106347.blog.163.com/blog/static/215992078201311300162776/
Reverse lookup of domains on an IP
dns.aizhan.com/58.240.86.229/
Collecting sibling (second-level) domains
Query the mail server records, collect the target's IP address ranges, and use code-hosting sites to collect information about the target.
Determine the IP address range
Scan the C-class segment (/24) around known hosts; use social engineering; find the real IP address behind the CDN (for example via mail servers, sub-domains that are not proxied, or historical DNS records).
3、 Organize notes
I think this is the most important part. Taking notes is a good habit that lets you summarise and consolidate what you have learned; in the process of summarising, you form your own understanding of the technique and your own ideas, so that the knowledge in the book becomes your own.
If you learn according to this plan, I cannot guarantee how good you will be, but finding a job will be no problem at all.