zoukankan      html  css  js  c++  java
  • Penetration Test

    Application Exploits, Part II

    AUTHENTICATION EXPLOITS
    • Credential brute forcing
      • Offline cracking(Hydra)
    • Session hijacking
      • Intercepting and using a session token(generally) to take over a valid distributed (web) session
    • Redirect
      • Sending the user to a different site from what they expected (phishing)
    • Default credentials
      • Out of the box artifacts (you have to clean these up!)
    • Weak credentials
      • This is why password cracking works
    • Kerberos exploits
      • Forged tickets to allow unauthorized access to resources
    AUTHORIZATION
    • Parameter pollution
      • Providing custom input parameters to alter service/API operation
    • Insecure direct object reference
      • Programming mistake that can allow an attacker to bypass access controls and access resources or data
    QUICK REVIEW
    • Authentication attacks include credential brute forcing, session hijacking, redirecting, and forged Kerberos tickets
    • If you can acquire valid authentication credentials, you have access to lots of data
    • Authorization attacks include parameter pollution and insecure direct object reference
    相信未来 - 该面对的绝不逃避,该执著的永不怨悔,该舍弃的不再留念,该珍惜的好好把握。
  • 相关阅读:
    SQL Server创建索引的技巧分析
    SQL Server创建索引
    kmp算法的应用
    相交环的面积
    Rebranding
    Olympiad
    找新朋友
    卡特兰数
    越狱
    Wolf and Rabbit
  • 原文地址:https://www.cnblogs.com/keepmoving1113/p/13760430.html
Copyright © 2011-2022 走看看