Covered scenarios:
SQL injection via GET, POST, header, JSON, multipart and other parameters
Other forms of SQL injection, such as second-order injection and SQL injection through RPC interfaces
Covered types:
Blind injection, UNION-based injection, time-based injection, error-based injection, stacked (multi-statement) injection
SQL exception monitoring, such as syntax errors and authentication (password) errors
Note: when a result set is being read it is hard to also recover the SQL statement that produced it, so this detection point has been dropped for now. In addition, network latency cannot be separated from SQL execution time, so it is difficult to confirm that a slow query is genuinely slow. This feature has been moved to the APM module.
Scenarios expected to be covered:
A SELECT statement takes longer than N seconds
A SELECT statement reads more than N rows at a time (prone to false positives, e.g. data exports)
Covered scenarios:
Uploading script files via HTTP PUT, e.g. CVE-2017-12615
HTTP PUT followed by MOVE: upload an ordinary file first, then rename it to a script file
Uploading script files via standard multipart requests
Supports Java Struts, Spring, Commons IO and other frameworks
Supports the PHP $_FILES mechanism
Supports .NET
Covered scenarios:
Exploiting an arbitrary file download vulnerability to escape the web directory and download system files, e.g. /download.jsp?path=/../././//./.././/../../etc/hosts
Sensitive files such as .tar / .sql / .log / ... present under the PHP webroot (baseline detection only, no blocking)
Executable files (Linux, Windows or Mac)
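Added example (not code from the page or the RASP it describes): a server-side check for the arbitrary file download case above, showing why the user-controlled path must be joined to the web root before '.', '..' and '//' are collapsed. The web root and the request paths are constructed sample values.

```python
import posixpath
from urllib.parse import unquote


def _percent_decode(value, rounds=3):
    """Decode percent-encoding repeatedly so double-encoded ../ (%252e%252e) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_under_root(webroot, requested):
    """Return the normalised absolute path of `requested` if it stays inside `webroot`,
    otherwise None (a traversal attempt).

    Order matters: join the request onto the web root FIRST, then collapse '.', '..'
    and '//'. Normalising the request on its own clamps a leading '/..' at '/', hides
    the escape, and leaves the operating system to walk out of the root later.
    """
    decoded = _percent_decode(requested)
    if "\x00" in decoded:  # a NUL byte truncates the path in many native file APIs
        return None
    root = posixpath.normpath(webroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # On a real filesystem also compare os.path.realpath() of both sides, so that a
    # symlink under the web root cannot point outside it.
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed sample requests: the page's traversal example beside a legitimate one.
    for path in ("/../././//./.././/../../etc/hosts", "reports/q1.pdf"):
        print(path, "->", resolve_under_root("/var/www/app", path))
```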
Covered scenarios:
Using a PHP WebShell to list the server's directories
Directory index enabled, so that users can directly see the files in a directory (this check is disabled by default)
Using ../ and other variations to leave the current directory and view the contents of other directories
directoryBrowse enabled="true" set in Web.Config (.NET)
Note: in most cases, detecting scanner activity does not indicate a vulnerability. This feature is not in line with the original intent of RASP, so it is disabled by default, but it can be enabled through configuration.
Covered scenarios:
Using well-known scanners such as SQLMap, WVS and others to probe the website for vulnerabilities
Note: IAST is able to detect CSRF. Although RASP could protect against CSRF, this kind of protection should be provided by the development framework. A RASP implementation would inject JavaScript that watches for form creation and inserts a CSRF token, with the server then verifying the token.
Covered scenarios:
Using img/video/frame/... and similar tags to trigger GET-type CSRF
Automatic form submission
Form submission via XHR
Covered scenarios:
Modifying cookies to gain administrator privileges
Note: most HTTP header CRLF injection vulnerabilities have been fixed at the API level; however, they still exist in some non-HTTP protocols, such as the recently disclosed FTP protocol CRLF injection in Java/Scala/Kotlin/Clojure.
Covered scenarios:
Inserting newlines when setting HTTP headers or when handling other TCP streams (such as the FTP protocol)
Note: PHP cannot hook the XML detection points; they are only supported in Java/Scala/Kotlin/Clojure, Node.js and .NET
Covered scenarios:
Referencing an external entity through org.apache.xerces
Accessing ftp/dict/gopher/expect/... and other less common protocols to carry out an OOB attack
Using the file protocol to read sensitive documents
Covered scenarios:
Java/Scala/Kotlin/Clojure
fastjson
transformer
xstream (such as S2-052)
... (other unknown types; see the command_reflect algorithm in the detection plugin for details)
PHP
To be sorted out
.NET
Not vulnerable
Covered scenarios:
All Struts OGNL series code execution vulnerabilities
OGNL expression injection attacks
Covered scenarios:
Accessing the database through a SQL manager
Downloading sensitive files through a file manager
Executing commands with China Chopper
... (other unknown types; see the webshell_reflect algorithm in the detection plugin for details)
Covered scenarios:
Command execution via Runtime.exec() and similar classes
Command execution via system/passthru/shell_exec/proc_open/pcntl_exec/... and other functions
Executing commands through deserialization, etc.
Covered scenarios:
Using &, |, ; and other symbols to cut and splice commands
Injecting commands using $(xxx), backticks, etc.
Syntax errors during a command injection attack
Covered scenarios:
Echoing GPC (GET/POST/COOKIE) input directly with the PHP echo function
User input containing HTML tags output directly to the page
Covered scenarios:
Blind XSS triggered in the admin backend
Covered scenarios:
Modifying LDAP query logic through injection
Covered scenarios:
Common regex DoS attacks, e.g. (a+)+ or (a|aa)+
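Added example, not from the page: a heuristic static scan of a regex's parse tree (Python's sre_parse) for the two shapes listed above, a nested unbounded quantifier and an ambiguous alternation under an unbounded quantifier, so risky patterns can be flagged in code review before untrusted input ever reaches them. It depends on sre_parse's internal tree layout and is a heuristic, not a proof.

```python
try:                                      # Python 3.11+ keeps the parser under re._parser
    from re import _parser as sre_parse
    from re._constants import MAXREPEAT
except ImportError:                       # older interpreters
    import sre_parse
    from sre_constants import MAXREPEAT

REPEATS = ("MAX_REPEAT", "MIN_REPEAT", "POSSESSIVE_REPEAT")


def _children(op, args):
    """Sub-patterns nested under one parse-tree node (repeat, group or alternation)."""
    if op.name in REPEATS:
        return [args[2]]
    if op.name == "SUBPATTERN":
        return [args[-1]]
    if op.name == "BRANCH":
        return list(args[1])
    return []


def _any_node(tree, pred):
    """True if pred(op, args) holds for any node of the tree, at any depth."""
    for op, args in tree:
        if pred(op, args) or any(_any_node(c, pred) for c in _children(op, args)):
            return True
    return False


def _unbounded(op, args):
    return op.name in REPEATS and args[1] == MAXREPEAT


def _overlapping_branch(op, args):
    """Alternation whose alternatives can match the same text: an empty alternative
    (what sre_parse leaves after factoring 'a|aa' into 'a(|a)') or a shared first node."""
    if op.name != "BRANCH":
        return False
    alts = [list(a) for a in args[1]]
    heads = [repr(a[0]) for a in alts if a]
    return len(heads) < len(alts) or len(set(heads)) < len(heads)


def find_redos_risks(pattern):
    """Heuristic scan for catastrophic-backtracking shapes; returns a list of findings."""
    findings = []
    def walk(tree):
        for op, args in tree:
            if _unbounded(op, args):
                if _any_node(args[2], _unbounded):
                    findings.append("nested unbounded quantifier")
                if _any_node(args[2], _overlapping_branch):
                    findings.append("ambiguous alternation under unbounded quantifier")
            for child in _children(op, args):
                walk(child)
    walk(sre_parse.parse(pattern))
    return findings
```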
Covered scenarios:
Printing sensitive information such as ID card, bank card or credit card numbers with log4j, java.util.logging or Log4Net
HTTP responses (html / json / xml / etc.) returning unmasked sensitive information
Covered scenarios:
PHP including log files, images, text files, etc. through include/include_once/require/require_once and similar constructs
Java including files through JSTL
ASP/ASP.NET include
Covered scenarios (Windows only):
MySQL out-of-band (DNS) requests
Using 302 redirects to file/smb/scp URLs to leak NTLM credentials
Covered scenarios:
Bypasses:
Using 10.10.10.10.xip.io / *.vcap.me and other well-known domain names that resolve to internal network resources
Using 302 redirects to access resources in the file:/// scheme
Obfuscating the destination address of the request when it is an internal IP, e.g. http://0x7f001, http://0x7f.0x0.0x0.0x1
Accessing reserved addresses, e.g. http://0/
Common scenarios:
Attempting to access AWS metadata, e.g. http://169.254.169.254/latest/meta-data/
Attempting to access a known echo service, e.g. *.burpcollaborator.net, requestb.in
Attempting to use gopher://, dict:// and other uncommon protocols
(Java) Using JSTL import to access intranet resources
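Added example, not from the page: canonicalising the obfuscated IP spellings listed above (hex, octal, decimal, fewer than four components, http://0/) the way inet_aton does, then testing the result against non-public ranges, which is the check an SSRF detector needs before the string form is trusted. Hostnames are deliberately returned as "not internal" here; a real check must resolve them and re-test every resolved address, as the xip.io / vcap.me entries show. The sample URLs are constructed.

```python
import ipaddress
from urllib.parse import urlsplit


def _parse_octet(part):
    """One dotted-address component as inet_aton reads it: 0x.. hex, 0.. octal, else decimal."""
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def canonical_ipv4(host):
    """Dotted-quad form of an IPv4 literal in any inet_aton spelling (1 to 4 components,
    hex/octal/decimal each), or None if `host` is not such a literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isalnum() for p in parts):
        return None
    try:
        values = [_parse_octet(p) for p in parts]
    except ValueError:
        return None
    *head, last = values
    # Leading components are single bytes; the last one fills the remaining bytes.
    if any(v > 0xFF for v in head) or last >= 1 << (8 * (5 - len(parts))):
        return None
    number = last
    for i, v in enumerate(head):
        number |= v << (24 - 8 * i)
    return str(ipaddress.IPv4Address(number))


INTERNAL_FLAGS = ("is_private", "is_loopback", "is_link_local", "is_reserved",
                  "is_unspecified", "is_multicast")


def is_internal_target(url):
    """True if the URL's host is an IP literal (however spelled) in a non-public range.
    DNS names yield False here: resolve them and re-test each address before connecting."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    dotted = canonical_ipv4(host)
    try:
        addr = ipaddress.ip_address(dotted if dotted is not None else host)
    except ValueError:
        return False  # a DNS name, not an IP literal
    return any(getattr(addr, flag) for flag in INTERNAL_FLAGS)
```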
Covered scenarios:
Collecting composer / pom / Web.Config information
Using a third-party library with known vulnerabilities
Covered scenarios:
Brute-forcing the backend login without a CAPTCHA
COPYRIGHT (C) 2014-2022 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.