Registration scenario
Batch registration
- Phone farms (racks of handsets) driven by human operators;
- Scripted batch registration;
- Registration from emulators;
Arbitrary account registration
- The user information is not bound to the verification credential, so a code sent to one phone number or mailbox can be used to register a different one;
- The user information is not checked at all (supplying any phone number or email is enough to register successfully);
Account washing (enumeration)
- By querying the "is this user registered" interface, an attacker filters the valid accounts out of a large candidate list;
Registration overwrite
- Reproducible on older MySQL versions: non-binary string comparison under the default PAD SPACE collations (the pre-8.0 defaults) ignores trailing spaces, so the two usernames below compare as equal and a lookup for one can return the other's row, depending on how the application checks uniqueness:
Account A: Zhangsan
Account B: Zhangsan (followed by n spaces)
Login scenario
Brute force
- Unrestricted guessing when no protective measure (rate limit, lockout, captcha) exists;
- A captcha exists but its logic is flawed (reusable, not bound to the session, or verified client-side);
Malicious lockout
- When the number of failed logins reaches the limit, the account is locked for n hours; an attacker who deliberately fails logins against a victim's account can therefore deny the victim access;
Session security issues
- Session fixation: the session identifier is the same before and after login, so an identifier planted by the attacker stays valid once the victim authenticates;
- Session logout: the server-side session is not destroyed when the user logs out;
- Session timeout: the session lifetime is too long;
Cookie forgery
- The cookie structure is too simple and easily guessed (for example a plain username or numeric user id), so an attacker can construct a cookie for another user. This attack only works when the backend does not validate the cookie against a server-side record;
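The session and cookie items above are four separate failure modes, but one server-side store fixes all of them: a random session id carried in an HMAC-signed cookie (so the structure cannot be guessed), rotated on login (fixation), destroyed on logout, and expired when idle. The following is an added illustration, not code from the original page; the class name SessionStore, the secret value and the demo scenario are assumptions.

```python
import hashlib
import hmac
import secrets
import time


class SessionStore:
    """Server-side session store (hypothetical name). The cookie value is
    '<random sid>.<HMAC tag>', so a client cannot construct one for another
    user, and the sid only means something against this store's records."""

    def __init__(self, secret: bytes, idle_timeout: int = 900):
        self._secret = secret
        self._idle_timeout = idle_timeout
        self._sessions = {}  # sid -> {"user": str | None, "last_seen": float}

    @staticmethod
    def _clock(now):
        return time.time() if now is None else now

    def _sign(self, sid: str) -> str:
        tag = hmac.new(self._secret, sid.encode(), hashlib.sha256).hexdigest()
        return f"{sid}.{tag}"

    def _unsign(self, cookie: str):
        sid, _, _tag = cookie.rpartition(".")
        if not sid or not hmac.compare_digest(self._sign(sid), cookie):
            return None  # forged or tampered cookie
        return sid

    def new_anonymous(self, now=None) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self._clock(now)}
        return self._sign(sid)

    def login(self, cookie: str, user: str, now=None) -> str:
        # Fixation defence: the pre-login sid (possibly planted by an attacker)
        # is discarded and a fresh one is issued once the user authenticates.
        old = self._unsign(cookie)
        if old is not None:
            self._sessions.pop(old, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock(now)}
        return self._sign(sid)

    def logout(self, cookie: str) -> None:
        # Logout defence: destroy the server-side record, not just the cookie.
        sid = self._unsign(cookie)
        if sid is not None:
            self._sessions.pop(sid, None)

    def current_user(self, cookie: str, now=None):
        now = self._clock(now)
        sid = self._unsign(cookie)
        rec = self._sessions.get(sid) if sid else None
        if rec is None:
            return None
        if now - rec["last_seen"] > self._idle_timeout:
            self._sessions.pop(sid, None)  # timeout defence: idle sessions die
            return None
        rec["last_seen"] = now
        return rec["user"]


def demo() -> dict:
    """Walk through the four failure modes; returns the observed outcomes."""
    store = SessionStore(secret=b"server-secret (assumption)", idle_timeout=900)
    planted = store.new_anonymous(now=1000.0)          # attacker plants this sid
    victim = store.login(planted, "alice", now=1001.0)  # victim logs in with it
    forged = "alice.0000"                               # guessed cookie structure
    out = {
        "rotated_on_login": victim != planted,
        "planted_sid_dead": store.current_user(planted, now=1002.0) is None,
        "victim_valid": store.current_user(victim, now=1002.0) == "alice",
        "forged_rejected": store.current_user(forged, now=1002.0) is None,
        "idle_timeout": store.current_user(victim, now=1002.0 + 3600) is None,
    }
    fresh = store.login(store.new_anonymous(now=5000.0), "bob", now=5000.0)
    store.logout(fresh)
    out["logout_invalidates"] = store.current_user(fresh, now=5001.0) is None
    return out
```

The `now` parameters exist only so the timeout behaviour can be exercised without sleeping; in production they default to the wall clock.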
Login enumeration
- Account washing: filter valid accounts out of a large list by checking whether an "account exists" interface, or the login error message, differs for registered and unregistered accounts;
Unencrypted login request
- Network sniffing and hijacking: credentials sent over plain HTTP can be read or replaced on the path;
Password recovery scenario
A normal password recovery takes 4 steps:
a. Enter user information
b. Verify the user credential (verification code or token)
c. Reset the password
d. Reset succeeded
Brute force of the verification credential
In step b, because the credential is too simple (e.g. 4 digits), or has a long or unlimited validity period with no attempt limit, the attacker can brute-force it.
Common tool: Burp Suite Intruder
Credential returned in the response
The credential is returned in the response header or body, so it can be read directly from the response instead of from the victim's phone or mailbox.
Credential not bound to user information
In step b the credential is not bound to the phone number or mailbox it was sent to, so an attacker who requests a code for their own account (user A) can submit it in the reset flow of user B and pass verification, and B's password is reset.
Weak mailbox token
Common in email-based password recovery; token generation methods seen in the wild:
- UNIX timestamp
- Username, or username + other user information
- Common encoding or hashing of the above: MD5, Base64, etc.
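Why such tokens are weak: everything they are built from is public or guessable. If the token is MD5(username + timestamp), the attacker who triggered the reset knows the username and the request time to within a few seconds, and the reset endpoint accepts unlimited guesses, so the search space is a few dozen candidates. The block below is an added illustration, not code from the original page; ResetServer and predict_token are hypothetical stand-ins for the endpoint and the attacker's script.

```python
import hashlib
import secrets


def weak_token(username: str, issued_ts: int) -> str:
    """The predictable generator the text describes: MD5 over public data."""
    return hashlib.md5(f"{username}{issued_ts}".encode()).hexdigest()


def strong_token() -> str:
    """What it should be: 256 random bits from the OS CSPRNG, stored server-side."""
    return secrets.token_urlsafe(32)


class ResetServer:
    """Minimal stand-in for a mailbox-reset endpoint (assumption): the token is
    e-mailed to the account owner and the attacker never sees it directly."""

    def __init__(self):
        self._tokens = {}  # username -> outstanding token

    def request_reset(self, username: str, now: int) -> None:
        self._tokens[username] = weak_token(username, now)

    def consume(self, username: str, token: str) -> bool:
        # No attempt limit: the attacker can try as many candidates as they like.
        return self._tokens.get(username) == token


def predict_token(server: ResetServer, username: str, approx_ts: int, window: int):
    """Attacker side: the request was made by the attacker, so the issue time
    is known to within `window` seconds. Enumerate every candidate timestamp
    and ask the endpoint which one it accepts. Returns (token, attempts)."""
    attempts = 0
    for ts in range(approx_ts - window, approx_ts + window + 1):
        attempts += 1
        candidate = weak_token(username, ts)
        if server.consume(username, candidate):
            return candidate, attempts
    return None, attempts


def demo():
    """Constructed scenario: reset issued at T, attacker saw the request at T+3."""
    server = ResetServer()
    server.request_reset("victim", now=1_700_000_000)
    return predict_token(server, "victim", approx_ts=1_700_000_003, window=30)
```

A 61-second window costs at most 61 requests; by contrast a token from `strong_token()` has 2^256 possibilities and no relation to the username or clock, so the only fix for a weak generator is to replace it, not to obfuscate its inputs.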
Cookie overwrite
- With user A's account, proceed to step c (the reset page) and keep the page open;
- In the same browser, open a new tab and, with user B's account, proceed to step b; keep that page open;
- Refresh the first page (user A's reset page): the cookie now names user B while the server still treats credential verification as complete, so B's password can be reset.
Front-end check
- In step b the credential is verified by front-end JS (or other client-side code), so the verification result is controllable by the client.
Step skipping (context over-authority)
- Context over-authority means the credential verification of step b is bypassed by jumping from step a directly to step c, because the server does not record which steps have been completed.
Universal verification code
- A master code such as 000000 / 666666 / 888888, usually left in from testing, passes verification for any account.
Unauthorized access (privilege abuse)
Horizontal privilege escalation
- Access another user's information or resources while authenticated as a user of the same role;
Vertical privilege escalation
- Access information or resources reserved for a different (higher-privileged) role;
SMS / email bombing
The places where bombing attacks usually occur are as follows (additions welcome):
- User registration
- User activation
- Sending the password recovery credential
- Secondary authentication points, such as payment verification
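Every one of those endpoints sends a message on request, so each needs the same three limits: a cooldown between sends to one contact, a daily cap per contact, and a cap per source IP so the attacker cannot spread the abuse over many phone numbers. The block below is an added illustration, not code from the original page; SendLimiter and the specific limits are assumptions.

```python
from collections import defaultdict, deque


class SendLimiter:
    """Rate limiter for verification-code senders (hypothetical). Keeps a
    sliding window of send timestamps per contact and per source IP."""

    def __init__(self, cooldown=60, per_contact_day=5, per_ip_hour=20):
        self.cooldown = cooldown              # seconds between sends to one contact
        self.per_contact_day = per_contact_day
        self.per_ip_hour = per_ip_hour
        self._contact_hist = defaultdict(deque)  # contact -> timestamps (24h window)
        self._ip_hist = defaultdict(deque)       # ip -> timestamps (1h window)

    @staticmethod
    def _prune(hist: deque, now: float, window: int) -> None:
        while hist and now - hist[0] >= window:
            hist.popleft()

    def allow(self, contact: str, ip: str, now: float) -> str:
        """Returns 'ok' and records the send, or the name of the limit hit."""
        c, i = self._contact_hist[contact], self._ip_hist[ip]
        self._prune(c, now, 86400)
        self._prune(i, now, 3600)
        if c and now - c[-1] < self.cooldown:
            return "cooldown"        # same phone hammered in quick succession
        if len(c) >= self.per_contact_day:
            return "contact_quota"   # one victim, many sends over the day
        if len(i) >= self.per_ip_hour:
            return "ip_quota"        # one attacker, many victims
        c.append(now)
        i.append(now)
        return "ok"
```

Check the limiter before the message is handed to the SMS or mail gateway, and key the contact on the normalised phone number or lowercased address so `+86 138...` and `86138...` share one window.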