Hacking Book | Free Online Hacking Learning


account logic vulnerability

Posted by verstraete at 2020-03-25

Registration scenario

Batch registration

Any account registration

Wash number

Registration overwrite

On older MySQL versions the same account can be registered twice:

Account A: Zhangsan

Account B: Zhangsan (with n trailing spaces after Zhangsan)

Login scenario

brute force

Malicious locking

Session security issues

Cookie forgery

Login problems

Login request sent unencrypted

Password recovery scenario

The normal password-recovery flow has 4 steps:

a. Enter user information b. Verify the user's credential c. Reset the password d. Reset succeeded

Brute-forcing the verification credential

In step two (credential verification), if the credential is too simple (for example 4 digits) or has a long or unlimited validity period, an attacker can brute-force it.

Common tools: burpsuite intruder

Credential returned by mistake

The credential is returned in the response header or body, so it can be read directly from the response.

Credential not bound to user information

In step two (credential verification), because the credential is not bound to the user's phone number or email address, user A can pass verification with user B's credential, so the password can be reset maliciously.
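The two step-two weaknesses above (a low-entropy code with no expiry, and a code that is not bound to the account that requested it) are shown here from the defender's side as an added Python example of a hardened verification step; this is not code from the original post, and the store, the TTL and the attempt limit are assumed values.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed: a reset code is only valid for five minutes
MAX_ATTEMPTS = 5         # assumed: wrong guesses allowed per issued code


@dataclass
class ResetCode:
    account: str          # the code is bound to exactly one account
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class ResetCodeStore:
    """In-memory store of outstanding password-reset codes, keyed by account."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock for testing expiry
        self._codes: dict[str, ResetCode] = {}

    def issue(self, account: str) -> str:
        # High-entropy code instead of a 4-digit number; issuing a new code
        # replaces any earlier one for the same account.
        code = secrets.token_urlsafe(32)
        self._codes[account] = ResetCode(account, code, self._now())
        return code

    def verify(self, account: str, code: str) -> bool:
        # Lookup is by the account doing the reset, so user B's code can
        # never satisfy a check for user A.
        rec = self._codes.get(account)
        if rec is None or rec.used:
            return False
        if self._now() - rec.issued_at > CODE_TTL_SECONDS:
            del self._codes[account]         # expired: discard it
            return False
        if rec.attempts >= MAX_ATTEMPTS:
            return False                     # locked: too many wrong guesses
        rec.attempts += 1
        if not hmac.compare_digest(rec.code, code):
            return False
        rec.used = True                      # single use
        return True
```

Every rejection above is a distinct failure mode: wrong account, expired, too many attempts, wrong value, or already used.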

Weak email token

This often appears in password recovery by email; the token generation methods are as follows:

Cookie overwrite

Reset with user A's account up to step three and do not close the page; in the same browser open a new page and reset with user B's account up to step two, and do not close that page either; refresh the first page (user A's reset page), at which point user B's password can be reset.

Front-end (client-side) check

Recovery step bypass

Universal verification code

Unauthorized access

Horizontal privilege escalation

Vertical privilege escalation

Bombing attack

Bombing attacks usually occur at the following locations: (welcome to add)