0x02 Security Vulnerability Detection

Review

  1. 2020/03/31
  2. 2023/08/05
  3. 2024/03/01
  4. 2024-09-29 06:45

I. Introduction

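Target features:

  1. Intelligent scanner (vulnerability detection with automatically generated XSS attack payloads)
  2. Browser compatibility testing
  3. Codebase vulnerability detection
  4. Photo and file inspection
  5. Sensitive-word detection

Vulnerability overview:

  1. XSS (cross-site scripting)
  2. SQL injection
  3. WebShell attacks
  4. Internal network penetration

Reflected XSS is defined as follows: if a malicious parameter in the URL is output directly into the page, causing the attack code to be triggered, it is called reflected XSS.

Stored XSS, as the name suggests, is the case where the malicious parameter has been stored.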

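Vulnerability scanning and detection tools

  1. Retire.js: audits code against a rule set, so the rules must be updated regularly to reflect the latest vulnerabilities.
  2. burp  https://portswigger.net/burp (paid)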
  3. OWASP_ZED https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project [FREE]
  4. https://github.com/zaproxy/zaproxy
  5. tensorflow.js toxicity model: detects violent language (the model is hosted by Google; how can it be downloaded?)
  6. Burp/AWVS/Appscan
  7. SQLmap
  8. Probing with backend scanners (havij, 御剑, burp)
  9. Arachni(Web Application Security Scanner Framework) https://github.com/Arachni/arachni 
  10. Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence. https://github.com/google/tsunami-security-scanner 
  11. Scanners-Box(A powerful and open-source toolkit for hackers and security automation) https://github.com/We5ter/Scanners-Box 
  12. dirsearch(Web path scanner) https://github.com/maurosoria/dirsearch

Reference

  1. Collection of open-source security penetration and attack tools on GitHub in 2019
  2. https://www.briggsby.com/auditing-javascript-for-seo
  3. https://www.briggsby.com/dealing-with-javascript-for-seo
  4. https://owasp.org/www-community/Source_Code_Analysis_Tools
  5. NodeJS Security Best Practices https://dev.to/mohammadfaisal/nodejs-security-best-practices-34ck