security business holes

Posted by tzul at 2020-04-10


Thinking about, thinking of his official account now.

Write it, write a previous summary.

{original intention}

A long time ago, one month, we preliminarily completed the summary of security loopholes in operation and maintenance;

Later, there was a shortage of ideas in actual combat, and it happened to be a summary of the mining of business security vulnerabilities.

This article is mainly to continuously record, summarize and practice business-related vulnerabilities (logic vulnerabilities),

It can change the thoughtless embarrassment during penetration test and public test when the scanner is forbidden to be used.


There are too many holes in business security to talk about, but few can. Since it is not long since the beginning of business security, the perspective, vision and accumulation are far from enough, so we have to share the previous "business logic test evaluation" in the form of prezi. I have to lament that the way of digging holes is very wonderful. Coupled with the display of "ppt" killers, it's even more dazzling.

<1> Mining method

1) Browse the web page to view the business process

As we all know, the first step of infiltration is information collection. In fact, the first step of digging logical loopholes is the same. Lean on the soft chair, listen to the rhythm you like, hold the mouse and swipe back and forth on the target system, the system functions come into view.

2) Think big and look for controllable links

Speaking of this, it's more experience. It's also a pleasure to stroll around the dark cloud mirror station and forum and pick up some loopholes. If you see too much, you will have an impression in your mind. You will want to dig a hole and dig a hole. Accumulation is on the one hand, thinking and summing up and thinking divergence is another more interesting thing, inadvertently the posture of others has become a unique way of their own characteristics.

3) Analyze and trigger hidden logic problems

The beauty of logical loopholes lies in their concealment. Personal feeling can dig holes that others can't find. It's the crystallization of brain and hands-on wisdom. Big guy may know at a glance that there may be some security holes in this scenario. Grab a package and think about it carefully to know the context of the parameter and which parameter is the most important. Logic loopholes are based on ideas > > > tools. No wonder someone will say that I have burp in the world. Sometimes a powerful customized dictionary is also needed, but the dictionary is not only the common name dictionary, mobile phone number dictionary, password dictionary


This part of the content will be scattered, because it's lazy, and I want to use prezi to share training exchanges with customers before. On the one hand, the mining method of logic loopholes has been described above. On the other hand, we want to let you feel the power and beauty of prezi.

{follow up}

I know that there are many tycoons and hole diggers looking at it. I'm sure there are many ideas and thoughts. Welcome to leave a message and exchange.