Hacking Web Servers - Overview

A web server is a system used to store, process, and deliver websites. It is designed to host web applications and allows clients to access those applications.

It uses the client-server model architecture, in which the web server plays the server role and the browser plays the client role.

Web servers consist of:

  • Document root - the folder that stores the website's HTML files
  • Server root - the folder that stores configuration, log, and executable files
  • Virtual document tree - a type of storage located on a different disk, used when the original disk is full
  • Virtual hosting - hosting more than one domain on a single server
  • Web proxy - a server placed between the client and the web server, so that all requests from the client pass through the proxy to the server instead of going directly to it


Web Server Attack Threats

Like any computer system, web servers can also be compromised. Attackers use various techniques to launch attacks against target web servers and gain unauthorized access.

Some of these attacks include:

DoS / DDoS Attacks

A DoS / DDoS attack is an attack in which the attacker sends a large number of requests to the target web server to prevent the server from functioning properly.

DNS Server Hijacking

A DNS server hijacking attack is an attack in which the attacker targets a DNS server and tampers with its mapping settings so that it redirects clients to the attacker's rogue server, which hosts the attacker's malicious website.

DNS Amplification Attacks

A DNS amplification attack is an attack in which the attacker uses recursive DNS queries to send a large number of requests carrying the victim's spoofed IP address to a DNS server, causing it to send its responses to the victim's IP address and thereby overwhelm the victim's server.

Directory Traversal Attacks

A directory traversal attack is an attack in which the attacker uses a manipulated URL to gain access to restricted directories.
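The server-side check that defeats the directory traversal attack described above, as an added example (not code from the original article): the request path is decoded, normalised and then required to stay inside the document root. The document root and the sample request paths are assumed for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

DOCROOT = "/var/www/html"  # assumed document root for this example


def resolve_under_docroot(url_path: str, docroot: str = DOCROOT) -> Optional[str]:
    """Map a request path to a file path inside docroot.

    Returns the resolved absolute path, or None when the request would
    leave the document root (e.g. via ../ or %2e%2e/ sequences).
    """
    # Decode percent-encoding twice: a server that decodes once and hands the
    # result to a second decoder is a classic source of filter bypasses, so
    # the check is applied to the fully decoded form.
    decoded = unquote(unquote(url_path))
    # NUL bytes and backslashes have no place in a request path; reject them
    # rather than let a lower layer reinterpret them.
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Join first, then normalise lexically (no disk access) so that every
    # '..' segment is resolved relative to docroot.
    candidate = posixpath.normpath(posixpath.join(docroot, decoded.lstrip("/")))
    # The real check: the result must still lie inside docroot.
    inside = candidate == docroot or candidate.startswith(docroot.rstrip("/") + "/")
    return candidate if inside else None


if __name__ == "__main__":
    for sample in ("/index.html", "/images/../about.html", "/../../etc/passwd"):
        print(sample, "->", resolve_under_docroot(sample))
```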


MITM Attacks

A man-in-the-middle attack is an attack in which the attacker intercepts the traffic going from the client to the server and back. They do this by tricking the client into believing that the attacker is the proxy. Once the client accepts the connection from the attacker, all communication between the client and the server passes through the attacker, allowing them to steal information.

Phishing Attacks

A phishing attack is an attack in which the attacker sends the victim emails containing malicious links. When the victim clicks a link, they are redirected to a malicious website that prompts them to provide sensitive information. The attacker then steals this information.

Website Defacement

A website defacement attack is an attack in which the attacker makes changes to the content of the target website.

Web Server Misconfiguration

A web server misconfiguration attack is an attack in which the attacker exploits weaknesses in the server's improper configuration.

HTTP Response Splitting Attacks

An HTTP response splitting attack is an attack in which the attacker injects new lines into the response headers, causing the server to split a single response into two. The attacker is then able to control the first response from the server and redirect the client to a malicious website.
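An added example (not from the original article) of the splitting mechanism just described and of the server-side fix: a redirect header built from an unvalidated value lets a CR/LF sequence end the first response and start a second one, while the hardened builder refuses any value containing CR or LF. The header layout and the attacker-controlled value are constructed for illustration.

```python
from typing import Optional

CRLF = "\r\n"


def build_redirect_vulnerable(location: str) -> str:
    """Builds a 302 redirect without validating the Location value.

    If `location` contains CR/LF, whatever follows it becomes extra header
    lines and, after a blank line, a second response.
    """
    return "HTTP/1.1 302 Found" + CRLF + "Location: " + location + CRLF + CRLF


def build_redirect_safe(location: str) -> Optional[str]:
    """Same redirect, but refuses any value that could start a new line."""
    if "\r" in location or "\n" in location:
        return None  # reject the request instead of emitting the header
    return "HTTP/1.1 302 Found" + CRLF + "Location: " + location + CRLF + CRLF


def count_responses(raw: str) -> int:
    """Counts status lines in a response stream, as a client or caching
    proxy that reads responses back to back would see them."""
    return sum(1 for line in raw.split(CRLF) if line.startswith("HTTP/1.1 "))


# Constructed attacker-controlled value: a redirect target followed by CR/LF
# sequences that terminate the first response and begin a second, empty one.
INJECTED = ("https://example.test/" + CRLF + CRLF
            + "HTTP/1.1 200 OK" + CRLF + "Content-Length: 0" + CRLF + CRLF)

if __name__ == "__main__":
    print("vulnerable:", count_responses(build_redirect_vulnerable(INJECTED)), "responses")
    print("safe:", build_redirect_safe(INJECTED))
```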

Web Cache Poisoning

Web cache poisoning is an attack in which the attacker replaces cached content with malicious content.

SSH Brute Force Attacks

An SSH brute force attack is an attack in which the attacker obtains SSH login credentials and creates SSH tunnels between two hosts through which they can transmit malicious content.

Web Server Password Cracking Attacks

A web server password cracking attack is an attack in which the attacker cracks the target server's passwords and uses them to carry out further attacks.

Web Application Attacks

A web application attack is an attack in which the attacker exploits vulnerabilities in the application's code.



Hacking Methodology

The web server hacking methodology provides attackers with the steps they need to follow in order to carry out a successful attack.

These steps are:

  • Gather information about the target web server
  • Learn about the server's remote access capabilities, ports, and services
  • Mirror the target website in order to browse it offline
  • Discover vulnerabilities
  • Perform session hijacking and password attacks

During the information gathering step, the attacker may try to obtain the target's _ _ + _ | file, which contains the directories and hidden files of the web pages. This file can provide the attacker with information such as passwords, email addresses, and hidden links.

To carry out the steps above and succeed in hacking, attackers use tools such as Metasploit and Wfetch.

Metasploit is a penetration testing platform that allows you to find, exploit, and validate vulnerabilities.

Wfetch is a tool that displays the request and the response so that the communication is easier to understand. It can be used to create HTTP requests that test the performance of new websites or websites that contain new elements, such as Active Server Pages (ASP) or wireless protocols.



Web Server Attack Countermeasures

It is recommended that the web hosting network consist of three segments:

  • Internet
  • DMZ
  • Internal network

The web server should be placed in the DMZ so that it is isolated from both the Internet and the internal network. Each segment should be protected by a firewall and have its own hub or switch.

Other countermeasures include ensuring that the server is always kept up to date and that security patches and hotfixes are applied. Unused ports and protocols should be blocked, as should all unnecessary ICMP traffic.

Default passwords should be changed and unused default accounts should be disabled.

Logs should be monitored frequently to make sure that the server has not been compromised.

Changes to executable and regular files can be detected using a Website Change Detection System script that periodically compares the files to determine whether any changes have been made to them and raises an alert.
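A minimal change detection check of the kind described above, as an added example (not code from the original article): it records a SHA-256 baseline of every file under the document root and, on a later run, reports files that were added, removed or modified so that an alert can be raised. The document root and the file names in the demo are constructed, and the baseline store is assumed to be writable only by the administrator.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def snapshot(docroot: str) -> Dict[str, str]:
    """Return {relative_path: sha256_hex} for every regular file under docroot."""
    root = Path(docroot)
    result: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            result[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two snapshots; any non-empty list is grounds for an alert.

    The baseline must be kept where the web server account cannot write it
    (read-only or off-box); otherwise an intruder who changes the content
    can simply re-baseline as well.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def needs_alert(report: Dict[str, List[str]]) -> bool:
    """True when anything changed since the baseline."""
    return any(report.values())


def demo() -> Dict[str, List[str]]:
    """Simulates a defacement in a temporary document root and returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { color: black; }")
        baseline = snapshot(tmp)
        # Constructed defacement: the home page is rewritten and a page is dropped in.
        (root / "index.html").write_text("<h1>Defaced</h1>")
        (root / "new-page.html").write_text("<p>unexpected content</p>")
        return diff_snapshots(baseline, snapshot(tmp))


if __name__ == "__main__":
    report = demo()
    print(report, "ALERT" if needs_alert(report) else "no changes")
```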