A web server is a system used to store, process, and deliver websites. It is designed to host web applications and allow clients to access those applications.
It uses the client-server model architecture, in which the web server plays the role of the server and the browser plays the role of the client.
Web servers contain:
Like any computer system, web servers can be compromised. Attackers use various techniques to launch attacks against a target web server and gain unauthorized access.
Some of these attacks include:
A DoS/DDoS attack is an attack in which the attacker sends a very large number of requests to the targeted web server in order to prevent the server from functioning properly.
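One place a defender notices the flood described above is the web server's access log. The following added example (not code from the original page) parses Common Log Format lines and applies a sliding-window request-rate check per client IP, raising an alert for any address that exceeds a threshold inside the window. The log lines, the window of 10 seconds, the threshold of 20 requests, and the two client addresses (RFC 5737 documentation ranges) are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional

# Common Log Format: client IP, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "req": m["req"],
        "status": int(m["status"]),
    }


def flood_sources(lines: List[str], window_seconds: int = 10, threshold: int = 20) -> Dict[str, int]:
    """Sliding-window rate check per client IP.

    Returns {ip: peak_requests_in_window} for every IP that exceeded `threshold`
    requests within any `window_seconds` span. Assumes each IP's lines appear in
    time order, which is how a web server writes its access log.
    """
    windows: Dict[str, Deque[datetime]] = defaultdict(deque)
    peaks: Dict[str, int] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the monitor
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that have fallen out of the window.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


def make_sample_log() -> List[str]:
    """Constructed sample traffic (not real data): one normal client and one flooding client."""
    base = datetime(2023, 10, 10, 13, 55, 36, tzinfo=timezone.utc)
    lines = []
    for i in range(5):  # normal client: one request every 2 seconds
        ts = (base + timedelta(seconds=2 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.9 - - [{ts}] "GET /index.html HTTP/1.1" 200 2326')
    for i in range(50):  # flooding client: 50 requests inside 10 seconds
        ts = (base + timedelta(milliseconds=200 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{ts}] "GET / HTTP/1.1" 200 612')
    return lines


if __name__ == "__main__":
    for ip, peak in flood_sources(make_sample_log()).items():
        print(f"ALERT: {ip} sent {peak} requests within 10 s")
```

A per-IP counter like this catches a single-source DoS; a distributed flood spreads requests across many addresses that each stay under the threshold, so for DDoS the same window logic is usually applied to the total request rate or to a per-URL rate as well.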
A DNS server hijacking attack is an attack in which the attacker targets a DNS server and alters its mapping settings, causing it to redirect clients to the attacker's rogue server, which hosts the attacker's malicious website.
A DNS amplification attack is an attack in which the attacker uses recursive DNS queries to send a large number of requests carrying the victim's IP address to a DNS server, causing it to respond to the victim's IP address and thereby overwhelm the victim's server.
A directory traversal attack is an attack in which the attacker uses a manipulated URL to gain access to restricted directories.
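The defence against the manipulated URL described above is to resolve the requested path and refuse anything that lands outside the document root. The following added example (not code from the original page) shows the naive join beside its hardened form; the document root `/var/www/html` and the function names are assumptions made for the example.

```python
import posixpath
from pathlib import PurePosixPath
from typing import Optional
from urllib.parse import unquote

# Assumed document root for the example (not a path from the original page).
WEB_ROOT = PurePosixPath("/var/www/html")


def unsafe_resolve(web_root: PurePosixPath, requested: str) -> PurePosixPath:
    """The 'before' form: joins and normalises but never checks where the result lands,
    so a request containing '..' segments walks out of the document root."""
    return PurePosixPath(posixpath.normpath(str(web_root / unquote(requested))))


def safe_resolve(web_root: PurePosixPath, requested: str) -> Optional[PurePosixPath]:
    """Hardened form. Returns the resolved path, or None when the request must be rejected."""
    # 1. Percent-decode exactly once, before validation, so encoded dots are checked too.
    #    (A double-encoded "%252e" decodes to the literal "%2e" and simply matches no file.)
    decoded = unquote(requested)
    # 2. Reject embedded NUL bytes, which can truncate the path in lower-level APIs.
    if "\x00" in decoded:
        return None
    # 3. Strip leading slashes: an absolute path in the URL must not replace the root.
    decoded = decoded.lstrip("/")
    # 4. Normalise, then require that the result is still inside web_root.
    candidate = PurePosixPath(posixpath.normpath(str(web_root / decoded)))
    try:
        candidate.relative_to(web_root)
    except ValueError:
        return None
    return candidate
```

The check is purely lexical so that it runs offline; on a real filesystem the served path should additionally be passed through `os.path.realpath` so that a symbolic link inside the web root cannot point the resolved path back outside it.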
A man-in-the-middle attack is an attack in which the attacker intercepts the traffic going from the client to the server and back. They do this by tricking the client into believing that the attacker is the proxy. Once the client accepts the connection from the attacker, all communication between the client and the server passes through the attacker, allowing them to steal information.
A phishing attack is an attack in which the attacker sends the victim an email containing malicious links. When the victim clicks on a link, they are redirected to a malicious website that tricks them into providing sensitive information. The attacker then steals this information.
A website defacement attack is an attack in which the attacker makes changes to the content of the targeted website.
A web server misconfiguration attack is an attack in which the attacker exploits vulnerabilities caused by improper configuration of the server.
An HTTP response splitting attack is an attack in which the attacker inserts new lines into the response headers, causing the server to split a single response into two. The attacker is then able to control the first response from the server and redirect the client to a malicious website.
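The splitting happens because a user-controlled value is copied into a header line without checking for the line terminators that end that header. The following added example (not code from the original page) builds a redirect response the unsafe way and the hardened way, and includes a small check that counts how many status lines a downstream proxy or cache would see in the resulting bytes; the function names and the `Location` value are assumptions made for the example.

```python
from typing import Dict


class HeaderInjectionError(ValueError):
    """Raised when a header value contains characters that would end the header line."""


def build_redirect_unsafe(location: str) -> bytes:
    """The 'before' form: copies a user-controlled value straight into the header block."""
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n".encode("latin-1")


def validate_header_value(value: str) -> str:
    """Reject CR, LF and NUL. Any one of them lets the value end the current header
    line and start new headers (or a whole second response) of its own."""
    if any(c in value for c in ("\r", "\n", "\x00")):
        raise HeaderInjectionError("control character in header value")
    return value


def build_redirect_safe(location: str) -> bytes:
    """Hardened form: validate before the value reaches the header block."""
    return f"HTTP/1.1 302 Found\r\nLocation: {validate_header_value(location)}\r\n\r\n".encode("latin-1")


def count_responses(raw: bytes) -> int:
    """How many HTTP status lines a downstream proxy or cache would see in this byte block."""
    return sum(1 for part in raw.split(b"\r\n") if part.startswith(b"HTTP/1."))


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Parse the first header block only, the way a client reads the 'first' response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    headers = {"status": status_line}
    for line in header_lines:
        name, _, val = line.partition(":")
        headers[name.strip()] = val.strip()
    return headers
```

Rejecting the value is preferable to silently stripping the control characters: a stripped value may still be wrong, and the rejection is an event worth logging. Mature web frameworks already apply this check inside their header-setting APIs, which is one reason to set headers through the framework rather than by string concatenation.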
Web cache poisoning is an attack in which the attacker replaces cached content with malicious content.
An SSH brute-force attack is an attack in which the attacker obtains SSH login credentials and creates SSH tunnels between two hosts through which they can transmit malicious content.
A web server password attack is an attack in which the attacker cracks the passwords of the targeted server and uses them to carry out further attacks.
A web application attack is an attack in which the attacker exploits vulnerabilities in the application's code.
The web server hacking methodology gives attackers the steps they should follow in order to carry out a successful attack.
These steps are:
During the information gathering step, the attacker may try to obtain the target's robots.txt file, which lists directories and files hidden from web crawlers. This file can give the attacker information such as passwords, email addresses, and hidden links.
To carry out the steps above and succeed in the attack, attackers use tools such as Metasploit and Wfetch.
Metasploit is a penetration testing platform that allows you to find, exploit, and validate vulnerabilities.
Wfetch is a tool that displays the request and the response so that the communication is easy to understand. It can be used to craft HTTP requests that test the performance of new websites or of websites containing new elements, such as Active Server Pages (ASP) or wireless protocols.
It is recommended that the web hosting network have three segments:
The web server should be placed in the DMZ so that it is isolated from both the Internet and the internal network. Each segment should be protected by a firewall and have its own hub or switch.
Another countermeasure is to ensure that the server is updated regularly and that security patches and hotfixes are applied. Unused ports and protocols should be blocked, as should all unnecessary ICMP traffic.
Default passwords and unused default accounts should be changed and disabled, respectively.
Logs should be monitored frequently to make sure that the server has not been compromised.
Changes to executable and regular files can be detected with a Website Change Detection System script that periodically compares the files, determines whether any of them have been altered, and raises an alert.
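The change detection described above amounts to hashing every file under the web root, storing that baseline, and comparing a fresh snapshot against it on each run. The following added example (not the page's or any product's code) implements that comparison with SHA-256 and classifies each difference as added, removed, or modified; the web root and its files are constructed inside a temporary directory so that the script runs offline, and the file names are assumptions made for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_snapshot(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every difference so the alert says exactly what changed."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def save_snapshot(snapshot: Dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(snapshot, indent=2, sort_keys=True))


def load_snapshot(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def demo() -> Dict[str, List[str]]:
    """Build a constructed web root, take the baseline, alter the site, and re-check.
    The baseline is stored outside the web root: anyone able to alter the site could
    otherwise rewrite the baseline to match."""
    with tempfile.TemporaryDirectory() as site, tempfile.TemporaryDirectory() as store:
        root, baseline_file = Path(site), Path(store) / "baseline.json"
        (root / "index.php").write_text("<?php echo 'welcome'; ?>")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { margin: 0 }")
        (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        save_snapshot(build_snapshot(root), baseline_file)

        # Simulated changes: page content replaced, a new file appears, an asset deleted.
        (root / "index.php").write_text("<?php echo 'changed'; ?>")
        (root / "new-page.html").write_text("<html></html>")
        (root / "logo.png").unlink()

        return compare_snapshots(load_snapshot(baseline_file), build_snapshot(root))


if __name__ == "__main__":
    diff = demo()
    if any(diff.values()):
        print("ALERT: web root changed:", json.dumps(diff))
```

In production the baseline is refreshed only as part of a deliberate deployment, and the comparison runs from a scheduled job on a host other than the web server where possible, so that a compromise of the server does not also silence the detector.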