
Research On Penetration Technology Based On Web Attack

Posted on: 2019-11-10
Degree: Master
Type: Thesis
Country: China
Candidate: D Lv
Full Text: PDF
GTID: 2428330545970695
Subject: Computer technology

Abstract/Summary:
Penetration testing is a process in which security personnel, in order to eliminate system vulnerabilities and enhance system defense capability, attack a test target in a variety of ways from the perspective of an attacker and deliver a detailed report at the end. It aims at finding vulnerabilities in order to strengthen system defenses, and it is one of the common means by which security workers examine the safety of Web applications. Penetration testers may attempt attacks with various Web attack techniques during the testing phase of a penetration test. In recent years, as people have paid more attention to Web security, CSRF (Cross-Site Request Forgery) attacks have gradually come into view; CSRF is a Web attack that targets users by forging their requests. The present paper mainly studies router CSRF and multi-step CSRF, building on single-step CSRF attacks, and analyzes and summarizes current CSRF defense methods. First, the paper sets out the background and significance of the research, summarizes the state of research abroad and in China, and systematically describes the penetration testing process and commonly used testing techniques. Then the main attacks faced by Web applications are listed and summarized systematically. The principle of the CSRF attack is analyzed in detail, and the reasons CSRF vulnerabilities exist are explained in terms of the browser same-origin policy, cookie policy, P3P header policy and Cross-Origin Resource Sharing. Secondly, we compare single-step CSRF attacks under the GET and POST methods. We then propose exploiting router CSRF and multi-step CSRF vulnerabilities and further explore the methods and means of CSRF attacks. These attacks are implemented and verified in a self-built experimental environment. Finally, the paper analyzes and summarizes the current methods of CSRF defense, proposes improvements to the approach of adding Token variables, and compares the experimental results, verifying that the method used in this paper is more secure and reliable against CSRF attacks.
Keywords/Search Tags:Web Applications, Penetration Testing, CSRF, Multi-step CSRF Attacks