full access to the local network, if a downgrade from the application layer to the transport layer is possible and, accordingly, full control of the payload at the application layer;
Why bother stealing the session at all (especially now that HttpOnly cookies are used everywhere, protecting them from theft by JS scripts) if the payload can access API resources directly? In that case the payload can use XHR requests to change the server configuration, for example add the attacker's SSH key and obtain SSH access to the server.
If a CSP (Content Security Policy) blocks the injection of JavaScript, the attacker can do without it. Using plain HTML, they can build a login form on the site and steal the administrator's password through a high-grade phishing: the phishing page is served to the user at the same URL, so it is hard for the user to tell it apart.
Finally, the attacker can arrange a client-side DoS by setting a cookie larger than 4 KB. The user only needs to open the link once, and the whole site becomes inaccessible until the user realizes that this particular browser needs to be cleared: in most cases the web server will refuse to accept such a client.
Let's look at another example of a detected XSS, this time with more elaborate exploitation. The MCS service lets you combine firewall settings into groups, and the XSS was found in the group name. Its peculiarity is that the vector does not fire immediately, when the list of rules is viewed, but when a group is deleted:
So the scenario becomes the following: the attacker creates a firewall rule with the "payload" in its name, the administrator notices it after a while and starts the deletion procedure. That is the moment the malicious JS runs.
A weak generation algorithm, i.e. the ability to predict the next code.
Incorrect logic, such as the ability to request someone else's OTP to your own phone, as was the case with Shopify.
In the case of MCS, 2FA is implemented on top of Google Authenticator and Duo. The mechanism itself is time-tested, but the way verification codes are used on the application side is worth checking.
MCS uses 2FA in several places:
When authenticating the user. Brute-force protection is in place: the user gets only a few attempts to enter a one-time password, after which input is temporarily blocked. This rules out brute-forcing the OTP.
When generating offline backup codes for 2FA, and also when disabling it. Here no brute-force protection was applied, which made it possible, given the account password and an active session, to regenerate the backup codes or disable 2FA entirely.
Considering that the backup codes lie in the same range of values as the codes generated by the OTP application, the chance of hitting a code in a short time is higher.
The process of brute-forcing the OTP to disable 2FA with the "Burp: Intruder" tool.
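As an added, constructed example (not MCS code) of the fix the 2FA section calls for: a single per-account attempt limiter shared by login, backup-code regeneration and 2FA disable, so that a route without its own limiter cannot be used to guess a code. MAX_ATTEMPTS, LOCKOUT_SECONDS and the function names are assumptions.

```python
import hmac
import secrets
import time
from collections import defaultdict

MAX_ATTEMPTS = 5        # assumed: consecutive failures allowed per account
LOCKOUT_SECONDS = 300   # assumed: how long code entry is blocked afterwards

class TwoFactorGuard:
    """Per-account attempt limiter shared by every route that consumes a
    2FA code (login, backup-code regeneration, 2FA disable)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                  # injectable for testing
        self._failures = defaultdict(int)    # account -> consecutive failures
        self._locked_until = {}              # account -> unlock timestamp

    def is_locked(self, account):
        until = self._locked_until.get(account)
        return until is not None and self._clock() < until

    def verify(self, account, submitted, valid_codes):
        """True only if `submitted` matches a valid code and the account is
        not locked. Failures count per account, not per endpoint."""
        if self.is_locked(account):
            return False
        sub = submitted.encode()
        # Compare against every candidate so timing does not leak the match.
        matched = [c for c in valid_codes if hmac.compare_digest(sub, c.encode())]
        if matched:
            self._failures[account] = 0
            return True
        self._failures[account] += 1
        if self._failures[account] >= MAX_ATTEMPTS:
            self._locked_until[account] = self._clock() + LOCKOUT_SECONDS
            self._failures[account] = 0
        return False

def generate_backup_codes(n=10, digits=8):
    """Offline backup codes from a CSPRNG, in a larger space than 6-digit TOTP."""
    return [str(secrets.randbelow(10 ** digits)).zfill(digits) for _ in range(n)]

def disable_2fa(guard, account, submitted, totp_codes, backup_codes):
    """The route that lacked a limiter in the text: it now goes through the
    same guard as login, and a backup code is consumed on success."""
    if not guard.verify(account, submitted, list(totp_codes) + list(backup_codes)):
        return False
    backup_codes.discard(submitted)          # backup codes are single-use
    return True
```

In a real deployment the failure counters and lock timestamps live in shared storage (a database or cache) rather than in process memory, otherwise each application instance keeps its own budget.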
Results
Overall, MCS looks like a secure product. During the audit, the pentest team was unable to gain access to client VMs or their data, and the problems found were promptly fixed by the MCS team.
But it is important to remember that security is a continuous process. Services do not stand still; they change constantly. And it is impossible to build a product with no vulnerabilities at all. What you can do is find them in time and reduce the risk of their recurrence.
At the moment, all the problems mentioned above have already been fixed in MCS. And to keep the number of new ones to a minimum and shorten their lifetime, the platform team continues to do the following:
regularly conduct audits by external companies;