3 posts in '7. Tips/Security'
- 2014.06.17 WebScarab
- 2014.06.14 Check available HTTP methods
- 2014.06.14 CSRF - Cross Site Request Forgery
https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols.
WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser.
It is very simple to check which HTTP methods a target site accepts using telnet.
This example assumes that you are using Windows.
1. Press Windows + R, type cmd.exe and run it.
2. Check whether the telnet client is installed by typing 'telnet' as below.
If it is installed, the following message will be shown.
If not, install it first.
3. Enter the following command:
telnet [server url or ip address] 80
4. Enter the following text after changing the host information to match yours (press Enter twice after the Host line; the empty line tells the server that the request headers are complete):
OPTIONS / HTTP/1.1
Host: [server url or ip address]
This example used the following text:
OPTIONS / HTTP/1.1
Host: 192.168.0.6
After sending this text, the result will be shown as below:
For HTTP/1.0, the following text can be used instead:
OPTIONS * HTTP/1.0
Note: Some well-known sites such as Naver and other portals have already blocked this kind of access.
But we can still find out that Naver is using nginx as its HTTP server.
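The same check, automated so that a server owner can review which methods their own host exposes. This is an added example, not part of the original post: it builds the request typed by hand above (with an extra Connection: close header, an assumption so the socket read ends), parses the Allow and Server response headers, and flags methods that usually deserve a second look (TRACE, PUT, DELETE, CONNECT, PATCH: the list is the example's own choice). The sample response is constructed, not captured from a real server.

```python
import socket
from typing import Dict, List

# Methods a server owner usually wants to review before leaving them enabled.
# This list is the example's own choice, not something the original post states.
REVIEW_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT", "PATCH"}


def build_options_request(host: str, http10: bool = False) -> bytes:
    """Build the request the telnet walkthrough types by hand.
    HTTP/1.1 requires a Host header; the empty line (CRLF CRLF) ends the headers.
    Connection: close is added so the server closes the socket after replying."""
    if http10:
        return b"OPTIONS * HTTP/1.0\r\n\r\n"
    return f"OPTIONS / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")


def parse_options_response(raw: bytes) -> Dict[str, object]:
    """Extract the status line, Server header and the methods listed in Allow."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, so normalise them
            headers[name.strip().lower()] = value.strip()
    allowed: List[str] = [m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()]
    return {
        "status": lines[0],
        "server": headers.get("server", ""),
        "allowed": allowed,
        "review": sorted(m for m in allowed if m in REVIEW_METHODS),
    }


def probe(host: str, port: int = 80, timeout: float = 5.0) -> Dict[str, object]:
    """Send the OPTIONS request over a raw socket (the telnet step, automated)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:  # server closed the connection: response is complete
                break
            chunks.append(data)
    return parse_options_response(b"".join(chunks))


# Constructed sample response used for the offline demonstration below.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Allow: GET, HEAD, POST, OPTIONS, TRACE\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(parse_options_response(SAMPLE_RESPONSE))
```

On a production host, a non-empty "review" list (TRACE in particular) is a signal to disable the method in the server configuration unless the application actually needs it.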
From Wikipedia
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
To understand the difference between XSS and CSRF, read the sentences highlighted in color.