Common vulnerabilities for web servers
The purpose of this article is to introduce the common vulnerabilities of web servers. I believe that after reading it you can try to find some web server vulnerabilities yourself. But remember: do not look for vulnerabilities merely for the sake of finding them. Besides, even if you find a vulnerability, whether it can actually be used is another matter.
The main vulnerabilities of web servers include physical path leaks, CGI source code leaks, directory traversal, arbitrary command execution, buffer overflows, denial of service, race conditions, and cross-site scripting. They are somewhat similar to CGI vulnerabilities, but in more respects they differ. Whatever the vulnerability, it reflects the truth that security is a whole: when considering the security of a web server, the operating system it works with must be considered as well.
Below I introduce these vulnerabilities one by one. To make them easier to understand, I attach a few links with each vulnerability, where you can find more details about web servers affected by the same kind of vulnerability.
[Physical path leak]
A physical path leak is generally caused by an error in how the web server handles a user request, for example an overly long request, a carefully constructed special request, or a request for a file that does not exist on the web server. These requests have one thing in common: the requested file is always a CGI script, not a static HTML page. There is also the case where the web server reveals its physical path in some of its own output, which should be regarded as a design problem.
Some related links:
http://security.nsfocus.com/showquery.asp?bugid=2008
http://online.securityfocus.com/bid/1531
[CGI source code leak]
CGI source code leaks have several causes: special requests, encoding and decoding, appended special characters, or carefully constructed requests can all cause CGI source code to leak. Here are some example requests:
http://www.host.com/index.jsp
http://www.host.com/index.jsP
http://www.host.com/index.jsp%9ttp://www.host.com/index.jsp
http://www.host.com/index.jsp%2e
http://www.host.com/index.jsp/
http://www.host.com/index.jsp?
http://www.host.com/index.jsp\
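For defenders, the request variants listed above can be recognized in access logs by canonicalizing each request target and comparing it with what an exact, case-sensitive handler mapping would match. The following is an added example, not code from the original article; the names `source_leak_reason` and `scan`, the extension list and the sample targets are assumptions made for illustration.

```python
from urllib.parse import unquote

# Assumption: extensions this server maps to a script handler.
SCRIPT_EXTS = (".jsp", ".asp", ".php", ".cgi", ".pl")
# Trailing characters a file system may ignore but an exact suffix match does not.
IGNORED_TRAILERS = " ./\\\x00"


def source_leak_reason(target):
    """Return why a request target may bypass the handler mapping, or None."""
    path, qmark, query = target.partition("?")
    decoded = unquote(path)
    canon = decoded.rstrip(IGNORED_TRAILERS)
    if not canon.lower().endswith(SCRIPT_EXTS):
        return None  # does not resolve to a script at all
    if path.endswith(SCRIPT_EXTS):
        # Exact match: the handler runs. Only a bare "?" is worth a look.
        return "empty query string" if qmark and not query else None
    if decoded.endswith(SCRIPT_EXTS):
        return "extension is percent-encoded"
    if canon != decoded:
        return "trailing characters after the extension"
    return "extension case differs from the handler mapping"


def scan(targets):
    """Map each flagged request target to the reason it was flagged."""
    flagged = {}
    for t in targets:
        reason = source_leak_reason(t)
        if reason:
            flagged[t] = reason
    return flagged


# Constructed sample: the article's variants plus three ordinary requests.
SAMPLE_TARGETS = [
    "/index.jsp", "/index.jsP", "/index.jsp%2e", "/index.jsp/",
    "/index.jsp?", "/index.jsp\\", "/index.html", "/index.jsp?id=1",
]

if __name__ == "__main__":
    for target, reason in scan(SAMPLE_TARGETS).items():
        print(f"{target!r}: {reason}")
```

The same canonicalization, applied by the server before it chooses a handler, is what prevents the script from being served as a static file in the first place.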