Web Application Vulnerablities
1、 File inclusion
berfoe start this caption i make a conclusion for install third-part as follow
I not include the sequence decoder and Comparer tabls in this blogs ,because i think their usage is very straightforward ,and in fact ,rarely usee them in career,so it's waste my time .if you want to add the functionality to scan for outdated javaScript libraries ,you can install the module Retire.js bisides it, WAF ,errors, java, Net,SQLi,XSS, and so on.for me usually used in my burpsuite. before install the BApp Store ,frist install Jyython (Jython is a library for java and Python ,and some apps use this library ,so it's a Prrequisite for apps to work )
if you can't install BApp in correct, you can restart application, use the command (you must use per version).
java -XX:MaxPermSize=1G -jar [ burp_file_name.jar]
File inclusion this Vulnerability can be exploited by including a file in the url ,the file that was included can be local to the server ,and thus be called Local File inclusion, or can point to remote a remote file, and thus called a Remote file inclusion . but at present the programming and web servers have buit-in mechanisms to protect against this flaw.in real life there is some developer forgets to include a validation on server side such these legacy programming languages JSP、ASP、PHP。
the Feist one is Local File Inclusion will allow direction traversal characters such as dot-dot-slash to be injection. such as: | http:///domain_name/index.php?file=hack.html
we can changer the hack file to another file on the web server system can checked: | http:///domain_name/index.php?file=../../../../ect/password
as follow picture screenshot

now we can change the page=

the second is Remote file Inclusion : a file path in the url taht points to the remote file outside the boundaries of the web server that hosts the web application
likes this : http://domain_name/index.php?file=http://hack_domain/malware.php as follow i changer the to my blog site

2、Cross-Site Scripting
it's means XSS as we usually said. is exploited when the attacker can successfully execute any type of script (for example, JavaScript) on the victim's browser. These types of flaws exist because the developer did not validate the request or correctly encoded the response of the application. JavaScript is not the only script language used for XSS but it is the most common (in fact it's my favorite); attackers sometimes use scripting languages such as VBScript, ActiveX, Flash, and many more.

Web Application Vulnerablities的更多相关文章
- Web Application Penetration Testing Local File Inclusion (LFI) Testing Techniques
Web Application Penetration Testing Local File Inclusion (LFI) Testing Techniques Jan 04, 2017, Vers ...
- 微软压力测试工具 web application stress
转自 http://www.cnblogs.com/tonykan/p/3514749.html lbimba 铜牌会员 这里给广大的煤油推荐一个web网站压力测试工具.它可以用来模拟多个用户操作网 ...
- 使用Microsoft Web Application Stress Tool对web进行压力测试
Web压力测试是目前比较流行的话题,利用Web压力测试可以有效地测试一些Web服务器的运行状态和响应时间等等,对于Web服务器的承受力测试是个非常好的手法.Web 压力测试通常是利用一些工具,例如微软 ...
- 实验环境里新创建成功的web application却在浏览器中返回404错误
刚刚翻笔记翻到一些刚学SharePoint时候解决的一些很2的初级问题,本来是有些挣扎该不该把它们记录到这个blog里的?因为担心这些很初级的文章会拉低这个blog的逼格,但是我的哥们善意的提醒了我一 ...
- SharePoint创建web application出现“The password supplied with the username was not correct”错误的解决方法
平台环境 Windows Server 2012 R2 Standard, SharePoint Server 2010, Microsoft SQL Server 2012 (SP1) 问题描述 在 ...
- SharePoint中新创建的Web Application在浏览器中报404错误
问题描述:在安装完成SharePoint 2010后,进入Central Administration,创建一个新的Web Application,可以正常创建,但访问时却返回404. 平台环境:Wi ...
- Intellij Idea中的Jetty报出Web application not found src/main/webapp错误的解决方案
今天在Intellij Idea中编译项目的时候,运行起来一直会报出如下的错误: Web application not found src/main/webapp 当时感觉应该是什么文件缺少了.所以 ...
- 如何Recycle一个SharePoint Web Application,以及为什么
当你发现SharePoint服务器的CPU或者内存使用率居高不下的时候,很多人都会选择iisreset来让资源使用率降下来.但是在企业环境中,这毫无疑问会使这台服务器中断服务从而影响到用户的使用,所以 ...
- You may receive an exception when you browse a .NET Framework 2.0 ASP.NET Web application
SYMPTOMS When you browse a Microsoft .NET Framework 2.0 ASP.NET Web application, you may receive one ...
随机推荐
- WEB通知和React Native之即时通讯(iOS Android)
WEB通知和React Native之即时通讯(iOS Android) 一,需求分析 1.1,允许服务器主动发送信息给客户端,客户端能监听到并且能接收. 1.2,为了方便同一个系统内的用户可以指定某 ...
- Lodop简短问答客户反馈篇 及排查步骤 及注册相关
A.http下打印图片正常,https下打印图片是××.(有的客户端可以,有的不可以)重置ie浏览器试试.客户反馈:(和ie浏览器的设置有关)intenet选项--高级里,我调整为和能打印出图片的电脑 ...
- Working with PDF files in C# using PdfBox and IKVM
I have found two primary libraries for programmatically manipulating PDF files; PdfBox and iText. T ...
- AtCoder Beginner Contest 122 D - We Like AGC(DP)
题目链接 思路自西瓜and大佬博客:https://www.cnblogs.com/henry-1202/p/10590327.html#_label3 数据范围小 可直接dp f[i][j][a][ ...
- [ZJOI2016]旅行者
题目描述 小Y来到了一个新的城市旅行.她发现了这个城市的布局是网格状的,也就是有n条从东到西的道路和m条从南到北的道路,这些道路两两相交形成n*m个路口 (i,j)(1<=i<=n,1&l ...
- Linux-Centos破解安装confluene6.3.1
Centos 安装企业wiki confluence是一个专业的企业知识管理与协同软件,可以用于构建企业wiki.通过它可以实现团队成员之间的协作和知识共享.现在大多数公司都会部署一套confluen ...
- Linux基本命令总结(九)
接上篇: 46,scp是secure copy的简写,用于在Linux下进行远程拷贝文件的命令,和它类似的命令有cp,不过cp只是在本机进行拷贝不能跨服务器,而且scp传输是加密的.可能会稍微影响一下 ...
- (转)Java8内存模型—永久代(PermGen)和元空间(Metaspace)
背景:介绍java8中永久代到元空间的转变. Java8内存模型—永久代(PermGen)和元空间(Metaspace) 一.JVM 内存模型 根据 JVM 规范,JVM 内存共分为虚拟机栈.堆.方法 ...
- [jzoj]4271. 【NOIP2015模拟10.27】魔法阵(37种转移的dp)
题意不说 应该这辈子都不会忘记了... 这是我人生中做的最SB的一道DP题. 真的打的我心态崩了.... 可是竟然被我调出来了..... 也是没谁了... 我们设\(F[i][j][S]\)表示到第\ ...
- I/O模型之三:两种高性能 I/O 设计模式 Reactor 和 Proactor
目录: <I/O模型之一:Unix的五种I/O模型> <I/O模型之二:Linux IO模式及 select.poll.epoll详解> <I/O模型之三:两种高性能 I ...