A website vulnerability repair provider analyzes broken access control (越权, "ultra vires") caused by controllable parameters
2022-07-19 08:00:00 【websinesafe】
Many websites contain access-control (越权) vulnerabilities. Before hunting for them, we need to be clear about what a key controllable parameter is. A key parameter is one that decides which object or which user the server acts on, for example a user ID or an order ID. "Controllable" means that you, the tester, can set its value from the client side. If the value is bound on the server (for example taken from the session rather than the request) or is fixed and cannot be changed, then it is not a controllable parameter in this sense. The defining property of a key controllable parameter is that changing it can produce the access-control effect: you read or modify something that belongs to someone else. If we can locate these key controllable parameters quickly, we can find the corresponding access-control vulnerability much faster.

Next, what does the principle of "change one parameter, hold the others constant" mean? A single request often carries several variables or parameters. We normally change one parameter first while leaving every other parameter unchanged, then look at how the response changes. If the effect we are looking for does not appear, we change a different variable; after that we change two variables together, and so on until every variable has been changed, or we delete some variables from the request altogether. This is what we call the principle of controlled, one-at-a-time change.
So the idea is: keep the other variables fixed, change the key variable, and only then change several at once. This may still sound abstract, so we will go through examples to explain it. Before the examples, one thing I almost forgot: how do we find the key variable in the first place? Let us look at the kinds of parameter involved. The first kind I classify as the user identity ID. The site assigns each user a unique identifier, and that identifier alone is enough to determine which user is meant: a mobile number, an ID card number, or the user ID itself. These are all unique. Think about a website: the user name you register will not be duplicated, because on registration it is written to the database and the site first checks whether that user already exists; if it does, registration is refused. The user ID is likewise the unique parameter that identifies the user within the site. This is what we mean by user identity.

The second kind is the user attribute ID. A user attribute ID is an identifier generated while the user uses the site. When the user places an order, an order number is created; when the user opens the personal center, data can be modified and the values of some parameters change; there are also things like address IDs and record IDs. Think of it as the difference between a person's identity and a person's attributes: a person can run, sing or swim, and those are attributes of the person. A user attribute ID is, in the same way, an identifier produced by a particular operation the user carries out. That is the distinction to keep in mind.

Now let us look at horizontal access control, which is based on the identity ID and similar parameters. In this example the request is sent with the GET method, so our attention, or centre of gravity, is the URL, because with GET the parameter values are placed in the URL, whereas with POST they are placed in the request body. That distinction matters when looking for the key parameter. Here there are only two parameters, so how do we decide which one is the key parameter? We can use semantic naming: most programmers name their parameters according to what they mean, and many of them think only about how to implement the function and ignore the security vulnerabilities while writing the code. For that reason, if a website has access-control or similar vulnerabilities, we suggest having a website vulnerability repair provider such as SINE Safety check it.
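The procedure the article describes, as an added example that is not part of the original post and not SINE Safety's own tooling: a toy "order detail" endpoint in its vulnerable form (it trusts the client-supplied order_id) next to a hardened form (identity comes from the session and ownership is checked), and a small tester that (1) ranks the parameters of a GET URL by semantic name into identity IDs and attribute IDs, (2) changes or deletes one parameter at a time while holding the others at their baseline values, and (3) flags a horizontal access-control finding when another user's value still returns 200 with a different body. The endpoint, users, tokens, order data and the naming patterns are all constructed assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qsl, urlparse

# Constructed sample data (assumption: not real users or orders).
ORDERS = {
    "1001": {"owner": "alice", "item": "laptop"},
    "1002": {"owner": "bob", "item": "phone"},
}
SESSIONS = {"tok_alice": "alice", "tok_bob": "bob"}


def vulnerable_order_detail(query, session_token):
    """'Before' version: looks the order up purely by the client-controlled
    order_id, so any logged-in user can read any order (horizontal access)."""
    if session_token not in SESSIONS:
        return 401, {}
    order = ORDERS.get(query.get("order_id"))
    if order is None:
        return 404, {}
    return 200, dict(order)


def hardened_order_detail(query, session_token):
    """'After' version: the identity comes from the session, not the request,
    and ownership is checked before anything is returned."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, {}
    order = ORDERS.get(query.get("order_id"))
    if order is None or order["owner"] != user:
        return 403, {}  # same answer for missing and foreign orders
    return 200, dict(order)


# Step 1: rank parameters by semantic name. The patterns are assumptions
# about common naming conventions, not a complete list.
IDENTITY_RE = re.compile(r"^(uid|user_?id|account_?id|phone|mobile|id_?card)$", re.I)
ATTRIBUTE_RE = re.compile(r"^(order|addr(ess)?|record|file|msg|comment)_?(id|no|num)$", re.I)


def classify_params(query):
    """Return {param: 'identity_id' | 'attribute_id' | 'other'}."""
    kinds = {}
    for name in query:
        if IDENTITY_RE.match(name):
            kinds[name] = "identity_id"
        elif ATTRIBUTE_RE.match(name):
            kinds[name] = "attribute_id"
        else:
            kinds[name] = "other"
    return kinds


@dataclass
class Finding:
    param: str
    kind: str
    action: str            # "changed" or "deleted"
    value: Optional[str]   # the foreign value that was substituted, if any
    body: dict             # what the server returned for that value


def probe(handler, url, session_token, foreign_values):
    """Steps 2 and 3: for each parameter of a GET URL, either swap in a value
    belonging to another user or drop the parameter, keeping every other
    parameter at its baseline value. A 200 whose body differs from the
    baseline body is reported as a horizontal access-control finding."""
    baseline = dict(parse_qsl(urlparse(url).query))
    kinds = classify_params(baseline)
    base_status, base_body = handler(baseline, session_token)
    assert base_status == 200, "baseline must succeed as the tester's own user"

    findings = []
    for name in baseline:
        trials = [("deleted", None)]
        if name in foreign_values:
            trials.append(("changed", foreign_values[name]))
        for action, value in trials:
            query = dict(baseline)
            if action == "deleted":
                del query[name]
            else:
                query[name] = value
            status, body = handler(query, session_token)
            if status == 200 and body != base_body:
                findings.append(Finding(name, kinds[name], action, value, body))
    return findings


if __name__ == "__main__":
    url = "/order/detail?uid=7&order_id=1001"          # alice's own request
    foreign = {"uid": "8", "order_id": "1002"}         # bob's identifiers (constructed)
    print(classify_params(dict(parse_qsl(urlparse(url).query))))
    print(probe(vulnerable_order_detail, url, "tok_alice", foreign))
    print(probe(hardened_order_detail, url, "tok_alice", foreign))
```

Against the vulnerable handler, changing uid alone produces no visible change (the server ignores it), which is exactly the "situation you want does not appear, so change another variable" case; changing order_id alone returns bob's order and is reported. Against the hardened handler every foreign value is refused with 403, so no finding is produced. Against a real target, the handler would be replaced by an HTTP client sending the mutated query with the tester's own session cookie.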