- The Guide to Finding and Reporting Web Vulnerabilities
- About the Author
- About the Tech Reviewer
- Foreword
- Introduction
- Who This Book Is For
- What Is In This Book
- Happy Hacking!
- 1 Picking a Bug Bounty Program
- 2 Sustaining Your Success
- 3 How the Internet Works
- 4 Environmental Setup and Traffic Interception
- 5 Web Hacking Reconnaissance
- 6 Cross-Site Scripting
- 7 Open Redirects
- 8 Clickjacking
- 9 Cross-Site Request Forgery
- 10 Insecure Direct Object References
- 11 SQL Injection
- 12 Race Conditions
- 13 Server-Side Request Forgery
- 14 Insecure Deserialization
- 15 XML External Entity
- 16 Template Injection
- 17 Application Logic Errors and Broken Access Control
- 18 Remote Code Execution
- 19 Same-Origin Policy Vulnerabilities
- 20 Single-Sign-On Security Issues
- 21 Information Disclosure
- 22 Conducting Code Reviews
- 23 Hacking Android Apps
- 24 API Hacking
- 25 Automatic Vulnerability Discovery Using Fuzzers
The Client-Server Model
The internet is composed of two kinds of devices: clients and servers. Clients request resources or services, and servers provide those resources and services. When you visit a website with your browser, it acts as a client and requests a web page from a web server. The web server then sends your browser the web page (Figure 3-1). Note that "client" and "server" are roles in an exchange rather than kinds of hardware: the same machine can be a client in one request and a server in another.
A web page is nothing more than a collection of resources or files sent by the web server. For example, at the very least, the server will send your browser a text file written in Hypertext Markup Language (HTML), the language that tells your browser what to display. Most web pages also include Cascading Style Sheets (CSS) files to control how they look. Sometimes web pages also contain JavaScript (JS) files, which enable sites to animate the web page and react to user input without going through the server. For example, JavaScript can resize images as users scroll through the page and validate user input on the client side before sending it to the server. Because that JavaScript runs on a machine the user controls, client-side validation is a convenience, not a security control: anyone can skip it by sending requests straight to the server, so the server has to validate the same input again. Finally, your browser might receive embedded resources, such as images and videos. Your browser will combine these resources to display the web page you see.
Servers don’t just return web pages to the user, either. Web APIs enable applications to request data from other systems. This lets applications interact with each other and share data and resources in a controlled way. For example, Twitter’s APIs allow other websites to send requests to Twitter’s servers to retrieve data such as lists of public tweets and their authors. APIs power many internet functionalities beyond this, and we’ll revisit them, along with their security issues, in Chapter 24.
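The exchange described in this section, as an added example that is not part of the book: a hypothetical web server hands out an HTML page, the CSS and JavaScript files it references, and a small JSON API, and a client written with the standard library plays the browser's role. The page's JavaScript refuses to submit an age under 18, but the client can POST to the same endpoint directly, which is why the server performs the check a second time. Every path, payload and response value here is constructed for the demonstration.

```python
"""Added example: a minimal HTTP client-server exchange (not from the book)."""
import json
import re
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed resources served by the hypothetical server: an HTML page that
# references a stylesheet and a script, plus the bodies of those two files.
INDEX_HTML = b"""<!doctype html>
<html><head><link rel="stylesheet" href="/style.css"></head>
<body><form action="/api/register" method="post"><input name="age"></form>
<script src="/app.js"></script></body></html>"""
STYLE_CSS = b"body { font-family: sans-serif; }"
APP_JS = b"""document.querySelector('form').addEventListener('submit', e => {
  // Client-side check: runs in the user's browser, so it is easily skipped.
  if (Number(document.querySelector('[name=age]').value) < 18) e.preventDefault();
});"""
STATIC = {
    "/": ("text/html", INDEX_HTML),
    "/style.css": ("text/css", STYLE_CSS),
    "/app.js": ("application/javascript", APP_JS),
}
TWEETS = [{"author": "alice", "text": "hello"}]  # constructed API data


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        path = urlparse(self.path).path
        if path == "/api/tweets":          # the API endpoint returns JSON
            self._send(200, "application/json", json.dumps(TWEETS).encode())
        elif path in STATIC:               # the web page and its resources
            self._send(200, *STATIC[path])
        else:
            self._send(404, "text/plain", b"not found")

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        age = form.get("age", [""])[0]
        # Server-side validation: the only check the client cannot bypass.
        if not age.isdigit() or int(age) < 18:
            self._send(400, "application/json", b'{"error": "must be 18+"}')
        else:
            self._send(201, "application/json", b'{"ok": true}')

    def _send(self, status, ctype, body):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def fetch(port, method, path, form=None):
    """One request from the client; returns (status, content-type, body)."""
    body, headers = None, {}
    if form is not None:
        body = urlencode(form).encode()
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, resp.getheader("Content-Type"), data


def fetch_page(port):
    """Act like a browser: get the HTML, then every href/src it references."""
    status, ctype, html = fetch(port, "GET", "/")
    results = {"/": (status, ctype)}
    for ref in re.findall(rb'(?:href|src)="([^"]+)"', html):
        st, ct, _ = fetch(port, "GET", ref.decode())
        results[ref.decode()] = (st, ct)
    return results


def run_demo():
    """Start the server on a free port, run the whole exchange, return results."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    try:
        return {
            "page": fetch_page(port),
            "tweets": json.loads(fetch(port, "GET", "/api/tweets")[2]),
            # Skipping the JavaScript entirely and posting an invalid age:
            "bypass_status": fetch(port, "POST", "/api/register", {"age": "5"})[0],
            "valid_status": fetch(port, "POST", "/api/register", {"age": "21"})[0],
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The browser-like client never executes `app.js`; it just fetches it, which is exactly the position an attacker is in with a proxy such as Burp. The `bypass_status` of 400 comes from the server's own check, not from the script, and that is the check worth testing when you assess input validation.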