52 行
1.3 KiB
Markdown
52 行
1.3 KiB
Markdown
# 授权验证样例
|
|
|
|
> `LAB ONLY` | `AUTHORIZED TARGETS ONLY`
|
|
|
|
以下命令仅用于自有资产、测试环境或已明确授权的目标。
|
|
|
|
## HTTP 注入最小化验证
|
|
|
|
```bash
|
|
python3 /Users/x/websafe/01-sql-injection/tools/sqli-scanner.py \
|
|
-u "https://owned-lab.example.test/search?id=1"
|
|
```
|
|
|
|
## XSS 上下文与回显验证
|
|
|
|
```bash
|
|
python3 /Users/x/websafe/02-xss/tools/xss-fuzzer.py \
|
|
-u "https://owned-lab.example.test/search?q=test"
|
|
```
|
|
|
|
## TLS 与头部检查
|
|
|
|
```bash
|
|
python3 /Users/x/websafe/04-server-security/tls/tools/tls-scanner.py \
|
|
-u https://owned-lab.example.test
|
|
```
|
|
|
|
## 最小端口暴露验证
|
|
|
|
```bash
|
|
python3 /Users/x/websafe/04-server-security/scanning/tools/port-scanner.py \
|
|
-H owned-lab.example.test --top-ports 20
|
|
```
|
|
|
|
## 同 IP / 同证书关联分析
|
|
|
|
```bash
|
|
python3 /Users/x/websafe/04-server-security/infrastructure/tools/site-scope-mapper.py \
|
|
--target owned-lab.example.test --ack-authorized
|
|
```
|
|
|
|
## 手工检查 CSP / 响应头
|
|
|
|
```bash
|
|
curl -I https://owned-lab.example.test
|
|
```
|
|
|
|
## 记录要求
|
|
|
|
- 每次公网验证都应回填 [测试记录模板](/Users/x/websafe/09-scope-and-targeting/test-record-template.md)
|
|
- 每个目标都应登记在 [资产清单模板](/Users/x/websafe/09-scope-and-targeting/asset-inventory-template.md)
|