WEB应用安全解决方案测试验证
WEB应用安全解决方案测试报告
--- By jiang.jx at 2017-08-11
WEB应用安全解决方案.docx
链接:https://share.weiyun.com/068b05467040d4d2a479f46e7a23c614 密码:sa4bwk
拓扑环境:
测试步骤:
启动测试环境的虚拟机实例
LLB负载均衡功能测试 |
|
步骤 |
操作 |
验证NSVPX-91上LLB负载均衡配置是否正确 =================================================== > show lb vserver lb_vsrv_llb lb_vsrv_llb (0.0.0.0:0) - ANY Type: ADDRESS State: UP Last state change was at Wed Feb 28 13:53:13 2018 Time since last state change: 0 days, 00:21:39.620 Effective State: UP Client Idle Timeout: 120 sec Down state flush: ENABLED Disable Primary Vserver On Down : DISABLED Appflow logging: ENABLED No. of Bound Services : 3 (Total) 2 (Active) Configured Method: ROUNDROBIN BackupMethod: NONE Mode: IP Persistence: DESTIP Persistence Mask: 255.255.255.255 Persistence v6MaskLength: 128 Persistence Timeout: 2 min Connection Failover: DISABLED L2Conn: OFF Skip Persistency: None Listen Policy: NONE IcmpResponse: PASSIVE RHIstate: PASSIVE New Service Startup Request Rate: 0 PER_SECOND, Increment Interval: 0 Mac mode Retain Vlan: DISABLED DBS_LB: DISABLED Process Local: DISABLED Traffic Domain: 0 TROFS Persistence honored: ENABLED Retain Connections on Cluster: NO 1) svc_isp_outside_vmnat_one (192.168.195.2: 0) - ANY State: UP Weight: 1 2) svc_isp_outside_vmbridge_one (192.168.1.1: 0) - ANY State: DOWN Weight: 1 3) svc_isp_outside_vmbridge_two (10.0.100.1: 0) - ANY State: UP Weight: 1 Done > show lb route Network Netmask Traffic Domain VIP Flags ------- ------- -------------- --- ----- 1) 0.0.0.0 0.0.0.0 0 lb_vsrv_llb UP Done =================================================== |
|
在Win2008R2AD这台机器上,对www.bing.com域名对应的主机进行tracert.exe操作,查看链路走向: =================================================== PS C:\Users\adpadmin> TRACERT.EXE www.bing.com 通过最多 30 个跃点跟踪 到 cn-0001.cn-msedge.net [202.89.233.101] 的路由: 1 <1 毫秒 <1 毫秒 <1 毫秒 192.168.185.91 2 1 ms <1 毫秒 1 ms OPENWRT [10.0.100.1] 3 4 ms 5 ms 6 ms 163.125.48.1 4 7 ms 6 ms 8 ms 120.80.165.233 5 7 ms * * 221.4.0.125 6 * * * 请求超时。 7 * * * 请求超时。 8 40 ms 40 ms 39 ms 123.126.8.250 9 * * * 请求超时。 10 41 ms 42 ms 43 ms 61.148.60.134 11 * * * 请求超时。 12 * * * 请求超时。 13 * * * 请求超时。 14 * * * 请求超时。 15 40 ms 40 ms 41 ms 202.89.233.101 跟踪完成。 =================================================== 在NSVPX-91上禁用10.0.100.1/24这条链路: =================================================== > disable service svc_isp_outside_vmbridge_two Done > show lb vserver lb_vsrv_llb lb_vsrv_llb (0.0.0.0:0) - ANY Type: ADDRESS State: UP Last state change was at Wed Feb 28 13:53:39 2018 Time since last state change: 0 days, 00:43:44.400 Effective State: UP Client Idle Timeout: 120 sec Down state flush: ENABLED Disable Primary Vserver On Down : DISABLED Appflow logging: ENABLED No. of Bound Services : 3 (Total) 1 (Active) Configured Method: ROUNDROBIN BackupMethod: NONE Mode: IP Persistence: DESTIP Persistence Mask: 255.255.255.255 Persistence v6MaskLength: 128 Persistence Timeout: 2 min Connection Failover: DISABLED L2Conn: OFF Skip Persistency: None Listen Policy: NONE IcmpResponse: PASSIVE RHIstate: PASSIVE New Service Startup Request Rate: 0 PER_SECOND, Increment Interval: 0 Mac mode Retain Vlan: DISABLED DBS_LB: DISABLED Process Local: DISABLED Traffic Domain: 0 TROFS Persistence honored: ENABLED Retain Connections on Cluster: NO 1) svc_isp_outside_vmnat_one (192.168.195.2: 0) - ANY State: UP Weight: 1 2) svc_isp_outside_vmbridge_one (192.168.1.1: 0) - ANY State: DOWN Weight: 1 3) svc_isp_outside_vmbridge_two (10.0.100.1: 0) - ANY State: OUT OF SERVICE Weight: 1 Done =================================================== 在Win2008R2AD这台机器上,对www.bing.com域名对应的主机进行tracert.exe操作,查看链路走向: =================================================== PS C:\Users\adpadmin> TRACERT.EXE www.bing.com 通过最多 30 个跃点跟踪 到 cn-0001.cn-msedge.net [202.89.233.100] 的路由: 1 <1 毫秒 <1 毫秒 <1 毫秒 192.168.185.91 2 <1 毫秒 <1 毫秒 <1 毫秒 192.168.195.2 3 * * * 请求超时。 4 * * * 请求超时。 5 * * * 请求超时。 6 * * * 请求超时。 7 * * * 请求超时。 8 * * * 请求超时。 9 * * * 请求超时。 10 * * * 请求超时。 11 * * * 请求超时。 12 * * * 请求超时。 13 * * * 请求超时。 14 * * * 请求超时。 15 * * * 请求超时。 16 42 ms 153 ms 42 ms 202.89.233.100 跟踪完成。 =================================================== 在NSVPX-91上恢复10.0.100.1/24这条链路: =================================================== > enable service svc_isp_outside_vmbridge_two Done > show lb vserver lb_vsrv_llb lb_vsrv_llb (0.0.0.0:0) - ANY Type: ADDRESS State: UP Last state change was at Wed Feb 28 13:54:09 2018 Time since last state change: 0 days, 00:51:41.140 Effective State: UP Client Idle Timeout: 120 sec Down state flush: ENABLED Disable Primary Vserver On Down : DISABLED Appflow logging: ENABLED No. of Bound Services : 3 (Total) 2 (Active) Configured Method: ROUNDROBIN BackupMethod: NONE Mode: IP Persistence: DESTIP Persistence Mask: 255.255.255.255 Persistence v6MaskLength: 128 Persistence Timeout: 2 min Connection Failover: DISABLED L2Conn: OFF Skip Persistency: None Listen Policy: NONE IcmpResponse: PASSIVE RHIstate: PASSIVE New Service Startup Request Rate: 0 PER_SECOND, Increment Interval: 0 Mac mode Retain Vlan: DISABLED DBS_LB: DISABLED Process Local: DISABLED Traffic Domain: 0 TROFS Persistence honored: ENABLED Retain Connections on Cluster: NO 1) svc_isp_outside_vmnat_one (192.168.195.2: 0) - ANY State: UP Weight: 1 2) svc_isp_outside_vmbridge_one (192.168.1.1: 0) - ANY State: DOWN Weight: 1 3) svc_isp_outside_vmbridge_two (10.0.100.1: 0) - ANY State: UP Weight: 1 Done =================================================== 在Win2008R2AD这台机器上,对www.bing.com域名对应的主机进行tracert.exe操作,查看链路走向: =================================================== PS C:\Users\adpadmin> TRACERT.EXE www.bing.com 通过最多 30 个跃点跟踪 到 cn-0001.cn-msedge.net [202.89.233.101] 的路由: 1 <1 毫秒 <1 毫秒 <1 毫秒 192.168.185.91 2 1 ms 1 ms 1 ms OPENWRT [10.0.100.1] 3 22 ms 47 ms 3 ms 163.125.48.1 4 6 ms 7 ms 7 ms 120.80.165.233 5 * 9 ms * 221.4.0.125 6 46 ms 42 ms 44 ms 219.158.15.37 7 * * * 请求超时。 8 41 ms 40 ms 40 ms 123.126.8.250 9 * * * 请求超时。 10 40 ms 40 ms 41 ms 61.148.60.134 11 * * * 请求超时。 12 * * * 请求超时。 13 * * * 请求超时。 14 * * * 请求超时。 15 40 ms 40 ms 42 ms 202.89.233.101 跟踪完成。 =================================================== 结论:可以NSVPX-91虚拟机实例的系统可以自动切换链路,始终保持数据包在正常链路上进行通信,避开失效的链路。 |
|
验证结束 |
统一网关功能测试 |
|
步骤 |
操作 |
在NSVPX-91上验证UG是否配置正确: =================================================== > show cs vserver myUnifiedGateway myUnifiedGateway (10.0.100.111:443) - SSL Type: CONTENT State: UP Last state change was at Wed Feb 28 13:54:36 2018 Time since last state change: 0 days, 01:31:49.120 Client Idle Timeout: 180 sec Down state flush: ENABLED Disable Primary Vserver On Down : DISABLED Appflow logging: ENABLED State Update: DISABLED Default: Content Precedence: RULE Vserver IP and Port insertion: OFF L2Conn: OFF Case Sensitivity: ON Authentication: OFF 401 Based Authentication: OFF Push: DISABLED Push VServer: Push Label Rule: none Listen Policy: NONE IcmpResponse: PASSIVE RHIstate: PASSIVE Traffic Domain: 0 1) AppFlow Policy Name: _vpn_myUnifiedGateway_Transparent_apfw_pol Priority: 255 GotoPriority Expression: END 1) Content-Switching Policy: UG_CSPOL_myUnifiedGateway Priority: 63000 Hits: 24 Done > show vpn vserver UG_VPN_myUnifiedGateway UG_VPN_myUnifiedGateway (0.0.0.0:0) - SSL Type: CONTENT State: UP ARP:DISABLED Down state flush: ENABLED Loginonce: ON Disable Primary Vserver On Down : DISABLED HTTP profile name: nshttp_default_strict_validation Appflow logging: ENABLED Authentication : ON Device Certificate Check: OFF CGInfra Homepage Redirect : ENABLED Current AAA Sessions: 0 Total Connected Users: 0 Icaonlylicense : OFF IcaProxySessionMigration : OFF DoubleHop : DISABLED Dtls : ON L2Conn: OFF Max Login Attempts: 0 Failed Login Timeout 0 Fully qualified domain name: UG_VPN_myUnifiedGateway Listen Policy: NONE IcmpResponse: PASSIVE RHIstate: PASSIVE Traffic Domain: 0 1) AppFlow Policy Name: _UG_VPN_myUnifiedGateway_Transparent_apfw_pol Priority: 255 GotoPriority Expression: END Flowtype: REQUEST 1) Cache Policy Name: _cacheTCVPNStaticObjects Priority: 10 GotoPriority Expression: END Flowtype: REQUEST 2) Cache Policy Name: _cacheOCVPNStaticObjects Priority: 20 GotoPriority Expression: END Flowtype: REQUEST 3) Cache Policy Name: _cacheVPNStaticObjects Priority: 30 GotoPriority Expression: END Flowtype: REQUEST 4) Cache Policy Name: _mayNoCacheReq Priority: 40 GotoPriority Expression: END Flowtype: REQUEST 5) Cache Policy Name: _cacheWFStaticObjects Priority: 10 GotoPriority Expression: END Flowtype: RESPONSE 6) Cache Policy Name: _noCacheRest Priority: 20 GotoPriority Expression: END Flowtype: RESPONSE 1) VPN Session Policy Name: UG_VPN_SPol_10.0.100.111 Type: Advanced Priority: 58000 GotoPriorityExpression: NEXT 1) Url: bing 2) Url: baidu 3) Url: webgoat 1) VPN Application: Intranet 1) Primary ldap authentication policy name: 192.168.185.191_LDAP_pol Priority: 60 1) Primary local authentication policy name: NS_GATEWAY_DEFAULT_LOCAL_POL Priority: 64000 1) Intranet IP: 192.168.185.161 netmask: 255.255.255.224 1) VPN PortalTheme: X1 1) Eula : Security Message Done =================================================== |
|
在Win7MSP上访问统一网关站点: 输入用户名和密码以及接受许可,登录网站,选择无客户端访问: 使用无客户访问的方式浏览内网站点: 在移动设备IPhone上使用Citrix VPN软件,进行UG的连接: UG可以使用两种方式进行连接 一种是基于SSL VPN的网络访问,另外一种是基于浏览器的无客户访问。 在MPSVPX-95中,可以看见统计的UG数据: |
|
验证结束 |
安全WEB网关功能测试 |
|
步骤 |
操作 |
在NSVPX-91上验证SWG是否配置正确: =================================================== > show cs vserver mySWG_Transparent mySWG_Transparent (*:*) - PROXY Type: CONTENT State: UP[Certkey not bound] Last state change was at Wed Feb 28 13:54:29 2018 Time since last state change: 0 days, 01:30:06.330 ARP:DISABLED Client Idle Timeout: 180 sec Down state flush: ENABLED Disable Primary Vserver On Down : DISABLED Appflow logging: ENABLED State Update: DISABLED Default: Content Precedence: RULE L2Conn: OFF Case Sensitivity: ON Authentication: OFF 401 Based Authentication: OFF Listen Policy: NONE IcmpResponse: PASSIVE RHIstate: PASSIVE Traffic Domain: 0 1) AppFlow Policy Name: _swg_mySWG_Transparent_apfw_pol Priority: 11 GotoPriority Expression: END Done =================================================== |
|
在Win2008R2AD这台机器上,访问外网,产生流量数据: 在MPSVPX-95上验证通过安全网关审计的流量: |
|
验证结束 |
无缝集成文件流杀毒网关功能测试 |
|
步骤 |
操作 |
验证NSVPX-91上无缝集成文件流杀毒网关配置是否正确 =================================================== > show cs vserver cs_vsrv_uploadfile cs_vsrv_uploadfile (192.168.195.112:80) - HTTP Type: CONTENT State: UP Last state change was at Wed Feb 28 13:57:11 2018 Time since last state change: 0 days, 02:38:10.190 Client Idle Timeout: 180 sec Down state flush: ENABLED Disable Primary Vserver On Down : DISABLED Appflow logging: ENABLED Port Rewrite : DISABLED State Update: DISABLED Default: Content Precedence: RULE Vserver IP and Port insertion: OFF L2Conn: OFF Case Sensitivity: ON Authentication: OFF 401 Based Authentication: OFF Push: DISABLED Push VServer: Push Label Rule: none Listen Policy: NONE IcmpResponse: PASSIVE RHIstate: PASSIVE Traffic Domain: 0 1) Responder Policy Name: ICAPRequest Priority: 100 GotoPriority Expression: END 1) Content-Switching Policy: cs_pol_uploadfile Target LB: lb_vsrv_test Priority: 100 Hits: 0 Done > show responder policy ICAPRequest Name: ICAPRequest Rule: HTTP.REQ.HEADER("Content-Type").CONTAINS("multipart/form-data") && sys.HTTP_CALLOUT(http_callout_squid) Responder Action: ICAPError UndefAction: Use Global LogAction: Use Global Hits: 0 Undef Hits: 0 Policy is bound to following CS VSERVERS 1) Bound to: REQ VSERVER cs_vsrv_uploadfile Priority: 100 GotoPriorityExpression: END Done =================================================== |
|
上传正常文件: 上传病毒文件: 查看策略是否命中 查看文件流杀毒服务器的日志: |
|
验证结束 |
应用防火墙功能测试 |
|
步骤 |
操作 |
验证NSVPX-91上应用防火墙配置是否正确 =================================================== > show lb vserver lb_vsrv_webgoat lb_vsrv_webgoat (192.168.195.101:443) - SSL Type: ADDRESS State: UP Last state change was at Wed Feb 28 15:51:14 2018 Time since last state change: 0 days, 01:00:34.860 Effective State: UP Client Idle Timeout: 180 sec Down state flush: ENABLED Disable Primary Vserver On Down : DISABLED Appflow logging: ENABLED No. of Bound Services : 1 (Total) 1 (Active) Configured Method: SOURCEIPHASH BackupMethod: ROUNDROBIN Network mask: 255.255.255.255 Mode: IP Persistence: SOURCEIP Persistence Mask: 255.255.255.255 Persistence Timeout: 2 min Vserver IP and Port insertion: OFF Push: DISABLED Push VServer: Push Multi Clients: NO Push Label Rule: none L2Conn: OFF Skip Persistency: None Listen Policy: NONE IcmpResponse: PASSIVE RHIstate: PASSIVE New Service Startup Request Rate: 0 PER_SECOND, Increment Interval: 0 Mac mode Retain Vlan: DISABLED DBS_LB: DISABLED Process Local: DISABLED Traffic Domain: 0 TROFS Persistence honored: ENABLED Retain Connections on Cluster: NO 1) svc_webgoat (192.168.185.73: 8080) - HTTP State: UP Weight: 1 1) Rewrite Policy Name: rw_pol_sendtowebgoat Priority: 101 GotoPriority Expression: NEXT Flowtype: REQUEST 1) AppFlow Policy Name: lb_vsrv_webgoat_Transparent_apfw_pol Priority: 255 GotoPriority Expression: END 1) Policy : appfw_pf_webgoat Priority:100 GotoPriority Expression: NEXT Done =================================================== |
|
验证结束 |
WEB应用安全解决方案测试验证相关推荐
- web应用程序并发测试_测试并发应用
web应用程序并发测试 本文是我们名为Java Concurrency Essentials的学院课程的一部分. 在本课程中,您将深入探讨并发的魔力. 将向您介绍并发和并发代码的基础知识,并学习诸如原 ...
- Web Service 安全性解决方案(SOAP篇)
拼吾爱程序人生 » 软件编程 » Visual Studio.NET » Web Service » Web Service 安全性解决方案(SOAP篇) Web Service 安全性解决方案(SO ...
- web端项目展开测试步骤
web端项目展开测试步骤: 1.功能测试 1.1链接测试 链接是Web应用系统的一个主要特征,它是在页面之间切换和指导用户去一些不知道地址的页面的主要手段.链接测试可分为三个方面.首先,测试所有链接是 ...
- [原创]网站HTML,XHTML,XML,WML,CSS等测试验证工具介绍
[原创]网站HTML,XHTML,XML,WML,CSS等语言测试验证工具介绍 1 在线网站语言测试检查网站: HTML和XHTML测试检查网站: http://validator.w3.org/ 或 ...
- 【小迪安全】web安全|渗透测试|网络安全 | 学习笔记-5
目录 目录 第25天:WEB漏洞-XSS跨站之原理分类及攻击手法 第26天:WEB漏洞-XSS跨站之订单及Shell箱子反杀记 第27天:WEB漏洞-XSS跨站之代码及httponly绕过 第28天: ...
- Web界面应用的测试内容
Web界面应用常用的测试方法: 一.输入框: 1.字符型输入框: (1)字符型输入框:英文全角.英文半角.数字.空或者空格.特殊字符"~!@#¥%--&*?[]{}"特别要 ...
- 如何对web系统开展无障碍测试
Accessibility test(无障碍测试)是一种测试方法,旨在评估软件.网站或其他数字产品的可访问性,以确保它们能够被身体残障或其他特殊需求的用户使用.这些测试通常包括使用辅助技术,如屏幕阅读 ...
- 软件测试-------Web(性能测试 / 界面测试 / 兼容性测试 / 安全性测试)
Web(性能测试 / 界面测试 / 兼容性测试 / 安全性测试) 一.Web性能测试:(压力测试.负载测试.连接速度测试) 1.压力测试: 并发测试 (如500人同时登录邮箱) 2.负载测试 ...
- 软件测试面试题之如何对web系统进行全面测试(持续更新中,求关注)
如何对web系统进行全面测试? 这是在软件测试面试中经常会问到的一个问题,但要全面而合理地解答此问题却有点难度,以下是我在面试过程中的总结整理,希望对大家有所帮助. 一. 功能测试 1.链接测试 链接 ...
最新文章
- 使用Mycat构建MySQL读写分离、主从复制、主从高可用
- SQLSERVER 2008 R2中的全文检索
- 8、Semantic-UI之其他按钮样式
- CTFshow 命令执行 web67
- Android 内容提供器---内容提供器基础(内容的统一资源标识(URIs))
- c现代方法8.2节 deal.c程序自己编写
- SpringBoot_web开发-【实验】-登陆拦截器
- 【计算机网络】ISO/OSI模型
- PHP开发erp账号登陆问题,浪潮ERP软件E系列创建账套时提示“由于登陆不正确、请重新登陆” | 浪潮888博客...
- BOE(京东方)与吉利控股集团签订战略合作协议
- 伏安特性曲线实验报告_【鼎阳硬件智库原创 | 测试测量】动手测量电解电容器的阻抗频率特性...
- android自定义手势解锁View
- 自学python入门训练营 李笑来_如何看待李笑来发布的Python教程《自学是门手艺》?...
- 英语在线听力翻译器_英语听力翻译器在线翻译PC版-英语听力翻译电脑版下载 v2.1.4--PC6电脑版...
- 苹果开发者账号添加受信任电话号
- 微信公众号支付 java_微信支付之公众号支付(java实现)
- php sapi模式,PHP SAPI介绍
- Chromium网页Render Layer Tree创建过程分析
- pl/sql基础知识—定义并使用变量
- 推荐一个查询研究者方向和影响力的网站| 也可以查询杂志是否有专刊开放
热门文章
- HDFS中的集中缓存管理详解
- 从后台获取的数据渲染到页面中的dom操作
- Linux yum安装
- Python递归、反射、2分查找、冒泡排序
- ISP图像调试工程师——3D和2D降噪(熟悉图像预处理和后处理技术)
- iOS开源项目周报0302
- 获取context path或者basePath
- Gym 100818I Olympic Parade(位运算)
- _视图控制对象生命周期-init、viewDidLoad、viewWillAppear、viewDidAppear、viewWillDisappear等的区别及用途...
- NOIP2010-普及组初赛C语言解析