Bước 1: Tại trình duyệt của máy khá

Step 1: In the client's browser type the web address into the browser, which will create the HTTP request sent to the web application server. If successful, it will load the site about vice versa if that fails I have to check the connection from the client to the web server is to smoothly might try using the ping command.Step 2: once the download web site, the web server requires user login account name and password, of course users must know I am using the application and your account, your password is. If you don't have an account we can register for an account to be accessed.Step 3: login successful message is displayed on the client browser. Suppose a user wants to perform cash bank account, users using the web application to withdraw to bank account. After taking steps to withdraw money as required, in the web server requested packets to the web application, the web application will check your account has sufficient funds at least be pulled or not if enough then it transfers to the server database.Step 4: In the server database it will query the information needed to calculate as the residual account number and stores the necessary information such as time, account information, etc.Step 5: once the query is complete, it will send back to the client the necessary notifications. CHAPTER 2: the TECHNIQUES of ATTACKS and WEB APPLICATION SECURITY FUNDAMENTALS2.1 the FLAWS in CHECKING the DATA ENTERED2.1.1 buffer overflow (Buffer Overflow)2.1.1.1 attack techniquesA volume of data that is sent to the application exceeds the amount of data that is allocated to the application is not executed was the next scheduled statement but instead must execute any code because Hackers take on the system. More so than if the application is configured to execute with root access on the system are regarded as hackers have captured the entire system of the web server. Most of the problems arose from the poor programming or new to the profession.For example, consider the following code snippet:Form (char * ch){ char buffer [256]; ...}In the following code if we enter into more than 256 characters will be buffer overflows.2.1.1.2 a number of security measures to overcomeWho set the shelf website or programming need to check carefully the data size when used. I.e., it has handled the exception. for example, as is the case on if that enter more than 256 characters will be buffer overflow so I add the code to handle the exception. As if more input 256 characters, then send a message asking the user to enter correct and allows the user to enter again.2.1.2 Crossed paths (Directory Traversal)2.1.2.1 technical attackApplications that use the file system of the server class application to display information stored temporarily. These files include image files, HTML files. Www folder/root is a root directory containing the web page, which is accessed from a browser. The web application can save inside or outside the www/root.If the application does not check the specials, often used in the path like "/", then it is possible that the application has vulnerabilities to attack across the path. The hacker can request the server send the contents of these files are outside the folder www/root may be/etc/password.For example, Hackers on the site read the informationhttp://www.juggyboy.com/.../.../index.html But if the Hacker changed the file to retrieve the following: http://www.juggyboy.com/get/process.php./.../.../.../etc/password So Hackers could gain access to the folder containing the password of the server system. As such, he has what he needs.

Step 1: The client browser type in the website address, at which the browser makes an HTTP request sent to the web application server. If successful, it will be loaded on the opposite site if failures are to test the connection from the client to the web server is to smoothly can try using the ping command.
Step 2: After loading the web page , web servers require user login account name and password, of course, users have to know what you're using applications and accounts, passwords are. If no account can we sign up for an account to get access.
Step 3: Notification successful login displayed on the client browser. Assuming the user wants to make a withdrawal in bank accounts, users use web applications to withdraw bank account. After taking steps to withdraw money on demand at the web server, the request packet will arrive withdrawals web application, web application will check this account has sufficient funds to be withdrawn or at least not if it's enough Go to the database server.
Step 4: At the database server will query the information needed to calculate the surplus as account numbers and store the necessary information such as time, information Account details ...
Step 5: Once the query is complete, it will return to the client the necessary notification. CHAPTER 2: TECHNICAL AND SECURITY OFFENSIVE WEB BASIC APPLICATIONS OF OMISSIONS 2.1 CHECK IN ON IMPORT DATA 2.1.1 Buffer overflows (Buffer Overflow) 2.1.1.1 Technical attacked a data volume is sent to the application reached the allocated amount of data that the application fails The test is intended next statement, but instead must be enforced any code put into the system by Hacker. More serious if the application is configured to execute with root privileges on the system, as Hacker had captured the entire web server system. Most of the problems arising from weak or programmers novice. Example: Consider the following code: Form (char * ch) { char buffer [256]; ... } In the following code if we I entered more than 256 characters, it will overflow the buffer. 2.1.1.2 Some security measures to overcome web designer or programmer must check the data size while in use. Processing means there are exceptions.  For travelers: As was the case on if that entered into more than 256 characters, it will be one more so buffer overflow in the code to handle exceptions. As if entering more than 256 characters, the notice requires the user to enter accurate and allows users to re-enter. 2.1.2 Crossing paths (Directory Traversal) 2.1.2.1 Technical attacking application uses file system server system in class "applications" to display the information stored temporarily. The file includes image files, HTML files. Directory www / root is a root folder that contains the site where the access from the browser. Web applications can be saved inside or outside www / root. If the application does not check the special character, often used in the path as "/", it is possible that the application has holes for pulsed the excess path. Hacker can ask the server send the content as a result of these files outside the directory www / root may be the / etc / password. Example: Hacker read information website http: //www.juggyboy. com /.../.../ index.html but if Hacker changes required files accessed as follows: http: //www.juggyboy.com/get/process.php. / ... / ... /.../etc/password So hackers have access to the folder containing the password of the server system. Thus, he had what he needed.