EXP9 Web Security Basics

20155336 "Cyber Confrontation" EXP9 Web Security Foundation

最后一次实验~~The journey is hard, the road is bumpy, but it is very enjoyable.

First, the basic question answer

• 1.SQL injection attack principle, how to defend
  • Principle: An attacker inserts a SQL command into a Web page's various query strings to spoof the server to execute a malicious SQL command.
  • Defense: Restrict the input of text boxes in the design of Web pages, such as the length limit, the # number cannot appear, etc.
• 2.XSS attack principle, how to defend
  • Rationale: The attacker inserts some HTML or scripting language into the input field to enable the server to execute those code
  • Defense: Keyword defense, such as filtering <script> this sensitive word, reduces the risk of attack
• 3.CSRF attack principle, how to defend
  • Principle: General Person A after landing, in their own host page click on the various types of requests are sent in the name of a, that is, a has a permission; attacker B injects a malicious CSRF attack URL address on the Web page, and after a click, B borrows the identity of a for illegal operation, that is, B has the permission of a.

  • Defense: 1.cookie storage time should not be too long; 2. The server requires the user to enter the corresponding verification code; 3. The server tries to use the Post method in the form

    Second, the experimental process record

Open Webgoat

• It's a bit of a thrill to see everyone else getting crazy about installing the JDK. Finally realized what is called the ancestors planted tree posterity, thanks to teacher Liu and teacher Liu's virtual machine, for me to provide a lot of convenience, worship worship
• What is Webgoat:webgoat is a flawed Java EE Web application maintained by the famous owasp, which is not a bug in the program, but is deliberately designed to teach Web application security courses. This application provides a realistic teaching environment that provides clues to the user completing the course. This environment requires the support of Apache Tomcat and the Java development environment.

• Type java -jar webgoat-container-7.0.1-war-exec.jar . When you do the experiment, keep the terminal in a running state.

• As you can see, webgoat is using port 8080.

• Direct access to port 8080 on the browser can jump to the webgoat, using the default account password is completed.

• Why not directly translate the Web page directly like Google ....

Injection Flaws

• There are many kinds of attack experiments on the left, first choose a seemingly simple command injection to try
  

• The command injection attack poses a serious threat to any parameter-driven site. It is good practice to clean up all input data, especially those used in OS commands, scripts, and database queries. Ask our application to use System commands to return the contents of the file.

• Open the source code of a webpage
  

• The subject we want to change BackDoors.help the code behind, so direct search BackDoors.help , found after the join"& netstat -an & ipconfig"
  

• Enter when you are finished.
  

• Select the code option you just added and then view it. Network port usage and IP address appears, (O゜▽゜) o☆[bingo!]
  

Numeric SQL Injection

• To try to inject the SQL string that causes all the weather data to appear, the application takes the input from the selection box and inserts it at the end of the pre-formed SQL command.

• Search for Colombia directly in the search box, then use the 1=1, according to the Execute SQL
  
  

Log Spoofing

• The title means: Use the format of the log, use characters such as newline, cheat the administrator. You can use a decoy to display a “admin” "successful login" in the log using a user name, such as entering in a User Name text box, hgy%0d%0aLogin Succeeded for username: admin where %0d a carriage return is %0a a newline character:

String SQL Injection

• This form allows users to check their credit card numbers and use SQL injection to make all credit card numbers visible.
• is still 1=1 or door-injected
• The subject is injected directly into the last nameSnow‘ OR ‘1‘=‘1
  
• A bit of a problem here is that clicking Go has been unresponsive. Actually, just a little bit restart to start again.
• Try to enter your own name of the keyword, found no impact. So it feels like the truth is really strong, so that the front of the keyword seems to have no effect
  

Lab:sql Injection (Stage 1:string SQL injection)

• Topic meaning: Using string SQL injection to bypass authentication
• Here we are going to password = ‘’ inject, theoretically as long as the execution of the pwd = ‘ or 1=1 --。 statement is changed to:
  select * from User where username=‘’and password =‘’ or 1 = 1 --‘So you can log in to any user, enter the password‘ or 1=1 --
  
• Here, because the password length in the source code is up to 8 bits, change the limit just fine

Stage 3:numeric SQL Injection

• The title means: This is on the basis of the previous, landing Larry, and then browse staff information click ViewProfile on it can be
  
• Viewprofile returns the first data to be queried each time, the boss should be the highest salary, so in order to put the boss to the first SQL injection sort as follows:101 or 1=1 order by salary desc --
  
  

Database backdoors

• Let's take a look at 102 user information.
  
• What are these people, the family opened the bank
• By entering SQL statements to modify the content of the information, such as input102; update employee set salary=1000000 where userid=102；
  
• Hey hey write big, dream everything has ~
• Inject a trigger, trigger content: 102;create trigger backdoor before insert on employee for each row begin update employee set email=‘[email protected]‘WHERE userid = 102; Change the email address of all newly registered users to[email protected]
  

Blind Numeric SQL Injection

• The question means: blind test, roughly is to let you guess, and then gradually narrow the scope. We want to know its pin value, we can only guess, just like the dichotomy in mathematics, the interval is gradually reduced, and finally a more precise range is determined. First, let's try 200,101 AND ((SELECT pin FROM pins WHERE cc_number=‘1111222233334444‘) > 200 );
  
• The injected code shows Account number is valid that the representation is true, so its range is greater than 100. Then we'll try a bigger 2000,101 AND ((SELECT pin FROM pins WHERE cc_number=‘1111222233334444‘) > 2000 );
• When I injected 2500, it changed.
  
• So we're roughly certain that its range is between 2000~2500.
• Then we open the virtual machine's Brup, because the 8080 port is already occupied, so we will add another port. Then set the port number to the port number you just set.
  
  
• Set the Find interval 2000~2500 and set it to 1 for precise step
  
• In Options , select Start attack start attack
  

• It can be found that 2364 is clearly different from other, very suspicious, it may be possible to verify the 2364 input, sure enough is correct.
  

  Three, the experiment summary and experience

EXP9 Web Security Basics