EXP9 Web Security Basics

EXP9 Web Security Foundation 0x0 Environment Description

Finally comes the web security direction, this is the course of the last experiment.

I'm just a web-safe little white, not familiar with this area. I hope that through this experiment, I will learn about the basic vulnerabilities in web security, as well as the basic exploit techniques.

Of course, the basic knowledge must be filled, after the learning process should be short of what to fill.

• Training environment: OWASP WebGoat Project 8.0
• The 8.0 version of Webgoat is more like a teaching platform, rather than hacking platform
• Temporarily only complete the teaching part, the challenge part of the CTF needs to have the strength later to complete.

0x1 Basic Skills--http and HTML basics

WebGoat 8.0 The first part of teaching is to learn the HTTP protocol, set up HTTP proxies, and modify HTTP packets.

Of course, as a owasp project, the tool used is owasp zap, the open source scanner.

First set the port of the HTTP proxy server

Then configure the HTTP proxy in the browser, here I use Firefox

Be sure to note that the localhost and 127.0.0.1

Exercise--Modifying HTTP packets

Webgoat has an exercise that modifies HTTP packets, with the following requirements:

• Set method to get
• Add header field ' X-request-intercepted:true '
• Change the input value ' changeme ' to ' requests is tampered easily ' (no single quotes)

Click Zap's Green Circle button to intercept the request, and then we can modify and send it as required.

Note that when you give the Post method to the Get method, the parameter is not in the HTTP packet, but instead becomes the URL parameter.

Practice-Bypass 2FA (two factor authentication)

Webgoat provides such an exercise, we want to reset the password, we need to answer the secret protection problem.

But we do not know the answer to the question, we modify the HTTP Request packet spoofing system via ZAP, thus resetting the password

Simply enter data into the form and intercept the HTTP request with Zap.

In the beginning, no matter how I changed, there was no way to pass the verification. And then I saw the solution on YouTube.

The secQuestion0 should be secQuestion00, SecQuestion1 changed to SecQuestion01, and then submitted on it.

Why is it that you can succeed? I haven't figured it out yet.

Practice-Insecure login (Insecure login)

This tutorial in Webgoat tells us that transmitting unencrypted sensitive information is very dangerous.

The requirement of the practice is to sniff the data and get the username and password.

We can find username and password by using ZAP to view HTTP request packets directly.

Submit the above data to complete this exercise.

Practice-Client Side filtering

This exercise tells us that sending too much information to the client can cause serious access control problems

Our goal in this exercise is to get more access to information.

The requirement for this exercise is to get the CEO's salary information, and the CEO's name is Nevile Bartholomew.

With my permission it is impossible to see the CEO's information on the page.

But the HTML source has leaked the CEO's message.

We easily got the answer to the exercise.--ceo's salary is 450000.

The problem is still quite simple.

0x2 Course Injection Vulnerability (injection Flaws)

This part of the teaching has four items, SQL injection, SQL injection (Advanced), SQL Injection (mitigations), XXE

0X31 SQL Injection (two exercises completed)

First, basic SQL injection teaching, webgoat introduces string sql injection (string-based SQL injection) and NUMBERIRC SQL injection (digital SQL injection)

A successful SQL injection can:

• Read and modify sensitive data in the database
• Perform database administrator actions
  • Close audit or DBMS
  • Intercept tables and logs
  • Add user
• Recovering the contents of a given file in the DBMS file system
• List instructions for the operating system

SQL Injection Example

Possible string injections are:

"select * from users where name ='""'";

Possible character-type injections are:

"select * from users where employee_id = "  + userID;

The input that an attacker can provide is

• UserName = Smith ' or ' 1 ' = ' 1
• UserName = ' or 1=1--
• UserID = 1234567 or 1=1
• UserName = Smith '; drop tables users; Truncate Audit_log

The Web application executes

• SELECT * from users where name=' Smith ' or ' 1 ' = ' 1 '
  • SELECT * from users where name=' Smith ' or TRUE
• SELECT * from users where employee_id = 1234567 or 1=1

In this way, all records are returned from the database

Practice 1--string SQL Injection

Just use the techniques given in the Webgoat tutorial.

Practice 2--numberic SQL Injection

Use the technique of digital SQL injection.

0x22 SQL Injection (Advanced)--Advance SQL injection (total of two exercises, complete one)

We then explored more advanced SQL injection topics. What we need to know here

• Combined SQL injection technology (combining SQL injection techniques)
• SQL Blinds (Blind SQL injection)

Although Webgoat said that these skills are advanced, but now, it is only the basic technology.

Special characters and special statements you need to know

Webgoat gives special characters.

/* */ 是内联注释（inline comments）--, # 是行注销（line comments）举例：Select * from users where name = 'admin' -- and pass = 'pass'

; 允许执行多个查询（query chaining）举例：Select * from users; drop table users;

', +, || 允许字符串的Char() 无引号的字符串举例：Select * from users where name = '+char(27) or 1=1

However, different databases also have subtle differences.

Some special statements also play a key role in SQL injection:

• Union can overlap a table of databases, ' select ID, text from news union ALL select name, pass from users '
• Joins can connect to other tables

Practice the attempt to get data from another table

Webgoat's first exercise in this section was to find the password of the Dave user.

In order to use the union query, we must know the number of columns selected by the SELECT statement.

I look at other people's blogs as if I want to use order by sort to determine the number of columns.

In fact, here you can directly input the ‘ or 1=1 -- table all out, it is easy to know the number of columns

Dave is not in this form, you need to use the Union statement to show the User_data_system table.

The string we construct is

Found out!! Dave's password is Dave.

But do not know why, when finished webgoat did not light this icon. It is possible that the input attack string is not a standard answer.

In fact, this SQL injection point is very fragile, as long as the input

'; select * from user_daa_system; --

The same effect can be achieved.

Unfinished exercises

The next topic I haven't done yet, but as a Web moe, it's normal.

This is a problem that requires comprehensive SQL injection technology, and may also need to be combined with SQL blinds, and so I study it and then conquer this topic.

0x23 SQL Injection (mitigations)--sql injection mitigation and defense

This section describes the mitigation measures for SQL injection.

For example: Immutable query statements, static query statements, parameterized statements, stored procedures, and so on.

And give a lot of examples, interested students themselves in Webgoat 8.0 to browse.

Webgoat only one problem in this part.

The webgoat given here is to find the IP address of the WEBGOAT-PRD server through order by.

And the form here is not a fragile SQL injection point.

A video on YouTube shows how this problem should be intercepted and then modified by intercepting the HTTP response packet.

？？？？ I don't understand what the problem is in this module. As long as you enter the IP address that exists on the form, Webgoat will prompt you to pass.

Now we see that there is a webgoat-prd in the form.

For the time being this is the problem, although it is not related to the SQL injection skills, but somehow also learned to modify the HTTP response in the JSON data.

In practice, we should pay attention to the principle of least privilege, especially to pay attention to the allocation of read and write permissions in the database connection pool.

Summary

In the teaching module of injection Vulnerability injection Flaws, I have a comprehensive SQL injection exercise that is not done.

Since I don't know much about XML (although I've been exposed to Java Web courses), I didn't complete the XXe part of the tutorial.

If I want to be a technology Daniel, these skills must be mastered.

But since we are only ensemble, let's put it on for the time being.

0x3 Course 2--XSS

XSS can be divided into three categories: reflective, stored, DOM-based XSS.

The first exercise

The first exercise is to get a cookie for the current page, which needs to be in Chrome or a Firefox browser

Open a new tab and enter the content in the address bar

javascript:alert("XSS Test");javascript:alert(document.cookie);

Then compare the two tabs for the cookie consistency.

We can see that the cookies on both tabs are jsessionid=d0913650405f1febc6b4457f52193892

Practice 2--a reflection type XSS

It is a good practice to check all input from the user on the server side. In reflective XSS, an attacker lets the user "click" on a malicious URL with an attack script.

In this exercise, our attack payload is required to contain<script>alert(‘my javascript here‘)</script>

Our task is to find out which one of the form elements is capable of performing XSS.

Choose an input box to enter the attack load at the press of the UpdateCart button

Webgoat gives a hint of passing, which means that the injection point we are trying is right.

(Although I feel puzzled when I do this exercise ...) What effect is this??? ）

Practice 3--confirming a DOM-based XSS

Dom-based XSS is another form of reflective XSS, which is committed through chain contact and acts on the browser. The difference is that the DOM-based XSS does not run on the server, it only executes on the client, and the attacker's malicious code is executed with the privileges of the local account.

the user will not know that an attack has occurred ... A malicious attacker would not use<script>alert(‘xss‘)</script>

In this exercise, you need to look for some "test" code (Webgoat uses backbone as its main JavaScript library). Sometimes, the test code will be left in production (it is often very simple to test the code, lack of security or any quality control!). ）。

Your goal is to find the path and use it. The location of the test code needs to be found here.

According to the prompt, we want to check the Goatrouter.js file, through the Firefox browser developer tools can be viewed.

It's easy for us to find that the path to the test code in the backbone library

Then fill in the answers and submit

The next step should be a real DOM-based XSS attack.

Unfinished exercises

Webgoat's XSS course has two exercises I haven't finished.

One is to try the DOM-based XSS attack, execute the Webgoat.customjs.phoneHome () via the URL, and then get a random number to complete this exercise after committing the random number.

The last exercise gives a scene that accomplishes the same goal as the previous one.

I haven't solved these problems for the time being, let's put them first.

Summary

Even though I did the three teaching exercises in the XSS section, I was confused on XSS.

WebGoat 8.0 gives the tips and teaching very little, but also have a certain foundation to play happy AH.

Basic Problem Solving

(1) SQL injection attack principle, how to defend

• Rationale: Enter a carefully constructed SQL query instruction to the Web application that attacks and exploits an imperfect input validation mechanism that allows the injected code to perform unexpected attack operations.
• Guard against: Input filtering, parameterized SQL statements, or direct use of stored procedures, providing less error information

(2) Xxs attack principle, how to defend

• Principle: Because the input authentication mechanism of the Web application is imperfect, the attacker inserts some malicious client code into the server-side webpage and generates some malicious attack pages on the Web server.
• Guard against: Input validation, output sanitization (escaping HTML tags), eliminate dangerous input points. Improves client browser security.

(3) CSRF attack principle, how to defend

• Principle: The attacker steals user identities, forges malicious requests to the server, and completes the expected operation.
• Defense: Detect User Submissions by Referer, form token tokens, or verification codes, avoid cookies that are common throughout the site, and strictly set the domain of the cookie without exposing the user's privacy information to the page link.

The new experience of experiment

The course is over, and the road to technology is endless.

In this course I played the back door and Trojan, with a variety of tools, tried some loopholes, in the virtual environment of various tinkering, although even the script boy is not, but also experience the thrill of the invasion.

However, even if the tool to spend more, the scanner is ripe, technology is still floating on the surface, the lack of in-depth research, from the real "hacker" is still far from the bad.

People's energy is limited, even the professionals, but only in some segments of the income slightly.

After becoming a civil servant, I should have no access to these technologies.

However, patience, willingness to study, continuous learning, the courage to challenge, advocating freedom and even slightly rebellious geek spirit, is the greatest spiritual wealth I have received.

EXP9 Web Security Basics