20145236 "Cyber Confrontation" EXP9: Web Security Basic Practice
One, answers to the basic questions:
- SQL injection attack principle, how to defend
  - SQL injection: the attacker inserts SQL commands into a web form submission, or into the query string of a domain name or page request, so that the server is ultimately tricked into executing malicious SQL commands.
  - In other words, an existing application is used to inject (malicious) SQL commands into the back-end database engine for execution: by entering (malicious) SQL statements in a web form, the attacker can obtain the database of a website that has the vulnerability, instead of the SQL statements being executed as the designer intended.
  - Defense: user input can be validated with regular expressions or by limiting its length, by converting single quotation marks and double "-" sequences, and so on. Error messages from the application should give as few hints as possible; preferably wrap the original error message in a custom error message and store the exception details in a separate table.
- The principle of XSS attack, how to defend
  - XSS (cross-site scripting) attacks are the most common web attacks; the emphasis is on "cross-domain" and "client-side execution." There are three types of XSS attack: reflected XSS, stored XSS, and DOM-based or local XSS.
  - Procedure: the attacker discovers an XSS vulnerability -> constructs code -> sends it to the victim -> the victim opens it -> the attacker acquires the victim's cookie -> the attack is complete
  - Preventive measures:
    - Reflected type: when the front end displays data from the server, not only the tag content needs to be filtered and escaped; attribute values may need it as well. When the back end receives a request, it verifies whether the request is an attack request and, if so, blocks the attack.
    - Stored type: filtering on the server comes first, because front-end checks can be bypassed. When the server does not check, the front end filters out possible malicious scripts in various ways, for example script tags, and converts special characters to HTML encoding.
- CSRF attack principle, how to defend
  - CSRF (cross-site request forgery): because the target site has no token/Referer restrictions, an attacker can act under the user's identity to achieve various purposes. Depending on the HTTP request method used, CSRF can be divided into two types: GET-type CSRF and POST-type CSRF.
  - Process: the attacker discovers a CSRF vulnerability -> constructs code -> sends it to the victim -> the victim opens it -> the victim executes the code -> the attack is complete
  - The current mainstream approach is to use tokens to defend against CSRF attacks.
Two, practice process record
Open WebGoat
- Start WebGoat by entering the following in the terminal
java -jar webgoat-container-7.0.1-war-exec.jar
and wait until this line appears:
INFO: Starting ProtocolHandler ["http-bio-8080"]
- Open the browser and enter
localhost:8080/WebGoat
(note that "WebGoat" is case sensitive), then log in to WebGoat with the default user name and password
(i) SQL injection
Numeric SQL Injection
- This step uses burp-suite as the proxy.
- The exercise has no text box in which we can type directly; we can only pick a place from the drop-down list. The code that generates the SQL statement may be in the web page source or in the back-end service, but either way the form has to put the collected information into a packet and send it over the network to the back end, which gives us the chance to tamper with it.
- We first choose a place and run the query. According to the SQL statement it returns, we need to modify the station part, so we need another tool, burp-suite. By setting burp-suite as the browser's proxy server, it acts as an intermediary server, so we can intercept all packets sent from the browser and modify their contents as we want.
- Open burp-suite, go to proxy, and under options add a new proxy listener (the default is 8080, but that port is occupied by apache2)
- After changing the browser's proxy server, select a city and you will find that burp-suite has captured the packet we just sent out
Log Spoofing
- The task asks us to make it look as if admin completed the login; in fact the basic goal is just to get a record saying that the administrator admin logged in successfully written into the log
- First we try: no matter what user name we enter, the log shows that the login failed
- This time I tried making some changes to the input user name. Enter guest and click OK to view the feedback
- This gives us an idea. Any user name we enter is written into the log, so if the record we want ends up in the log, our goal is reached. We therefore construct input that contains an encoded newline character:
guest%0aLogin Succeeded for username:admin
The final result shows that the spoofing succeeded
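The defensive side of this lesson, as an added example that is not part of the original report: the forged record only works because the decoded user name reaches the log with its line break intact. The "Login failed for username:" log format and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# The input quoted on this page: %0a decodes to a line feed.
PAGE_INPUT = "guest%0aLogin Succeeded for username:admin"

# CR, LF, the other C0 control characters and DEL.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def log_line_unsafe(raw_username):
    """Builds the entry the way a vulnerable handler would (assumed format)."""
    username = unquote(raw_username)      # the server URL-decodes the field
    return "Login failed for username: " + username


def neutralize(value):
    """Replaces every control character with a visible \\xNN escape."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def log_line_safe(raw_username):
    """Same entry, with the user-controlled field neutralized before logging."""
    return "Login failed for username: " + neutralize(unquote(raw_username))


def has_line_break(raw_value):
    """Detection check for request fields: CR or LF present after decoding."""
    decoded = unquote(raw_value)
    return "\r" in decoded or "\n" in decoded


if __name__ == "__main__":
    print(log_line_unsafe(PAGE_INPUT))    # two physical lines, second one forged
    print(log_line_safe(PAGE_INPUT))      # one line, line feed shown as \x0a
```

With the field neutralized, a reviewer reading the log sees one failed login whose user name contains an escaped line feed, which is itself a useful indicator to alert on.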
String SQL Injection
- By entering a statement into the query, the entire table is displayed; the input here is
' or 1=1;--
- The SQL statement after injection is
SELECT * FROM user_data WHERE last_name = '' or 1=1;--'
that is, it queries all the information in the table
Stage 3 Numeric SQL Injection
- This experiment requires us to log in as Larry and browse Neville's profile. First log in the same way as in the previous experiment; at this point clicking ViewProfile has no effect
- In the proxy, change the action from Login to ViewProfile
- Change the ID so that Neville's ID is placed first
112 or 1=1 order by salary desc--
- Success: Neville's information is displayed.
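The two inputs from the String SQL Injection and Stage 3 Numeric SQL Injection exercises above, run against a concatenated query and against a parameterized one. This is an added example, not code from the report or from WebGoat; parameterized queries are a defense the report does not name, and the table contents, Larry's ID and the function names are constructed for illustration.

```python
import sqlite3

STRING_PAYLOAD = "' or 1=1;--"                         # input quoted on this page
NUMERIC_PAYLOAD = "112 or 1=1 order by salary desc--"  # input quoted on this page


def make_db():
    """In-memory stand-in for the lesson tables; every row is constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_data (userid INTEGER, last_name TEXT)")
    db.executemany("INSERT INTO user_data VALUES (?, ?)",
                   [(101, "Snow"), (102, "Smith"), (103, "O'Brien")])
    db.execute("CREATE TABLE employee (userid INTEGER, first_name TEXT, salary INTEGER)")
    db.executemany("INSERT INTO employee VALUES (?, ?, ?)",
                   [(101, "Larry", 55000), (112, "Neville", 450000)])
    return db


def by_name_unsafe(db, last_name):
    """Vulnerable: the input is concatenated into the SQL text and parsed as SQL."""
    sql = "SELECT * FROM user_data WHERE last_name = '" + last_name + "'"
    return db.execute(sql).fetchall()


def by_name_safe(db, last_name):
    """Hardened: the input is bound as a value, so quotes and -- stay data."""
    return db.execute("SELECT * FROM user_data WHERE last_name = ?",
                      (last_name,)).fetchall()


def profile_unsafe(db, employee_id):
    """Vulnerable numeric variant: no quote is needed to change the query."""
    sql = "SELECT * FROM employee WHERE userid = " + employee_id
    return db.execute(sql).fetchall()


def profile_safe(db, employee_id):
    """Hardened: int() raises ValueError on non-numeric input, then bind it."""
    return db.execute("SELECT * FROM employee WHERE userid = ?",
                      (int(employee_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(by_name_unsafe(db, STRING_PAYLOAD))   # every row in user_data
    print(by_name_safe(db, STRING_PAYLOAD))     # no rows
    print(profile_unsafe(db, NUMERIC_PAYLOAD))  # all employees, Neville first
```

The constructed O'Brien row shows why binding is preferable to converting quotes: the legitimate name breaks the concatenated query but is found by the parameterized one.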
Blind Numeric SQL Injection
- As the title suggests, we can check whether a number we enter is valid, for example
101
so we can construct "condition 1 AND condition 2" and use whether the final result is valid to determine whether condition 2 is true.
- For example, we can construct
101 AND ((SELECT pin FROM pins WHERE cc_number='1111222233334444') > 5236 );
to test whether the PIN value is greater than 5236; by this principle we can keep narrowing the range of the PIN we are searching for until we find its value
- However, what I do not understand is why we cannot simply enter numbers directly and observe whether the result is valid or invalid to determine whether the number is greater or less than the PIN value. Bisection could also approach the PIN value step by step that way, so I do not know why injection is still needed
Blind String SQL Injection
- The basic idea is similar to the previous blind numeric injection, but the object being guessed becomes the ASCII code of each character, which is essentially still guessing a number.
- Construct
101 AND (SUBSTRING((SELECT name FROM pins WHERE cc_number='4321432143214321'), x, y) = 'h' );
to test what the string we need is.
- Because there are far more tests than in the previous exercise, entering them all by hand is too much work, so we use burp-suite's intruder with payloads for brute forcing, testing all the possibilities
(ii) XSS attack
Phishing with XSS (cross-site scripting phishing attack)
- In the menu bar, select Cross-site scripting, then Phishing with XSS. This attack is like an advanced version of the previous exercise: not only script tags but also other tags can be inserted to form complete web code (below)
</form><script> function hello(){ alert("hello,5319"); }</script><form> <br><br>
- Forge a web page and pass the captured user name and password to WebGoat/capture
name="login" value="login" onclick="hack()
- Click login and hack() executes: it obtains the user name and password and pops up a window reading
Had this been a real attack... Your credentials were just stolen. User name = "your username" Password = "Your password"
Stored XSS Attacks (stored-type XSS attack)
- In a stored XSS attack the attacker's data is stored on the server side, and the attack persists for as long as the attack data does.
- Enter in message
<script>alert("It's 5236!");</script>
- A hyperlink then appears; clicking it pops up:
It's 5236!
- You can use the entered script to steal information.
- The attack code is stored on the server side and is executed each time it is loaded.
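The output-encoding defense from the basic-question answers, applied to the message stored in this exercise (an added example, not code from the report or from WebGoat). The list-item markup and function names are assumptions; the parser is there only to check how a browser-like HTML parser would read each result.

```python
from html import escape
from html.parser import HTMLParser

STORED_MESSAGE = '<script>alert("It\'s 5236!");</script>'  # message from this page


def render_entry_unsafe(title, message):
    """Vulnerable: stored values are pasted into the page as markup."""
    return '<li><a href="#" title="' + title + '">' + message + '</a></li>'


def render_entry_safe(title, message):
    """Hardened: encode on output; quote=True also covers attribute values."""
    return ('<li><a href="#" title="' + escape(title, quote=True) + '">'
            + escape(message, quote=True) + '</a></li>')


class _Collector(HTMLParser):
    """Records the start tags and title attributes a parser actually sees."""

    def __init__(self):
        super().__init__()
        self.tags, self.titles = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.titles += [value for key, value in attrs if key == "title"]


def parse(markup):
    """Returns (start tags, title attribute values) found in the markup."""
    collector = _Collector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.titles


if __name__ == "__main__":
    print(parse(render_entry_unsafe("note", STORED_MESSAGE))[0])  # includes 'script'
    print(parse(render_entry_safe(STORED_MESSAGE, STORED_MESSAGE)))
```

In the safe rendering the message survives unchanged as text in both the attribute and the element body, but no script element is created.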
Reflected XSS Attacks
- Reflected XSS attack
- Enter the following in the input box to get the cookies
<SCRIPT>alert(document.cookie);</SCRIPT>
- You can also put it in the specified URL value, where the effect is a pop-up box
http://www.targetserver.com/search.asp?input=<script>alert("hello20145236");</script>
(iii) CSRF attack
CSRF (Cross Site Request Forgery)
- Enter this in the message
where 280 is the src of my page, 900 is the menu of my page, and 100000 is the amount of money transferred
- Click submit and the code will be executed
CSRF Prompt By-Pass
Similar to the previous experiment, a malicious request is again sent by mail. Here a request confirmation step has been added, so two iframe elements are required, as follows:
<iframe src="attack?Screen=your-own-src&menu=your-own-menu&transferFunds=5000"> </iframe>
<iframe src="attack?Screen=your-own-src&menu=your-own-menu&transferFunds=CONFIRM"> </iframe>
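The token defense named in the basic-question answers, checked against both requests of the prompt by-pass above (an added example, not code from the report or from WebGoat). The csrf_token parameter name, the session IDs and the HMAC construction are assumptions; the Screen, menu and transferFunds values reuse numbers from this page as constructed sample requests.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (hypothetical name)

# The two requests the iframes would send; neither can carry the token,
# because the page that embeds them cannot read it from the victim's session.
FORGED_REQUESTS = [
    "Screen=280&menu=900&transferFunds=5000",
    "Screen=280&menu=900&transferFunds=CONFIRM",
]


def issue_token(session_id):
    """Token bound to one session, embedded only in forms the site itself serves."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_authorized(session_id, query):
    """Accepts a state-changing request only if it carries the session's token."""
    supplied = parse_qs(query).get("csrf_token", [""])[0]
    expected = issue_token(session_id)
    # Constant-time comparison on bytes, so non-ASCII input cannot raise.
    return hmac.compare_digest(supplied.encode(), expected.encode())


def legitimate_request(session_id, amount):
    """What the site's own transfer form submits for this session."""
    return ("Screen=280&menu=900&transferFunds=%s&csrf_token=%s"
            % (amount, issue_token(session_id)))


if __name__ == "__main__":
    sid = "session-A"                   # constructed session identifier
    for request in FORGED_REQUESTS:
        print(request, "->", is_authorized(sid, request))       # False
    print(is_authorized(sid, legitimate_request(sid, 5000)))    # True
```

The confirmation step adds nothing on its own, since it is just a second forgeable request; the token check rejects both.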
Three, the experiment summary and experience
This experiment used WebGoat and covered SQL injection, XSS attacks and CSRF attacks. Because the pages are entirely in English, it was also something of a test of my English = =. In the last Web Foundation experiment, my understanding of SQL injection and XSS attacks was only superficial, and the functions implemented were very simple; in this experiment I learned these points of knowledge in a very intuitive way. This experiment also warns us that when programming a website we must check that the information users enter is legitimate, otherwise it will be very dangerous.