20145301 Zhao Jiaxin "Cyber Confrontation" EXP9 Web Security Fundamentals Practice Experiment Answer questions (1) SQL injection attack principle, how to defend
SQL injection attack principle: SQL is an ANSI standard computer language used to access and manipulate database systems. SQL statements are used to retrieve and update data in the database. SQL injection is a technique for modifying a background SQL statement to achieve the purpose of executing code execution by manipulating input. By constructing a special input as a parameter to the Web application, the execution of an attacker's actions by executing SQL statements is mainly due to the fact that the program does not filter the user input data carefully, resulting in illegal data intrusion into the system.
There are two primary forms of SQL injection attacks. One is to insert the code directly into a user input variable that is concatenated with the SQL command and makes it executable. The second is an indirect attack method that injects malicious code into a string to be stored in a table or stored as the original book. The stored string is connected to a dynamic SQL command to execute some malicious SQL code.
SQL Injection Defense Method:
- The normal user and the system administrator user's permission to have the strict distinction.
- Force the use of parameterized statements.
If you are writing an SQL statement, the variables entered by the user are not embedded directly into the SQL statement. Instead of passing this variable through parameters, it is possible to effectively prevent SQL injection attacks.
- Enhance the validation of user input.
To strengthen the inspection and validation of user input content, to filter the input data, and to filter the keywords of common SQL statements. Tests the contents of a string variable, accepting only the desired value. Rejects input that contains binary data, escape sequences, and comment characters.
- Use the security parameters that are available from the SQL Server database.
To reduce the negative impact of injection attacks on SQL Server databases, a relatively secure SQL parameter has been specifically designed in the SQL Servers database. In the database design process, engineers should try to use these parameters to eliminate malicious SQL injection attacks.
(2) The principle of XSS attack, how to defend
-
XSS attack principle
- XSS is a computer security vulnerability that often appears in web apps that allows malicious Web users to embed code into pages that are available to other users. For example, the code includes HTML code and client script. An attacker could bypass access control by using an XSS vulnerability-such as the Origin policy (same). This type of vulnerability is used by hackers to write more harmful phishing (Phishing) attacks. For cross-site scripting attacks, the hacker consensus is that cross-site scripting attacks are a new type of "buffer overflow attack", and JavaScript is the new "ShellCode". It is called XSS in order to differentiate it from CSS cascading style sheets. The main purpose of the
- XSS attack is to find a way to get a cookie for the target attack site, because the cookie is equivalent to having a seesion, and with this information you can log on to the website on any PC that can access the Internet.
XSS Defense measures
- HttpOnly preventing the hijacking of cookies
HttpOnly was first proposed by Microsoft, and has become a standard so far. The browser will disallow JavaScript on the page to access cookies with the HttpOnly attribute. Currently mainstream browsers support the HttpOnly solution is XSS after the cookie support attack.
- Input check for filtering
The input check is generally to check whether the data entered by the user contains special characters, such as <, >, ', ', etc., if special characters are found, the characters are filtered or encoded. When malicious code is displayed as a property of a tag, by using "Truncate attributes to open up new properties or malicious methods: both the single and double quotes that exist in the property itself need to be transcoded, the HTML tags and tag attributes that are entered by the user are whitelisted, and the tags and attributes of some vulnerabilities can be specifically filtered."
- HTML attribute encoding of untrusted data when inserted into HTML attributes
This principle refers to HTML attribute encoding of the data when you are inserting the non-trusted data into the value portion of the HTML attribute (for example, width, name, Value property) (data value). It should be noted, however, that this rule does not apply when inserting data into an event-handling attribute (such as onmouseover) of an HTML tag, which should be encoded in JavaScript using the principle 4 described below.
(3) XSRF attack principle, how to defend
The principle of CSRF
- Cross-site Request forgery (cross-site solicitation forgery), also known as CSRF, is a common web-attack approach
The attack form is described as follows:
The user logs in and accesses a normal site
In the same browser instance, keep the normal web site open, the user opened a malicious website (malicious site through a number of links or spam and other forms to trick users to point a link)
Malicious Web pages contain malicious code.
To complete a csrf attack, the victim must complete two steps in turn: 1. Log on to trusted Web site A and generate cookies locally. 2. If you do not log out a, visit the dangerous website B.
XSRF's defense
In some important operation to change the system data (such as Submit order, change password, delete). ), add an action token for verification. This action token is a hidden field of the form as it was previously generated by the application, such as when the form was drawn.
Action token = F (k,c), where K is a key that only the application server knows, C is the indicator of the session, can be a picture verification code, or a pseudo-random value.
When an application accepts a request, it first verifies that the action token is legal, checks for C, and then uses F (k,c) to calculate the action token, which is considered safe if the result of the calculation is the same as the action token value submitted by the form.
Experiment Summary and experience
- This experiment was tested and attacked by Webgoat, Webgoat is very suitable for teaching and practiced hand, installation is also very convenient, only need Java jar package, Java environment can be used. You can also have a basic test of your use, do the right to display the check mark. This experiment, respectively, tried SQL, CSRF, XSS attacks, attack scene type is also more abundant, but also relatively simple, distance from the actual combat there is a certain distance, of course, should deal with some design flaws, security is insufficient small site is enough, but also let us more intuitive experience the vulnerability of the web.
- Of course, in addition to understanding all kinds of basic attack means, but also warns us that the site design is not easy, we have learned that the site design is really fur in the fur, not only functional, beautiful and other visual problems. How to avoid the vulnerability that can be exploited in the design process, how to find and rewrite is a problem worth pondering. Can only lament the school curriculum really just take us to get started, play the role of guiding guidance, after still rely on their own to learn to explore, in the failure to step forward.
Practice Process Recording Webgoat
Open Webgoat:java-jar Webgoat-container-7.0.1-war-exec.jar (download Java package first)
Do not close when you get here, minimize it
In the browser input localhost:8080/webgoat, enter the WebGoat direct point login can
SQL INJECTION Command Injection
This problem is required to be able to execute the system command on the target host, we can modify the source code directly by an extension firebug under Firefox, and add "& Netstat-an & ipconfig" next to Csrf.help:
You can then see our modified values in the drop-down menu:
Select the modified value and point to view, you can see the command is executed, the system network connection situation:
20145301 Zhao Jiaxin "Cyber Confrontation" EXP9 Web Security Foundation Practice
