20145326 Cai "Cyber Confrontation"--web Security Foundation Practice

Tags: sql injection attack, csrf attack

1. Answer questions after the experiment

(1) The principle of the SQL injection attack and how to defend against it.

Principle:

    • A SQL injection attack supplies specially crafted input as a parameter to the web application. The input is mostly made up of SQL syntax, so the SQL statement that gets executed performs the attacker's actions. The root cause is that the program does not carefully filter the data entered by users, so illegal data enters the system.

    • In terms of the underlying technique, SQL injection can be divided into platform-layer injection and code-layer injection. The former is caused by an insecure database configuration or a vulnerability in the database platform; the latter is mainly due to the programmer not carefully filtering input, so that an illegal query is executed.

Defense:

    • Never trust user input. Validate all user input; regular expressions can be used for this.

    • Never use a database connection with administrator rights; use a separate, limited database connection for each application.

    • Do not store confidential information in plain form; encrypt or hash passwords and other sensitive information.

    • The application's exception messages should give as few hints as possible.

(2) The principle of the XSS attack and how to defend against it.

Principle:

    • XSS is a computer security vulnerability that frequently appears in web applications. It allows a malicious web user to embed code into pages that are shown to other users; the code can be HTML or client-side script. This type of vulnerability is widely known for being used by hackers to build more damaging phishing attacks. The consensus among hackers is that cross-site scripting is a new kind of "buffer overflow attack", and JavaScript is the new "shellcode".

Defense:

    • The traditional XSS defense uses feature matching, which is applied to all submitted information. For this type of XSS attack, the pattern-matching method typically searches for the "javascript" keyword; once a submission is found to contain "javascript", it is treated as an XSS attack.

(3) The principle of the CSRF attack and how to defend against it.

Principle:

    • A CSRF attack can be understood this way: an attacker steals your identity and sends malicious requests in your name. What CSRF can do includes sending mail and messages in your name, stealing your account, even buying goods or transferring virtual money... The resulting problems include personal privacy breaches and threats to property security.

    • A CSRF attack exploits the web's implicit authentication mechanism! Although the web's authentication mechanism can guarantee that a request comes from the user's browser, it cannot guarantee that the request was actually sent by the user!

Defense:

    • Check user submissions by means of the Referer header, a token, or a verification code.
    • Try not to expose users' private information in page links.
    • It is best to use POST for actions such as user modification and deletion.
    • Avoid general-purpose cookies and set the cookie domain strictly.

2. Experiment summary and experience
    • The experiment used WebGoat to try out XSS attacks, CSRF attacks and SQL injection attacks, which left a very deep impression. The reason we are able to carry out these attacks is not only because the web design itself is flawed! We are also too careless when using the web, never expecting that some dangerous situation might arise. I think that we should learn more about network attack and defense knowledge and techniques, such as how XSS attacks and the various kinds of SQL injection attacks are carried out. This does not mean that we have to become hackers who attack other people's websites and steal other people's information; rather, it is to understand what an XSS or SQL injection scenario is, then discover the cause of the vulnerability, think about why the bug was created and how to fix it. Network attack and defense is an art; in the game of attack and defense both sides drive each other forward, and our information society can develop better.

3. Practice process: record of the WebGoat exercises
    • WebGoat runs on a platform with a Java virtual machine and offers many training lessons, including XSS, thread safety, SQL injection and so on; our experiment was carried out on the WebGoat platform. Following the instructions given by the teacher, install WebGoat and log in.

    • I don't know the difference between logging in as webgoat and logging in as guest...

XSS attack

(1) Stored XSS Attacks
    • The purpose of the experiment is to carry out an XSS attack through the message of a new post.
    • That is, write any code that can be executed in the browser; clicking the successfully created post then triggers the attack.
    • Write the message content as <script>alert("It's 20145326caixinyi~");</script>

(2) Reflected XSS Attacks
    • This experiment also enters executable code in an input box, and the attack is triggered after submission.
    • Using Burp Suite we find that UpdateCart and Purchase both submit their data by POST.
    • The values of "Enter your credit card number" and "Enter your three digit access code" are returned in the page exactly as they were posted, so the JavaScript is placed here.
    • Here is the JavaScript, entered in the Access Code box, that reads the cookie: <script>alert(document.cookie);</script>

    • Although the effect of this experiment is similar to that of the stored XSS experiment, the principles differ: stored XSS is persistent, and its code is stored on the server.
    • A reflected XSS attack is non-persistent, meaning its code does not reside on the server; stored XSS attacks are generally the more dangerous.
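As an added example (not code from the original post or from WebGoat), the following Python snippet checks the keyword-matching defense described in section 1(2) against the two payloads used in the lessons above, and contrasts it with output encoding of the message. The page template is constructed for the example.

```python
import html
import re

# The two payloads submitted in the lessons above.
STORED_PAYLOAD = '<script>alert("It\'s 20145326caixinyi~");</script>'
REFLECTED_PAYLOAD = "<script>alert(document.cookie);</script>"


def keyword_filter_blocks(submission):
    """The traditional defense from section 1(2): any submission containing 'javascript' is treated as XSS."""
    return "javascript" in submission.lower()


def render_unsafe(message):
    # What the vulnerable lessons do: the submission is pasted into the page verbatim,
    # so the browser parses the <script> tag and runs it.
    return '<div class="message">' + message + "</div>"


def render_safe(message):
    # Output encoding for an HTML text context: <, >, &, " and ' become entities,
    # so the same bytes are displayed as text instead of being parsed as markup.
    return '<div class="message">' + html.escape(message, quote=True) + "</div>"


def page_has_script_tag(page):
    """Does the rendered page contain a real <script> tag that the browser would execute?"""
    return re.search(r"<script\b", page, re.IGNORECASE) is not None


if __name__ == "__main__":
    for payload in (STORED_PAYLOAD, REFLECTED_PAYLOAD):
        print("keyword filter blocks it:", keyword_filter_blocks(payload))              # False for both
        print("unsafe page executes it: ", page_has_script_tag(render_unsafe(payload)))  # True
        print("escaped page executes it:", page_has_script_tag(render_safe(payload)))    # False
    # The filter does fire, but on harmless text that merely mentions the word.
    print(keyword_filter_blocks("I am learning JavaScript this term"))                   # True
```

The encoding must match the context the value lands in; html.escape is right for element text and quoted attribute values, not for a value placed inside a script block or a URL.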
(3) CSRF attack
    • The experiment is to write, in a new message, content whose src URL carries the Screen and menu parameters given by the topic together with a transferFunds numeric parameter, so that the attack request is issued when the message is viewed.
    • The iframe element in HTML can be used; it automatically connects to and opens the page named in src.
    • The content written in the message here is <iframe src="attack?Screen=284&menu=900&transferFunds=5000"></iframe>
    • Note that the values of Screen and menu may not be the same on everyone's computer; they can be viewed at the bottom of the current page.
    • After submission, a new message appears in the message list. Clicking the message makes the current page load and display it, and the user's 5000 yuan is transferred, achieving the purpose of the CSRF attack.

(4) CSRF Prompt By-pass attack
    • Here the contents of the message are written as:

<iframe src="attack?Screen=271&menu=900&transferFunds=5000"> </iframe>

<iframe src="attack?Screen=271&menu=900&transferFunds=CONFIRM"> </iframe>

    • This experiment is similar to the previous one and also issues the malicious request through the message.
    • Not only is the transferFunds numeric parameter changed, but the confirmation step of the process must also be requested, so two iframe elements are required.
    • The URL needs to use the following two parameters: transferFunds=5000 and transferFunds=CONFIRM
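As an added example that is not part of the original post or of WebGoat, here is a Python check that applies three of the defenses listed in section 1(3), POST only, a Referer/Origin check and a per-session token, to the kind of transfer request the iframes above trigger. The host name webgoat.example, the header values and the form field names are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

APP_HOST = "webgoat.example"            # assumed host name of the application
SERVER_KEY = secrets.token_bytes(32)    # per-deployment secret, generated fresh for this example


def issue_csrf_token(session_id):
    # Derived from the victim's session with a key the attacker does not have; the attacker's
    # page cannot read it either, so the iframe request cannot carry a matching value.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_site_origin(headers):
    # Referer/Origin check from the defense list: the request must name our own host.
    # A missing header is treated as foreign rather than trusted.
    source = headers.get("Origin") or headers.get("Referer")
    return bool(source) and urlsplit(source).hostname == APP_HOST


def transfer_allowed(method, headers, session_id, form):
    """Accept a funds transfer only as a POST, from our own origin, with a valid session token."""
    if method != "POST":        # <iframe src="attack?...transferFunds=5000"> can only issue a GET
        return False
    if not same_site_origin(headers):
        return False
    if not hmac.compare_digest(form.get("csrf_token", ""), issue_csrf_token(session_id)):
        return False
    return "transferFunds" in form


if __name__ == "__main__":
    sid = "victim-session-id"
    # Constructed version of the request the lesson's iframe triggers: a GET carrying the
    # victim's cookies but no token, with the attacker's message page as Referer.
    forged = {"transferFunds": "5000"}
    print(transfer_allowed("GET", {"Referer": "http://attacker.example/message"}, sid, forged))
    # A legitimate submission from the application's own form.
    genuine = {"transferFunds": "5000", "csrf_token": issue_csrf_token(sid)}
    print(transfer_allowed("POST", {"Origin": "http://webgoat.example"}, sid, genuine))
```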

SQL injection attack

(1) Numeric SQL injection
    • The original function is to select a location and show the weather conditions for that location.
    • With SQL injection, the function becomes: select one location and show the weather conditions for all locations.
    • In Kali, Burp Suite can be used as the web proxy to edit the contents of submitted pages before they are sent to the server.
    • Open Burp Suite and bind the proxy listener to a port (my student number); for the address, select the local one.

    • Modify the browser's proxy preferences.

    • In effect Burp Suite acts as an intermediary server, so that every packet flows through it.

    • Once it is set up, go back to the topic, choose a location and click Go, then return to Burp Suite, where the captured packets appear:

    • Modify the station value, return to the proxy and toggle "Intercept is on" so that the remaining packets are not held; back in Firefox, the injection has succeeded.

    • After Burp Suite is closed, the browser's preferences must be restored before the web can be used normally again.
(2) String SQL injection
    • This experiment is similar to numeric SQL injection: originally only one person's information can be found; by injecting a SQL statement the entire table is displayed.
    • For the last name, enter ' or 1=1;-- , which constructs an always-true condition. Because last name is a character type, a single quotation mark must be added at the beginning.

(3) Database backdoors, Step 1
    • This experiment injects multiple SQL statements through the user ID, where 101 is the existing account ID given by the topic;
    • Enter 101 or 1=1;update employee set salary=53260; as the user ID.
    • This displays the whole contents of the user table and changes the salary values at the same time.
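As an added example, not part of the original post or of WebGoat, the following Python script shows why the string injection in (2) and the or 1=1 part of the numeric injections in (1) and (3) work, and how the parameterised queries and input validation recommended in the defense list of section 1(1) stop them. The table, its rows and the column names are constructed for this example and run against an in-memory SQLite database.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the lesson's user table (not WebGoat's real schema or data).
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user_data (userid INTEGER, first_name TEXT, last_name TEXT, salary INTEGER);
        INSERT INTO user_data VALUES (101, 'Joe',  'Snow',  40000);
        INSERT INTO user_data VALUES (102, 'John', 'Smith', 52000);
        INSERT INTO user_data VALUES (103, 'Jane', 'Plane', 61000);
    """)
    return conn


def by_last_name_vulnerable(conn, last_name):
    # String concatenation: the quote in the input closes the literal and the rest becomes SQL.
    sql = "SELECT userid, last_name FROM user_data WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def by_last_name_safe(conn, last_name):
    # Bound parameter: the value travels separately from the statement and can never become SQL grammar.
    sql = "SELECT userid, last_name FROM user_data WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


def by_userid_vulnerable(conn, userid):
    # Numeric column, so no quotes are needed: "101 or 1=1" is accepted as a boolean expression.
    sql = "SELECT userid, last_name FROM user_data WHERE userid = " + userid
    return conn.execute(sql).fetchall()


def by_userid_safe(conn, userid):
    # Validate the type first (the "never trust user input" rule), then bind it.
    if not userid.isdigit():
        raise ValueError("user id must be numeric")
    sql = "SELECT userid, last_name FROM user_data WHERE userid = ?"
    return conn.execute(sql, (int(userid),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(by_last_name_vulnerable(db, "' or 1=1;-- "))  # all three rows
    print(by_last_name_safe(db, "' or 1=1;-- "))        # [] : no such last name
    print(by_userid_vulnerable(db, "101 or 1=1"))       # all three rows
    try:
        by_userid_safe(db, "101 or 1=1")
    except ValueError as err:
        print("rejected:", err)
```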

(4) Database backdoors, Step 2
    • The SQL statement to be used in this experiment is already given by the topic.
    • The goal is to use that SQL statement so that, whenever a new user is added to the user table, the new user's mailbox is changed to a fixed mailbox.

(5) Blind Numeric SQL Injection
    • The goal of the experiment is to find the PIN for cc_number 1111222233334444.
    • Entering a normal user ID tells us whether that user exists.
    • We first test the effect; 101 is the known user ID given by the topic.

    • The ID 100 is not valid.

~ It is nothing more than exhaustive search ~
    • We know that the PIN is a numeric value, and to find the PIN for this cc_number we can only try.

    • Use < and > to roughly determine the range, combined with AND: before the AND is an existing user ID, for example 101; after the AND is a statement comparing the PIN value against a bound. If the page reports that the user exists, the comparison holds, so keep narrowing the range until the value is uniquely determined.

    • In the Number box, enter 101 AND ((SELECT pin FROM pins WHERE cc_number='1111222233334444') = 2364 );

    • After slowly narrowing the range, the PIN value can finally be placed between 2000 and 2500; then open Burp Suite, set the proxy, capture the packet and send it to Intruder for brute force. For the specifics refer to classmate LXM's blog, which explains this part very clearly.
    • When the corresponding PIN value is found, enter it in the box and the experiment passes.

(6) Command injection
    • A command injection attack attempts to inject a command line into the operating system.

    • But no place to inject was found, so we reasoned that the injection should be done with Burp Suite!

    • We analyze the first packet by sending it to Repeater:

    • We find that the part to modify is a command-line cat statement.

    • The injected command is AccessControlMatrix.help" && ifconfig", preceded by the original normal command.

    • On the command line, && executes another statement, and the trailing double quotation mark closes the original double quotation mark!
    • Click Go again and the ifconfig statement is executed!
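As an added example (not WebGoat's own code), the following Python function shows the defense for the lesson above: the help-file name is allow-listed, resolved under a fixed directory and passed to cat as one argv element with no shell, so the quote and && in the injected string are never interpreted. The directory layout and the regular expression are assumptions.

```python
import re
import subprocess
from pathlib import Path

# Allow-list for the help-file parameter: letters, digits, underscore, then ".help" (an assumption
# about what valid names look like). Quotes, spaces, '&', '/' and '..' can never match.
HELP_NAME = re.compile(r"[A-Za-z0-9_]+\.help")


def help_argv(name, help_dir):
    """Return the argument vector that displays one help file, or raise if the name is not acceptable."""
    if not HELP_NAME.fullmatch(name):
        raise ValueError("invalid help file name: %r" % name)
    base = Path(help_dir).resolve()
    target = (base / name).resolve()
    if base not in target.parents:          # second guard: the file must stay inside help_dir
        raise ValueError("path escapes the help directory")
    # One argv element per argument and no shell, so a quote or && inside the name would be
    # an ordinary character of the file name, not a command separator.
    return ["cat", str(target)]


def show_help(name, help_dir):
    done = subprocess.run(help_argv(name, help_dir), capture_output=True, text=True, check=True)
    return done.stdout


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        Path(d, "AccessControlMatrix.help").write_text("Access Control Matrix help text\n")
        print(show_help("AccessControlMatrix.help", d), end="")
        for bad in ('AccessControlMatrix.help" && ifconfig"', "../etc.help"):
            try:
                help_argv(bad, d)
            except ValueError as err:
                print("rejected:", err)
```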

(7) Log Spoofing
    • The experiment is to mislead others by using %0d%0a (carriage return and line feed) together with text in the user name: although a "login succeeded" message appears in the log, the login in fact failed.
    • The user name here is written as %0d%0aLogin succeeded !admin
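As an added example that is not part of the original post or of WebGoat, the following Python code shows how the user name above splits one log record into two, and how escaping CR/LF before logging prevents it. The log message format is constructed.

```python
from urllib.parse import unquote

# The user name submitted in the lesson, exactly as it travels in the request.
SPOOFED_USERNAME = "%0d%0aLogin succeeded !admin"
LOG_FORMAT = "Login failed for username: %s"    # constructed log message, not WebGoat's exact text


def log_lines_unsafe(raw_username):
    """Decode the field and write it straight into the log, as the vulnerable lesson does."""
    record = LOG_FORMAT % unquote(raw_username)
    return record.split("\n")          # each element is what a log reader sees as one line


def sanitize_for_log(value):
    # Turn CR, LF and other control characters into visible escapes, so submitted text can
    # never terminate the current log line or fabricate a new one.
    out = []
    for ch in value:
        if ch == "\r":
            out.append("\\r")
        elif ch == "\n":
            out.append("\\n")
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def log_lines_safe(raw_username):
    record = LOG_FORMAT % sanitize_for_log(unquote(raw_username))
    return record.split("\n")


if __name__ == "__main__":
    print(log_lines_unsafe(SPOOFED_USERNAME))   # two lines; the second reads like a successful login
    print(log_lines_safe(SPOOFED_USERNAME))     # one line with a literal \r\n in it
```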

