20155207 "Cyber Confrontation" EXP9 Web Security Fundamentals Experiment Content
- About Webgoat
- Cross-site Scripting (XSS) Exercise
- Injection Flaws Practice
- CSRF Attack
## Experiment Summary and Experience
This experiment covered ten related WebGoat exercises: SQL injection, which builds on last week's work of constructing SQL statements from strings typed into a text box; XSS attacks, carried out by submitting text in a text box or by sending mail; and CSRF, where e-mail is used to send an HTML object containing a malicious URL request that takes advantage of the user's cookie to perform an illegal operation.
## Basic Question Answers
- (1) SQL injection attack principle, how to defend?
Principle: a SQL injection attack passes specially crafted input, mostly fragments of SQL syntax, to a web application as a parameter; when the application embeds that input in a SQL statement and executes it, the attacker's intended actions are carried out and the database can be read or modified illegally.
Defense:
1. Validate user input, for example with regular expressions, and convert (escape) sequences such as the double "-" comment marker.
2. Do not use dynamically assembled SQL; use parameterized SQL, or call stored procedures directly for data access.
3. Do not connect to the database with administrator rights; give each application its own account with only the limited permissions it needs.
4. Do not store confidential information in plain text; encrypt or hash passwords and other sensitive data.
5. Application error messages should reveal as little as possible.
6. Use auxiliary tools or a website platform's scanner to detect SQL injection.
- (2) XSS attack principle, how to defend?
Principle: XSS is a security vulnerability that often appears in web applications. It lets a malicious web user embed code (such as HTML and client-side script) into a page that other users will view, and an attacker can use the XSS flaw to bypass access control.
Defense:
1. Feature matching: check every submitted value against known patterns. Typically the keyword "javascript" is searched for, and a submission containing it is treated as an XSS attack.
2. Reliable input validation of everything the user submits, including URLs, query keywords, HTTP headers and POST data: accept only content within a specified length range, in the expected format and made of the expected characters, and filter out the rest.
3. Use session tokens, a CAPTCHA system or HTTP Referer header checks to prevent functions from being invoked by third-party websites.
- (3) Which dynamic languages does a web server support?
ASP, PHP, JSP, Python
## Experiment Process Record
### WebGoat
- Start WebGoat: `java -jar webgoat-container-7.0.1-war-exec.jar`
- Visit `localhost:8080/WebGoat` in the browser and log in
![](https://images2018.cnblogs.com/blog/1071578/201806/1071578-20180602165111495-1976490617.png)
### XSS Attack
#### Phishing with XSS
- In this exercise we enter the XSS attack code in the search box:
- After entering the attack code in the search box and clicking Search, a form appears asking for a username and password; enter them and click Sign In, and WebGoat captures and displays the information you entered:
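The phishing form in this lesson appears because the search term is written back into the page unencoded. As an added example that is not WebGoat's own code, the following Python sketch contrasts a handler that reflects the term verbatim with one that applies the input validation and output encoding from answer (2); the page template, the allow-list pattern and the sample input are constructed for illustration.

```python
import html
import re

# Minimal model of a search page that reflects the query back to the user.
# Constructed for this write-up; it is not WebGoat's own code.
PAGE = "<h2>Results for: {term}</h2>\n<p>No results found.</p>"

# Allow-list for the search field: letters, digits, spaces and a few punctuation
# marks, at most 64 characters (the "length range / expected characters" check).
QUERY_RE = re.compile(r"^[\w .,'-]{1,64}$")


def render_unsafe(term: str) -> str:
    """Reflect the term verbatim: whatever markup was submitted becomes part
    of the page, which is what lets the phishing form appear in the lesson."""
    return PAGE.format(term=term)


def render_safe(term: str) -> str:
    """Reflect the term HTML-encoded so '<', '>', '&' and quotes are shown as
    text instead of being parsed as tags or attributes."""
    return PAGE.format(term=html.escape(term, quote=True))


def validate_query(term: str) -> bool:
    """Server-side input validation: reject anything outside the allow-list."""
    return QUERY_RE.fullmatch(term) is not None


def handle_search(term: str) -> tuple:
    """Defended handler: validate first, then encode on output.
    Returns (HTTP status, body)."""
    if not validate_query(term):
        return 400, render_safe("[rejected]")
    return 200, render_safe(term)


def reflects_raw_markup(body: str, term: str) -> bool:
    """Check used when testing a page: is a submitted tag present unencoded?"""
    return "<" in term and term in body


# Constructed sample input: a harmless tag standing in for the lesson's payload.
SAMPLE = "<b>hello</b>"

if __name__ == "__main__":
    print(reflects_raw_markup(render_unsafe(SAMPLE), SAMPLE))  # True
    print(reflects_raw_markup(render_safe(SAMPLE), SAMPLE))    # False
    print(handle_search(SAMPLE)[0])                             # 400
```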
#### Reflected XSS (reflected XSS attack)