20155208 Xu Zihan "Cyber Confrontation" EXP9 Web Security Basics
Experiment requirements
The objective of this practice is to understand the basic principles of commonly used network attack techniques. The exercises are carried out on WebGoat.
Experimental process
As this is the last of these exercises, I did not try the optional program this time.
WebGoat
WebGoat is a web-based vulnerability training platform developed by OWASP. It contains many vulnerabilities commonly found on the web, such as cross-site scripting, SQL injection, access control flaws, hidden fields and cookie handling.
First download WebGoat in Kali. It is a jar package; because downloading inside the virtual machine was too slow, I downloaded it on the host, copied it to the virtual machine and extracted it into the working directory. Then start WebGoat with the command java -jar webgoat-server-8.0.0.M14.jar
Next open http://localhost:8080/WebGoat in the browser to reach the login screen:
Version 7.0.1 comes with a default user name and password; log in directly and start the exercises.
Phishing with XSS
This lesson shows how a website with a known XSS vulnerability can be used to support phishing attacks.
Here a simple login form is injected. When the victim enters a user name and password, the information just entered is displayed back, with the following effect:
Attack Success!
Stored XSS Attacks
Stored XSS:
It is always good practice to sanitise all input, especially input that will later be used in OS commands, scripts and database query parameters. This is particularly important for content that is stored permanently somewhere in the application. Users should not be able to create message content that causes other users to load unwanted pages or unwanted content when they retrieve the message.
In a stored XSS attack the script is saved in the database and executed every time a user opens the page, which makes it harmful. It commonly occurs on message boards, where it is triggered every time a user views the message, and it can load unexpected pages or content when users visit:
The operation steps are:
Enter some content in the Title field.
Then enter a string of code in the message, such as:
<script>alert("attacked by xzh ");</script>
Then click to open the post you just created:
Successful Attack!
Reflected XSS Attacks
Reflected XSS:
Unlike stored XSS, reflected XSS is non-persistent: the attacker must trick users into clicking a link to trigger the XSS code, since the server does not store such a page or content. It typically appears on search pages.
The operation is as follows:
Enter an attack string as the input:
<script>alert(" attacked by xzh");</script>
Attack Success!
If wrong user information is entered, the error content is returned.
Cross Site Request forgery (CSRF)
The goal here is to send an e-mail message to a newsgroup. The message contains an image whose URL points to a malicious request. In this lesson the URL should point to the "attack" servlet with the "screen" and "menu" parameters and an extra parameter "transferFunds" with any numeric value, such as 5000. You can build the link by finding the "screen" and "menu" values in the parameters shown on the right. Any recipient of the CSRF mail who is authenticated at the time will have their funds transferred. When the attack in this lesson succeeds, a green check mark appears next to the lesson in the left-hand menu.
Enter the following code in the message box:
After submitting, a new message appears in the message list; click it and the content we want to see is shown:
Attack Success!
CSRF Prompt By-Pass
The goal is to send an e-mail message to a newsgroup that contains multiple malicious requests: the first transfers funds, and the second confirms the prompt that the first request triggered. These URLs should use the screen and menu parameters of this CSRF-prompt-by-pass lesson, plus the extra parameter "transferFunds" with a value such as "5000" to point the attack servlet at the transfer, and the string value "CONFIRM" to complete it. You can copy the lesson parameters from the illustration on the right to build a URL of the form "attack?Screen=XXX&menu=YYY&transferFunds=ZZZ". Whoever receives this e-mail while authenticated will have their funds transferred. When you think the attack has succeeded, refresh the page and a green check will appear in the left-hand menu.
The specific steps are:
Check the parameters first:
Add the following code to the message:
<iframe src="attack?Screen=src值&menu=menu值&transferFunds=转账数额"> </iframe><iframe src="attack?Screen=src值&menu=menu值&transferFunds=CONFIRM"> </iframe>
The attack succeeds, as follows:
Injection flaws Practice
SQL injection attacks pose a serious threat to any database-driven site. The method behind the attack is easy to learn, and the resulting compromises range from fairly limited to complete system takeover. Despite these risks, an incredible number of systems on the Internet are susceptible to this form of attack.
It is also good practice to sanitise all input data, especially data used in OS commands, scripts and database queries, or otherwise to block the threat of SQL injection.
Let's do the exercises in this area:
Command Injection
The aim is to execute a system command on the target host. Modify the page source with Firebug under Firefox and append the following to the Backdoors.help option:
"& netstat -an & ipconfig"
You will then notice that the option in the box has been modified; click View:
You can see that the command is executed and the system's network connections are displayed.
Numeric SQL Injection
The requirement for this exercise is that the form below lets users view weather data. Try to inject an SQL string that causes all weather data to be displayed.
Once you have successfully executed the SQL injection, try the same type of attack against the parameterized query.
Still using Firebug, append "or 1=1" to any value, such as 101 (as used in experiment eight), because the condition is always true:
OK, success!
Log Spoofing
This exercise carries out the attack by adding a line of our own to the log file.
The gray area below shows what will be written to the Web server's log file.
The goal is to make the log look as if the login succeeded for the "admin" user name.
The specific actions are:
In the User Name text box, type:
xzh%0d%0aLogin Succeeded for username: admin
Here %0d is the carriage return and %0a the line feed:
Click Login:
Attack Success!
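The defender's side of this exercise, as an added example that is not part of the original report: the %0d%0a payload above becomes two log records when the raw user name is written to the log, and neutralising CR and LF in user-controlled fields keeps it to one. The log line format is an assumption.

```python
# Added example (not the report's own code): log spoofing via CR/LF in the
# user name, and the neutralisation that prevents it. Log format is assumed.
from urllib.parse import unquote


def log_entry_unsafe(username: str) -> str:
    """Log line written with the raw user name (the vulnerable behaviour)."""
    return f"Login failed for username: {username}"


def neutralise(field: str) -> str:
    """Escape characters that could start a new log record."""
    return (field.replace("\\", "\\\\")
                 .replace("\r", "\\r")
                 .replace("\n", "\\n"))


def log_entry_safe(username: str) -> str:
    """Log line written with the user name neutralised."""
    return f"Login failed for username: {neutralise(username)}"


def record_count(log_text: str) -> int:
    """Number of records a line-based log reader or SIEM parser would see."""
    return len(log_text.splitlines())


# Constructed input: the exercise's payload as typed in the User Name box,
# after the web server URL-decodes it (%0d%0a becomes CR LF).
PAYLOAD = unquote("xzh%0d%0aLogin Succeeded for username: admin")

if __name__ == "__main__":
    print(log_entry_unsafe(PAYLOAD))  # two lines: the forged "admin" login appears real
    print(log_entry_safe(PAYLOAD))    # one line: the CR/LF are visible as \r\n
```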
String SQL Injection
In the Password field, enter
' or 1=1 --
This is SQL injection, but the login fails:
The reason is that the length limit set on the field in the page is too short, so we modify the length limit:
OK, after modifying it and logging in again, success:
SQL injection (Stage 3:numeric SQL injection)
Using Inspect to analyse this button, we find that the employee ID is passed as the parameter that indexes the record. We want to browse the boss's account information through Larry. Since the boss should generally have the highest salary, set the value to:
101 or 1=1 order by salary desc --
Here "desc" sorts the salaries in descending order, so that the boss's record is ranked first.
We can now see the boss's salary information:
Database backdoors
First look at the user's information:
Then enter the injection statement:
101; update employee set salary=90000
This modifies the salary to 90000.
Answer questions after the experiment
(1) The principle of SQL injection attacks, and how to defend against them
Principle: an SQL injection attack aims to trick the server into executing a malicious SQL command by inserting SQL into a Web form submission, or into the query string of a domain name or page request.
Defense: to prevent SQL injection, I think the main thing is to start with the code:
Use precompiled statements (PreparedStatement), which handle SQL injection as long as values are passed through the setXxx methods. The principle is that SQL injection can only do damage during the preparation (compilation) of the SQL statement; once a PreparedStatement has been prepared, the execution phase treats the input string purely as data and no longer parses it as part of the SQL statement, so the SQL injection problem is avoided;
Filter incoming parameters with regular expressions, and filter out keywords associated with SQL injection;
Use string filtering;
Have the function called in the JSP check whether the input contains illegal characters, to prevent SQL from being injected through the URL.
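The Stage 3 numeric injection above and the PreparedStatement defence described here, as one added example that is not part of the original report. The concatenated query reproduces the vulnerable lookup; the parameterised version binds the id as data and rejects non-integer input. The employee table, ids and salaries are constructed for the example.

```python
# Added example (not the report's or WebGoat's own code): the vulnerable
# string-built query beside a parameterised one, run against a constructed
# employee table. sqlite3 stands in for WebGoat's database.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (userid INTEGER, name TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)",
                     [(101, "Larry", 55000), (102, "Moe", 62000), (112, "Boss", 450000)])
    return conn


def view_profile_unsafe(conn, employee_id: str):
    """Vulnerable: the id is pasted into the SQL text, so
    '101 or 1=1 order by salary desc --' turns a one-row lookup into a
    listing of every employee, highest salary first."""
    sql = f"SELECT userid, name, salary FROM employee WHERE userid = {employee_id}"
    return conn.execute(sql).fetchall()


def view_profile_safe(conn, employee_id: str):
    """Hardened: input must parse as an integer, and the value is bound with a
    placeholder (the sqlite3 equivalent of PreparedStatement.setInt), so it can
    never change the structure of the statement."""
    try:
        uid = int(employee_id)
    except ValueError:
        raise ValueError("employee id must be an integer")
    return conn.execute(
        "SELECT userid, name, salary FROM employee WHERE userid = ?", (uid,)
    ).fetchall()


def safe_rejects(conn, employee_id: str) -> bool:
    """True if the hardened lookup refuses the supplied id."""
    try:
        view_profile_safe(conn, employee_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(view_profile_unsafe(db, "101 or 1=1 order by salary desc --"))
    print(view_profile_safe(db, "101"))
```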
(2) The principle of XSS attacks, and how to defend against them
Principle:
XSS is a code injection attack in which a malicious user injects code into a Web page that the browser then executes, so that other users are affected when they view the page. Such attacks typically involve HTML and client-side scripting languages. The main purpose of an XSS attack is to obtain the cookies of the target website's users: since the cookie is equivalent to the session, whoever holds it can log on to the site from any Internet-connected PC and do damage under the victim's identity.
Defense:
One method is to filter the required parameters before the form is submitted or the URL parameters are passed.
Check user input for illegal content, such as angle brackets and quotation marks, and strictly control (encode) the output.
(3) The principle of CSRF attacks, and how to defend against them
Principle: XSS executes the attacker's script in the user's browser to obtain information such as cookies. CSRF, by contrast, borrows the user's identity to send a request to the Web server; because the request was not intended by the user, it is called "cross-site request forgery".
Defense:
Use the Referer header, a token or a verification code to check user submissions;
Try not to expose the user's private information in page links, and preferably use POST for operations such as modification and deletion;
Avoid general-purpose cookies and strictly set the domain of cookies.
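A server-side check that applies the first two defences above to the funds-transfer request from the CSRF lessons, as an added example that is not part of the original report. The request and session dictionaries, the site origin and the mail domain are assumptions made for the example.

```python
# Added example (not the report's or WebGoat's own code): a transfer endpoint
# that requires POST, a same-site Referer and a per-session anti-CSRF token.
# The request/session shapes and the origin are assumptions.
import hmac
import secrets
from typing import Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "http://localhost:8080"  # assumed origin of the WebGoat site


def issue_token(session: dict) -> str:
    """Store a fresh random token in the server-side session; the site's own
    transfer form embeds it as a hidden field."""
    session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]


def transfer_allowed(request: dict, session: dict) -> Tuple[bool, str]:
    """request = {'method', 'headers', 'form'}; returns (allowed, reason)."""
    if request["method"] != "POST":
        # An <img src=...> or <iframe src=...> in a mail can only issue GET.
        return False, "state change must use POST"
    parts = urlsplit(request["headers"].get("Referer", ""))
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return False, "referer is not this site"
    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        # The forger cannot read the victim's session token, so it cannot supply it.
        return False, "missing or wrong anti-CSRF token"
    return True, "ok"


# Constructed requests: what the lesson's mailed image/iframe produces, versus a
# submission from the site's own transfer form.
FORGED = {"method": "GET",
          "headers": {"Referer": "http://mail.example.test/"},
          "form": {"transferFunds": "5000"}}


def legitimate_request(session: dict) -> dict:
    return {"method": "POST",
            "headers": {"Referer": SITE_ORIGIN + "/WebGoat/transfer"},
            "form": {"transferFunds": "5000", "csrf_token": session["csrf_token"]}}
```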
Experiment Experience
This is the last experiment of the semester. It consisted of a number of exercises on the platform, which strengthened my understanding and practice of attack and defence from many aspects of the network. I hope that after this kind of practice I can further improve my skills.