20155216 EXP9 Web Security Fundamentals Practice

EXP9 the basic practice of Web security Fundamentals Answer 1, SQL injection attack principle, how to defend?

1.对用户的输入进行校验，可以通过正则表达式，双"-"进行转换等。2.不要使用动态拼装sql，可以使用参数化的sql或者直接使用存储过程进行数据查询存取。3.不要使用管理员权限的数据库连接，为每个应用使用单独的权限有限的数据库连接。4.不要把机密信息直接存放，加密或者hash掉密码和敏感的信息。5.应用的异常信息应该给出尽可能少的提示。6.采取辅助软件或网站平台来检测sql注入。

2, how to defend the principle of XSS attack?

在表单提交或者url参数传递前，对需要的参数进行过滤；检查用户输入的内容中是否有非法内容，如尖括号、引号等，严格控制输出。

3, CSRF attack principle, how to defend?

通过referer、token或者验证码来检测用户提交；尽量不要在页面的链接中暴露用户隐私信息，对于用户修改删除等操作最好都使用post操作；避免全站通用的cookie，严格设置cookie的域。

Practice content about Webgoat

• Webgoat is an application platform developed by the OWASP Organization for Web vulnerability experiments to illustrate security vulnerabilities in Web applications. Webgoat is running on a platform with a Java virtual machine, there are many training courses available, including XSS, thread safety, SQL injection, and so on, our experiment is on the Webgoat platform.

Enter open Webgoat in the terminal java -jar webgoat-container-7.0.1-war-exec.jar .

The results shown for webgoat are not installed.

Use sudo apt-get install default-jre the install default jre :

Download webgoat using the command wget https://s3.amazonaws.com/webgoat-war/webgoat-container-7.0-SNAPSHOT-war-exec.jar :

To run webgoat with a command java -jar webgoat-container-7.0-SNAPSHOT-war-exec.jar :

The result webgoat does not have any functionality.

Discover the reason is that there is no Java environment under Kali, you can refer to the Java Environment Installation installation Java environment:

Installation of the Java environment is complete.

Run java -jar webgoat-container-7.0-SNAPSHOT-war-exec.jar startup Webgoat again:

XSS attack 1, Phishing with XSS

The greatest charm of cross-site scripting attacks is to hijack the user's browser through HTML injection, arbitrarily construct the HTML content that the user currently browses, and even simulate the user's current operation. The experiment here is an attack that gets a username and password.

XSS attack found in webgoat open phishing with XSS (first):

Write a front-end code that contains the user name and password:

To enter this code into the input box, click Search to appear in the following login box:

Enter the user name and password in the login box:

2. Stored XSS Attacks

Our goal is to create illegal message content that can cause other users to load unexpected pages or content when they visit, this is easy ah, in the last experiment we have done, directly in the title to lose something, and then enter a string of code in the message, such as:

After clicking Submit, click on the message list under 20155216:

3. Reflected XSS Attacks

Reflective XSS, non-persistent, you need to deceive users to click the link to trigger the XSS code (the server does not have such a page and content), generally easy to appear in the search page.

Enter the contents in the Input box:

Click Purchase:

CSRF attack

CSRF (Cross-site request forgery), Chinese name: cross-site requests forgery, also known as: one click Attack/session Riding, abbreviated as: CSRF/XSRF.

The attacker steals your identity and sends a malicious request on your behalf. The things that CSRF can do include: Send mail in your name, message, steal your account, even buy goods, virtual money transfer ... Issues include: personal privacy breaches and property security.

1. Cross Site Request forgery (CSRF)

View the SRC and menu values in the parameters on the right side of the page.

In the message box, enter the code:

Click on the Issued 20155216:

Show that the attack was successful.

2, CSRF Prompt By-Pass

In the message box, enter the code:

<iframe src="attack?Screen=src值&menu=menu值&transferFunds=转账数额"> </iframe><iframe src="attack?Screen=src值&menu=menu值&transferFunds=CONFIRM"> </iframe>

The attack was successful.

Injection Flaws

SQL injection, by inserting a SQL command into a Web form to submit or entering a query string for a domain name or page request, eventually achieves a malicious SQL command that deceives the server. Specifically, it is the ability to inject (malicious) SQL commands into the background database engine execution using existing applications, which can be obtained by entering (malicious) SQL statements in a Web form to a database on a Web site that has a security vulnerability, rather than executing the SQL statement as the designer intended.

1. Command Injection

This question is required to be able to execute the system command on the target host, we can change the source code through an extension Firebug (the logo of the bug in the top right corner) under Firefox browser, if no firebug, can be downloaded, installed, added in the Firefox Add tool. For example, add "& Netstat-an & ipconfig" next to Backdoors.help:

Select the modified value and point to view, you can see the command is executed, the system network connection situation:

2. Numeric SQL Injection

We're going to look at all the weather data by injecting a SQL string, and we've done something like this last time, as long as we add a 1=1 to our goal, we still use Firebug to add or 1=1 to any value like 101:

Check Columbia, click Go to see all weather data:

3. Log Spoofing

The user name we entered will be appended to the log file, so we can use a decoy to use a user named "admin" in the log to display "successful login" in the User Name text box entered lx%0d%0aLogin Succeeded for username: admin , where%0d is a carriage return,%0a is a newline character:

The attack was successful.

4. String SQL Injection

Construct the SQL injection string based on the SELECT statement and enter it in the text box ‘ or 1=1 -- :

5. Database backdoors

First lose a 101, get the user's information:

You can find that the input statement is not validated, it is easy to do SQL injection, input injection statement: 101; update employee set salary=5216 , successfully adjusted the user's work to 5216:

Next use the statement to 101;CREATE TRIGGER lxBackDoor BEFORE INSERT ON employee FOR EACH ROW BEGIN UPDATE employee SET email=‘[email protected]‘ WHERE userid = NEW.userid create a backdoor that overwrites all mailboxes and user IDs in the table:

Show injection success.

Experiment Summary and experience

The experiment part of time spent on the installation of Java environment and on the installation of Webgoat, may be used Kali source has problems, each environment debugging will take a lot of time.
Through the study and practice of various attacks on webgoat, I have mastered a lot of attack methods, previously just learned the corresponding theoretical knowledge, and in this experiment to get hands-on, or very interesting. The main practice areas of this experiment are the three most common attacks: XSS attacks, CSRF attacks, and SQL injection attacks. The three attacks have gained a deeper understanding through practice, and will later try to practice more attack types and conduct more in-depth research on the attacks of interest.

20155216 EXP9 Web Security Fundamentals Practice