20155236 Fanchen Song: Web Security Basics Practice
Contents
- Practical goals
- WebGoat
- Burp Suite
- Injection Flaws
- Cross-site Scripting (XSS)
- Summary
Practical goals
- (1) Understand the basic principles of common network attack techniques.
- (2) Practise them in the WebGoat exercises.
WebGoat
- WebGoat is a deliberately flawed Java EE web application maintained by the well-known OWASP project. Its flaws are not accidental bugs; they are designed for teaching web application security. The application provides a realistic teaching environment and gives hints to users as they complete the lessons.
- Because WebGoat is Java-based, it is platform independent and runs on many operating systems; the system used for this experiment is a Kali machine.
- Run the packaged jar by entering the following command on the command line:
java -jar webgoat-container-7.0.1-war-exec.jar
- WebGoat listens on port 8080 by default, so you can confirm it has started by looking for this prompt:
INFO: Starting ProtocolHandler ["http-bio-8080"]
Burp Suite
- Burp Suite is an integrated platform for attacking web applications. It contains a number of tools and provides many interfaces between them to speed up the process of attacking an application.
- Configuring the local Burp Suite proxy: go to Proxy -> Options, click Add, and set the proxy IP and port (I set 127.0.0.1 and 8088); after adding it, make sure the listener is running.
- In the browser (Firefox, for example): Preferences -> Advanced, choose Settings, tick Manual proxy configuration, and enter the IP and port you just set.
- Then go to Proxy -> Intercept and click "Intercept is off" to enable interception.
Injection Flaws
Command Injection
- This lesson's page executes a system command and returns its output to the user, so you should add a shell command to the request so that ifconfig is executed as well.
- Specifically, use Burp Suite (introduced above) to intercept the request and change its parameter to (mine is):
AccessControlMatrix.help"& ifconfig"
- This makes the server execute both instructions; the output of ifconfig appears at the bottom of the page. Success.
Numeric SQL Injection
- Requirement: use SQL injection so that the weather of every city can be found.
- The idea is also very simple: construct an always-true condition, and all records are returned.
- You can either modify the request with Burp Suite as in the previous exercise, or press F12 and edit the page source directly: find the option value and change it to: 101 or 1=1
- Click Go to see every city's weather. Success.
Log Spoofing
- The task in this lesson is to craft a username string: the page writes a failed-login entry containing the username you entered, so our goal is to make the log appear to show that your login succeeded.
- So construct the following statement in the username field:
gq%0d%0aLogin Succeeded for username: admin
Lab: SQL Injection
Stage 1: String SQL Injection
- According to the description, you must be able to log in successfully without knowing the password.
- That can only be done with SQL injection: use SQL syntax with a single quote ' before and after to close the string and form an always-true condition. The problem is fairly basic and there are many ways to construct the payload; the one I use is 'or 1='1
- Note: if you type the full always-true string directly, it exceeds the character length limit of the field; the usual always-true payload is longer than the 8-character limit, so you have to press F12, view the source, and enlarge the maximum length of the password input before injecting. Alternatively, construct a password that closes the quotes as compactly as possible, like my password, which is exactly 8 characters.
- To obtain the privileges, it is best to choose Admin login; the column on the left will then show the success prompt.
Stage 2: Parameterized Query #1
- I did not manage to complete this one; eventually I found that the lesson contains the following sentence, so perhaps it only works in the developer version:
This LESSON only WORKS with the DEVELOPER VERSION of WEBGOAT
Stage 3: Numeric SQL Injection
- Task: log in to Larry's account, but view the boss's information.
- So first, use the universal key from Stage 1 to obtain Larry's access. We can then click ViewProfile to see the relevant information, which of course only shows Larry's own record at this point.
- Looking at how it works, it is not hard to see that this is the same as before: viewing the boss's information is essentially querying the database for the boss's record and outputting it, so the request can still be injected. The difference is that there is no input box for the injected string, so we have to use Burp Suite as described above to intercept the request at this moment, construct the SQL request parameter, and change the value of employee_id to: 101 or 1=1
- But after testing it still shows Larry's information. My guess is that the page is too small and only shows one record? I can inject all the records this way, so how do I make the first one output be the boss's information that we want?
- Looking carefully at Larry's profile table you can see a Salary field, which means the table contains that column. Since the boss is paid the most, I can use salary as the condition and sort the query results, structuring the SQL parameter as follows:
101 or 1=1 order by salary desc
- Success: the boss's salary is 450k. He is the boss, after all!
Stage 4: Parameterized Query #2
- Like Stage 2, this only succeeds on the developer version.
String SQL Injection
- Requirement: you must enter the correct last name to log in.
- Obviously I know nothing about it, so I can only try the universal key; as described above, enter:
'or 1='1
- Success: because the condition is always true, every user's information is shown.
Database Backdoors
- The lesson asks you to use a multi-statement SQL injection to update the data table.
- Based on the multi-statement injection exercises in the previous blog post, set the following SQL statement here:
101; update employee set salary=10000
- The salary of every person in the table has been updated to 10000. Success.
- That was the first step. The second, more advanced step is to insert a backdoor: the backdoor below is a trigger that, whenever a new user is created, automatically changes the user's email to your mailbox:
101; CREATE TRIGGER myBackDoor BEFORE INSERT ON employee FOR EACH ROW BEGIN UPDATE employee SET email='[email protected]' WHERE userid = NEW.userid
Blind Numeric SQL Injection
- Numeric blind injection: sometimes an SQL injection exists but does not directly return the information we need. In that case we can still infer it from whether a condition in the SQL statement is true or false, which is blind injection.
- For example, we know a card number cc_number=1111222233334444 but want to know its pin in the pins table. Blind injection lets us discover it by entering:
101 AND ((SELECT pin FROM pins WHERE cc_number='1111222233334444') > 10000 );
- Open Burp Suite to listen and capture the first request. Because we need to try again and again, we can use the tool to brute force it.
- Right-click the message, select Send to Intruder, and make the following settings in Intruder:
- In Target, set the host to the local IP address and the port number, i.e. the address and port of WebGoat.
- In Positions, select Sniper mode, then use the cursor to select the variable to brute force, here the value after account_number, and click Add on the right (click Clear All first to clear the existing markers).
- In Payloads, select the Numbers type, set the range of values, and set the step to 1, so that the exact value at which the response changes can be pinpointed.
- In Options, click Start attack.
- Find the value at which the response size changes: 2364. Log in with 2364; success!
Cross-site Scripting (XSS)
Phishing with XSS
Stored XSS Attacks
- This is the most typical example of stored XSS: because user input is not encoded, user A can enter anything, and when user B clicks on user A's message the XSS is triggered and B is hit.
- Here's how it's done:
- The Title can be any input; from a first attempt you can see that the input is saved as a hyperlink on this page, and clicking it displays the content.
- In the Message field you can embed a section of JS code, which is triggered when the user clicks, for example:
<script>alert("20145221 attack succeed!");</script>
Reflected XSS Attacks
- From the lesson description this is a reflected XSS attack. Like the first one, the interactive input location has an XSS vulnerability, and constructing a script directly launches the attack; for example, entering the following code succeeds:
<script>alert("20145221 attack succeed!");</script>
Cross Site Request Forgery (CSRF)
- This is an example combining stored XSS with CSRF. CSRF is impersonating a logged-in user and forging a request with code.
- Here the CSRF malicious code is placed on the web page through stored XSS: in the message input, construct the malicious code as follows:
<iframe src="attack?Screen=504&menu=900&transferFunds=5000"></iframe>
- When the user clicks this message, the request is triggered and the page shows that 5000 yuan has been transferred.
- Note: the values of the Screen and menu parameters above must match those displayed on the right side of the site.
- If you want the user not to notice, set the width and height of the <iframe> to 1 pixel so that it is invisible.
Summary
The principle of SQL injection attacks and how to defend against them
- SQL injection inserts SQL commands into a web form submission or into the query string of a domain name or page request, so that the server is deceived into executing a malicious SQL command.
- Specifically, it abuses an existing application to inject (malicious) SQL commands into the back-end database engine for execution: by entering (malicious) SQL statements into a web form of a site with the vulnerability, the attacker gets the database to execute those statements rather than the SQL the designer intended.
Defense
- Check the variable's data type and format
- If your SQL statement looks like where id={$id} and all IDs in the database are numbers, then check that the variable id is of int type before the SQL is executed. If you accept an email address, check strictly that the variable matches the email format; other types such as date and time are handled the same way. In summary: for any variable with a fixed format, check it strictly against that format before the SQL statement executes, to ensure variables are in the format we expect; this avoids most SQL injection attacks.
- Filter special symbols
- For variables whose format cannot be fixed, filtering or escaping special symbols is a must. In PHP, for example, the addslashes function is usually used; it adds a backslash before each of the predefined characters: single quote ('), double quote ("), backslash (\) and NUL.
- Bind variables, using prepared statements
- MySQL's mysqli driver supports prepared statements, and each programming language has its own way of using them.
- The advantage of this is that if I enter the password:
'or 1='1
then it is treated only as a password and is not associated with the rest of the SQL statement's structure.
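The three defenses above, as an added example that is not part of the original post: a constructed in-memory table (the names and salaries are assumptions, not WebGoat's real data), a concatenated login query beside its prepared-statement form, and the numeric-ID format check from the Stage 3 profile lookup. SQLite is used here; it treats 1 and '1' as different types, so the string payload is written as ' or '1'='1 (in MySQL the page's 'or 1='1 behaves the same way).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table for the demo, not WebGoat's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (userid INTEGER, last_name TEXT, password TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)",
                     [(101, "Larry", "larry", 55000), (112, "Boss", "boss", 450000)])
    return conn


def login_vulnerable(conn: sqlite3.Connection, last_name: str, password: str) -> list:
    # String concatenation: a quote in the input becomes part of the SQL text,
    # so the WHERE clause can be reshaped into an always-true condition.
    sql = ("SELECT userid FROM employee WHERE last_name = '" + last_name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, last_name: str, password: str) -> list:
    # Bound parameters: the values travel separately from the statement text,
    # so a quote in the password is just one more character of the password.
    sql = "SELECT userid FROM employee WHERE last_name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (last_name, password))]


def is_valid_employee_id(raw_id: str) -> bool:
    """Fixed-format check: an employee id must consist of digits only."""
    return raw_id.isdigit()


def profile_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    # Numeric parameter concatenated without a type check (the Stage 3 flaw).
    return [row[0] for row in conn.execute("SELECT last_name FROM employee WHERE userid = " + raw_id)]


def profile_safe(conn: sqlite3.Connection, raw_id: str) -> list:
    # Check the format first, then bind the value as an integer.
    if not is_valid_employee_id(raw_id):
        raise ValueError("employee_id must be an integer")
    return [row[0] for row in conn.execute("SELECT last_name FROM employee WHERE userid = ?", (int(raw_id),))]
```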
The principle of XSS attacks and how to defend against them
- A malicious attacker inserts malicious script code into a web page, and the program does not filter the user's input; when a user browses that page, the script code embedded in the page is executed, achieving the attacker's particular purpose.
Defense
- One way is to filter the required parameters before the form is submitted or the URL parameters are passed.
- On input, perform reliable validation of everything the user submits, including URLs, query keywords, HTTP headers, POST data and more.
- On output, wrap user-supplied content in <XMP> tags; the contents of the tag are not interpreted but displayed directly.
- Strictly limit the number of input characters: XSS code is often long, so controlling the character count helps.
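The output-side defense, as an added example that is not part of the original post: since <xmp> is obsolete in HTML5, the standard approach shown here is HTML entity encoding at output time, applied to the lesson's stored-XSS payload, together with the length limit the page recommends (the 200-character limit and the page layout are assumptions).

```python
import html

# Constructed sample input: the stored-XSS payload used in the lesson above.
SCRIPT_PAYLOAD = '<script>alert("20145221 attack succeed!");</script>'
MAX_MESSAGE_LEN = 200  # assumed limit, following the page's advice to cap input length


def is_valid_length(message: str) -> bool:
    return len(message) <= MAX_MESSAGE_LEN


def render_message(title: str, message: str) -> str:
    """Build the HTML for one stored message, entity-encoding every user-controlled value.

    Encoding happens at output time, for both the attribute context (title="...")
    and the element-body context, so a stored '<script>' is shown as text rather
    than parsed as a tag. quote=True also encodes the quote characters.
    """
    if not is_valid_length(message):
        raise ValueError("message too long")
    safe_title = html.escape(title, quote=True)
    safe_message = html.escape(message, quote=True)
    return (f'<a href="#" title="{safe_title}">{safe_title}</a>'
            f'<p>{safe_message}</p>')


def has_raw_tag(fragment: str, tag: str = "script") -> bool:
    """True if the fragment still contains an unencoded opening of the given tag."""
    return f"<{tag}" in fragment.lower()
```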
The principle of CSRF attacks and how to defend against them
- Cross-site request forgery: an attacker steals your identity and sends a malicious request in your name.
- Things CSRF can do include sending mail or messages in your name, stealing your account, and even buying goods or transferring virtual money.
- The harms include breaches of personal privacy and of property security.
Defense
- Verification code
- A verification code can be added to certain sensitive operations to confirm the user's identity.
- Token
- The root cause of CSRF succeeding is that the attacker can guess every parameter of the operation. Knowing the root cause, the remedy is to use a token: when passing parameters to the server, include the token. The token is a random value held by both the server and the user. When the user submits a form carrying the token value, the server can verify that the token in the form and the one in the session match.
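The token check, as an added example that is not part of the original post: a minimal server-side handler for the transferFunds request from the CSRF lesson above, with an in-memory session store standing in for the real one (the session layout, parameter name csrf_token and response strings are assumptions). A forged request like the lesson's iframe carries no token, so it is rejected; only the legitimate form, which embeds the session's own token, goes through.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed in-memory stand-in for server-side session storage.
SESSIONS: dict = {}


def new_session() -> str:
    """Create a session and give it a fresh random CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    # The legitimate form embeds this value as a hidden field; a page on another
    # origin cannot read it, so it cannot build a request that passes the check.
    return SESSIONS[sid]["csrf_token"]


def handle_transfer(sid: str, query_string: str) -> str:
    """Process a transferFunds request such as the one in the lesson's iframe."""
    session = SESSIONS.get(sid)
    if session is None:
        return "rejected: no session"
    params = parse_qs(query_string)
    submitted = params.get("csrf_token", [""])[0]
    # Constant-time comparison of the form token with the session token;
    # a missing token compares as an empty string and fails.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return "rejected: bad csrf token"
    amount = int(params.get("transferFunds", ["0"])[0])
    return f"transferred {amount}"
```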
Experimental Thoughts
- In the security field, the colour of a hat is generally used to describe whether a hacker is good or evil; "white hats" and "black hats" are two completely opposed groups. A black hat only needs to find one point in the system to achieve the intrusion, whereas a white hat must find every point at which their own system can be breached in order to keep it running safely.
- It seems unfair, but that is how the rules of the security world work: perhaps 99% of our site is well armed and carefully thought out, but as long as 1% has been neglected, an attacker who exploits that 1% is sure to make a breakthrough, and our other 99% was in vain.