20155321 "Network Attack and Defense" EXP9: The Foundations of Web Security
- SQL injection attack principle, how to defend
    - Principle: append additional SQL to the end of a predefined SQL statement (usually a comment marker or a tautology, i.e. an always-true condition) so that arbitrary queries execute and return the corresponding data
    - Defense: in the back end, limit the length of the input and prohibit special symbols such as `--` in user input
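The defense that actually removes the problem is to keep user input out of the SQL text altogether. The following is an added example (not code from this report or from WebGoat) that puts the concatenated query from the exercises beside a parameterized one, using Python's sqlite3 module; the table and column names come from the exercises on this page, the rows and the second weather_data lookup (the numeric case from exercise 3) are constructed for the example. The page's payload is `' or 1='1`; SQLite compares the integer 1 and the text '1' as unequal, so the text-only form `' or '1'='1` is used to show the same effect.

```python
import sqlite3

# Constructed sample rows standing in for WebGoat's user_data and weather_data tables;
# the table/column names are taken from the exercises on this page, the rows are invented.
USER_ROWS = [
    (101, "John", "Smith", "1111222233334444"),
    (102, "Joe", "Snow", "2222333344445555"),
    (103, "Jane", "Plane", "3333444455556666"),
]
WEATHER_ROWS = [(101, "Columbia"), (102, "Seattle"), (103, "New York")]

# Same idea as the exercise's ' or 1='1, written so that SQLite also evaluates it as true.
PAYLOAD = "' or '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (userid INTEGER, first_name TEXT, "
                 "last_name TEXT, cc_number TEXT)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?, ?)", USER_ROWS)
    conn.execute("CREATE TABLE weather_data (station INTEGER, name TEXT)")
    conn.executemany("INSERT INTO weather_data VALUES (?, ?)", WEATHER_ROWS)
    return conn


def lookup_vulnerable(conn, last_name):
    """String concatenation: whatever the user typed becomes part of the SQL text."""
    sql = "SELECT * FROM user_data WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, last_name):
    """Bound parameter: the input is compared as data; quotes inside it have no SQL meaning."""
    sql = "SELECT * FROM user_data WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


def weather_vulnerable(conn, station_text):
    """Numeric case from exercise 3: '101 or 1=1' is spliced straight into the WHERE clause."""
    sql = "SELECT * FROM weather_data WHERE station = " + station_text
    return conn.execute(sql).fetchall()


def weather_parameterized(conn, station_text):
    """Validate the type first (a station id must be an integer), then bind it."""
    station = int(station_text)  # raises ValueError for '101 or 1=1'
    sql = "SELECT * FROM weather_data WHERE station = ?"
    return conn.execute(sql, (station,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(len(lookup_vulnerable(conn, PAYLOAD)), "rows from the concatenated query")
    print(len(lookup_parameterized(conn, PAYLOAD)), "rows from the parameterized query")
    print(len(weather_vulnerable(conn, "101 or 1=1")), "rows from the concatenated numeric query")
```

Length limits and symbol blacklists, as described above, only make the payload harder to type; the parameterized version returns zero rows for the payload no matter how it is spelled, and the integer check rejects the numeric payload before any SQL is built.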
- The principle of XSS attack, how to defend
    - Principle: XSS is mainly divided into stored and reflected types. In stored XSS, the data used for the attack is saved in the database and later returned to clients; if it has not been escaped and the browser renders it, an XSS attack results. In reflected XSS, the attack data is sent in the user's own input; it is neither stored in the back end nor filtered, but returned directly to the client, and when the browser renders it an XSS attack results.
    - Defense: filter and escape data on the way from input to output
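Escaping at output time, in the context the data lands in, is what the defense above amounts to in practice. The following is an added example (not part of this report or of WebGoat) that uses the payload from exercises 6 and 7 against a toy message board rendered once without escaping and once with `html.escape`; the board class, the search page and the header set are constructed for the example.

```python
import html

# Payload from the Stored/Reflected XSS exercises on this page.
PAYLOAD = '<script>alert("20155321linruting");</script>'


class MessageBoard:
    """Toy stand-in for the exercise's message board (constructed for this example)."""

    def __init__(self):
        self._messages = []

    def post(self, title, message):
        # Stored XSS: the raw text is saved as typed. Escaping belongs at output time,
        # because the same text may later be rendered in different contexts.
        self._messages.append((title, message))

    def render_vulnerable(self):
        """Interpolates the stored text straight into the HTML."""
        return "".join(f"<h3>{t}</h3><p>{m}</p>" for t, m in self._messages)

    def render_escaped(self):
        """Escapes &, <, >, " and ' so the browser shows the text instead of running it."""
        return "".join(f"<h3>{html.escape(t)}</h3><p>{html.escape(m)}</p>"
                       for t, m in self._messages)


def render_search_page(term):
    """Reflected case: the search term is echoed both inside an attribute and as text.
    quote=True matters for the attribute: an unescaped " would end the value early."""
    safe = html.escape(term, quote=True)
    return f'<input name="q" value="{safe}"><p>Results for {safe}</p>'


def security_headers():
    """Defense in depth: a CSP without 'unsafe-inline' means an injected inline <script>
    is not executed even if escaping is missed somewhere."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }


def has_script_tag(rendered):
    """Crude marker check used here only to contrast the two renderings."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    board = MessageBoard()
    board.post("hello", PAYLOAD)
    print("vulnerable rendering contains <script>:", has_script_tag(board.render_vulnerable()))
    print("escaped rendering contains <script>:", has_script_tag(board.render_escaped()))
    print(render_search_page(PAYLOAD))
```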
- CSRF attack principle, how to defend
    - Principle: when the user logs in to site A with a user name and password and verification succeeds, site A generates cookie information and returns it; the user is now logged in to site A and can send requests to it. If, before leaving site A, the user visits another site B, site B may return some malicious code that requests site A, so a request is made to site A at B's behest. Site A does not know the request is malicious, so it still carries out the malicious request.
    - Defense: I think you should try not to write private information into page links. Use the POST method rather than GET for actions such as form submission. Avoid using cookies that are shared across the whole site.
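The standard way to make site A tell a genuine request from one triggered by site B is a per-session token that B cannot read, checked on every state-changing request. The following is an added example (not code from this report or from WebGoat): the token is an HMAC of the session id under a server secret, the form always uses POST, and the session cookie is marked SameSite so the browser does not attach it to the kind of cross-site `<iframe>` GET used in exercises 8 and 9. The request dict, the cookie name JSESSIONID and the form layout are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret, generated at start-up (constructed for this example).
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Token bound to the login session: HMAC(secret, session_id).
    A page on site B can make the browser send a request to site A, but it cannot
    read this value, because the same-origin policy keeps A's pages out of B's reach."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_transfer_form(session_id):
    """The genuine form carries the token as a hidden field and always uses POST."""
    return ('<form method="post" action="transfer">'
            f'<input type="hidden" name="csrf_token" value="{issue_csrf_token(session_id)}">'
            '<input name="transferFunds"><input type="submit"></form>')


def session_cookie_header(session_id):
    """Defense in depth: SameSite=Lax stops the browser attaching the cookie to cross-site
    requests made by embedded <iframe>/<img> elements (only top-level GET navigations keep it).
    JSESSIONID is an assumed cookie name."""
    return f"Set-Cookie: JSESSIONID={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def is_state_change_allowed(request, session_id):
    """Accept a state-changing request only if it is a POST carrying the token for *this* session.
    `request` is a plain dict with 'method' and 'form' keys, a constructed stand-in for a
    framework request object."""
    if request.get("method") != "POST":
        return False  # the exercises trigger the transfer with a GET from an <iframe src=...>
    token = request.get("form", {}).get("csrf_token")
    if not token:
        return False
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(token, expected)  # constant-time comparison


if __name__ == "__main__":
    sid = "sess-A"
    legit = {"method": "POST", "form": {"transferFunds": "5000", "csrf_token": issue_csrf_token(sid)}}
    forged_get = {"method": "GET", "form": {"transferFunds": "5000"}}
    forged_post = {"method": "POST", "form": {"transferFunds": "5000"}}
    print(is_state_change_allowed(legit, sid), is_state_change_allowed(forged_get, sid),
          is_state_change_allowed(forged_post, sid))
    print(session_cookie_header(sid))
```

A token copied from a different session is rejected as well, because the HMAC input includes the session id; rotating `SERVER_SECRET` invalidates all outstanding tokens at once.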
The experimental process: starting WebGoat
- Enter `java -jar webgoat-container-7.1-exec.jar`
- When the following information appears, the start-up succeeded
- In the browser enter `localhost:8080/WebGoat` and log in with the webgoat account
1. SQL String Injection
- Use SQL injection to view the ID card numbers. As prompted, query for the last name `Smith`: the statement `SELECT * FROM user_data WHERE last_name = 'Smith'` returns all the information for people named Smith
- As can be seen, it is easy to obtain the ID card number of the person named Smith
- A tautology can also be constructed: entering `' or 1='1` turns the statement into `SELECT * FROM user_data WHERE last_name = '' or 1='1'`, which means querying for last_name = '' OR 1='1'; because 1='1' is always true, the query executes against every row
2. Log Spoofing
- In the `User Name` text box, enter `lrt%0d%0aLogin succeeded !admin` to achieve the spoofed login effect; success is shown below:
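The forged line works because the server percent-decodes `%0d%0a` into a real CR LF and then writes the user name into the log untouched. The following is an added example (not code from this report or from WebGoat) that decodes the exercise's input, shows the unneutralized log line splitting into two records, and then shows a log writer that escapes control characters and caps the field so one input always stays one line. The log formats are constructed for the example.

```python
import urllib.parse

# Input from the Log Spoofing exercise on this page.
ATTEMPT = "lrt%0d%0aLogin succeeded !admin"


def decode_form_field(raw):
    """The web server percent-decodes the form field, so %0d%0a becomes a real CR LF."""
    return urllib.parse.unquote(raw)


def log_line_vulnerable(username):
    """Vulnerable: user-controlled text is written into the log as-is."""
    return f"Login failed for username: {username}"


def neutralize_for_log(value):
    """Replace every control character with a visible \\xNN escape so the input cannot
    start a new log record or hide text with backspaces/escape sequences."""
    out = []
    for ch in value:
        if ord(ch) < 0x20 or ch == "\x7f":
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(ch)
    return "".join(out)


def log_line_hardened(username, max_len=64):
    """Hardened: neutralize, quote the field and cap its length (limit is an assumed value)."""
    return f'Login failed for username: "{neutralize_for_log(username)[:max_len]}"'


def count_records(log_text):
    """A line-oriented log reader sees one record per line."""
    return len(log_text.splitlines())


if __name__ == "__main__":
    name = decode_form_field(ATTEMPT)
    print(repr(log_line_vulnerable(name)), "->", count_records(log_line_vulnerable(name)), "records")
    print(repr(log_line_hardened(name)), "->", count_records(log_line_hardened(name)), "record")
```

Structured logging (one JSON object per event, with the user name as a string value) achieves the same separation without hand-written escaping, and is the better choice when the logging stack supports it.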
3. Numeric SQL Injection
- The selection box for this exercise is a drop-down list that cannot be edited, so use Burp Suite to intercept the request and modify it
- Open Burp Suite on the Kali desktop and add a listening port under `Proxy->Options->Add`; set the bound port to 5321 and confirm. A new line appears under Options; tick it
- In Firefox open the menu at the top right, select Preferences -> Advanced -> Network, and in the Connection row click Settings
- Set the proxy server and port in the pop-up window
- After the proxy is set up, return to the exercise page and click Go, then switch to Burp Suite and select Proxy->Intercept; the captured request is visible:
- Right-click, choose `Send to Repeater`, go to the Repeater tab, and under Params change the value of station to `101 or 1=1`; click Go, and the response on the right shows the SQL statement as `SELECT * FROM weather_data WHERE station = 101 or 1=1`
- Go back to Proxy, click `Intercept is on` so that it toggles off and the remaining requests pass through unprocessed, and return to Firefox; the exercise shows success
4. Command Injection
- The selection box for this exercise is again a drop-down list that cannot be edited on the page, so modify the request with Burp Suite
- Click View on the exercise page, switch to Burp Suite, and on the Repeater tab run the request under Params first to see where the data is submitted; the result shows the attack succeeded.
5. Phishing with XSS (cross-site scripting phishing attack)
- Find the XSS attacks in WebGoat and open `Phishing with XSS`
- Enter the following code in the input box and click Search; a Login box appears:
- In the Login box enter a user name and password and click; the box that pops up contains the user name and password just entered, so the attack succeeded
6. Stored XSS Attacks (stored-type XSS attack)
- Open `Stored XSS Attacks`
- In the `Message` box enter `<script>alert("20155321linruting");</script>`
- After submitting, a dialog box appears, as shown below; the attack succeeded
7. Reflected XSS Attacks (reflected XSS attack)
- Open the third XSS exercise
- In the `code` box enter `<script>alert("20155321linruting");</script>`
- Click `Purchase`; the dialog box appears and the attack succeeded
8. Cross Site Request Forgery (CSRF)
- Open CSRF
- View the src and menu values in the page parameters
- Enter the student number in the `title` box and the code in the `message` box
- Submit; it appears as the link 20155321
- Click the name to view the user's operation information; the attack succeeded
9. CSRF Prompt By-Pass
- Open `CSRF Prompt By-Pass`
- View the src and menu values in the parameters on the right side of the page, enter the student number in the Title box, and enter the following code in the Message box: `<iframe src="attack?Screen=[src value]&menu=[menu value]&transferFunds=[transfer amount]"> </iframe><iframe src="attack?Screen=[src value]&menu=[menu value]&transferFunds=CONFIRM"> </iframe>`
- Submit; it appears as the link 20155321
- Click the name to view the user's operation information; the attack succeeded
10. Lab: SQL Injection
- Use the `firebug` tool to display the source code of the current page and modify it directly
- Log in as the user `Neville`, entering `' or 1=1 --` in the password field for SQL injection. I thought it would succeed, but Login failed; checking the source showed that the input box limits the length of the input to a maximum of 8 characters.
11. Blind Numeric SQL Injection
- After entering `101` in the input box, `Account number is valid` is returned, indicating that the number is legal
- Construct the input `101 AND ((SELECT pin FROM pins WHERE cc_number='1111222233334444') > [value] );` and determine the legal range from the returned result
- Testing by bisection determines the value to be 2364; entering 2364 completes the exercise
12. Database Backdoors
- Enter 101 to obtain the user's information
- Enter the statement `101; update employee set salary=666666` again; it succeeds in changing the user's salary to 666666, as shown:
- Enter the statement `101 or 1=1;CREATE TRIGGER myBackDoor BEFORE INSERT ON employee FOR EACH ROW BEGIN UPDATE employee SET email='[email protected]' WHERE userid = NEW.userid` again; whenever a new user is inserted into the table, that user's mailbox becomes the one set here
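Both steps of this exercise depend on two things at once: the user id being concatenated into the query, and the database layer accepting more than one statement per call from an account that may UPDATE and CREATE TRIGGER. The following is an added example (not code from this report or from WebGoat) that contrasts an API which runs whole scripts with one that accepts exactly one statement, and then shows the least-privilege angle with a read-only connection, using SQLite's `query_only` pragma in place of a database account that lacks write rights. The employee table is constructed; only the `salary` and `email` columns come from the page's statements.

```python
import sqlite3

# Constructed stand-in for the exercise's employee table; column names other than
# salary and email are assumed. Addresses use the reserved .invalid TLD.
EMPLOYEES = [(101, "Larry", 55000, "larry@example.invalid"),
             (102, "Moe", 50000, "moe@example.invalid")]

# Input from the Database Backdoors exercise on this page.
BACKDOOR_INPUT = "101; update employee set salary=666666"


def make_employee_db(read_only=False):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (userid INTEGER, first_name TEXT, "
                 "salary INTEGER, email TEXT)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", EMPLOYEES)
    conn.commit()
    if read_only:
        # Least privilege: a lookup screen needs SELECT only. With a real database server
        # this is a dedicated account without UPDATE/CREATE rights; SQLite's query_only
        # pragma plays that role for this in-memory example.
        conn.execute("PRAGMA query_only = 1")
    return conn


def salary_of(conn, userid):
    return conn.execute("SELECT salary FROM employee WHERE userid = ?", (userid,)).fetchone()[0]


def lookup_with_executescript(conn, userid_text):
    """Vulnerable: concatenation plus an API that runs every statement it is handed,
    so the trailing UPDATE (or CREATE TRIGGER) runs with the application's rights."""
    try:
        conn.executescript("SELECT * FROM employee WHERE userid = " + userid_text)
        return "executed"
    except sqlite3.OperationalError as exc:  # e.g. 'attempt to write a readonly database'
        return "blocked: " + str(exc)


def lookup_with_execute(conn, userid_text):
    """Still concatenated (do not do this), but execute() accepts exactly one statement,
    so the second statement is refused. Python versions differ on the exception class."""
    try:
        conn.execute("SELECT * FROM employee WHERE userid = " + userid_text).fetchall()
        return "executed"
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return "blocked: more than one statement"


def lookup_safe(conn, userid_text):
    """The actual fix: validate the type, bind the value, one statement per call."""
    return conn.execute("SELECT * FROM employee WHERE userid = ?",
                        (int(userid_text),)).fetchall()


if __name__ == "__main__":
    conn = make_employee_db()
    print(lookup_with_execute(conn, BACKDOOR_INPUT), "-> salary", salary_of(conn, 101))
    print(lookup_with_executescript(conn, BACKDOOR_INPUT), "-> salary", salary_of(conn, 101))
    ro = make_employee_db(read_only=True)
    print(lookup_with_executescript(ro, BACKDOOR_INPUT), "-> salary", salary_of(ro, 101))
```

The single-statement API and the read-only connection are both backstops: they limit the damage when a concatenation slips through, while `lookup_safe` is the version that should be written in the first place.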
Experimental experience
- I think I gained a lot from this experiment. Carrying out SQL injection, XSS attacks, CSRF and so on in WebGoat went relatively smoothly, and I think that when working through the principles and operations in WebGoat you can also look at the hints on the web page; although they are in English, at our current English level we can understand the gist, and if something really is not clear, putting it into Baidu Translate is no problem either ~