201453331 Wei: Web Security Fundamentals Practice
I. Experimental process
1. Open WebGoat
2. Injection flaws practice
Command Injection
The original page had no place to inject, so I used Burp Suite (the setup steps are written in great detail in other people's blogs, so I won't repeat them), analyzed the first packet to see where the submitted data goes, found it, injected the command, and succeeded. The command I injected was AccessControlMatrix.help "&&ifconfig", which executed the ifconfig command; to prove that this was my own operation, I took a screenshot:
Numeric SQL Injection
The steps are almost exactly the same as for command injection; finally, we change the station value from 101 to (101 or 1 = 1). We know that (x or 1) is true regardless of what the preceding x is, so the change succeeded.
Log Spoofing
The user name entered is appended to the log file, so we can use a decoy: make the log show a "successful login" for a user named "admin". Enter Wsc%0d%0aLogin succeeded for username: admin in the User name text box, where %0d is the carriage return and %0a is the line feed. Success.
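To show what the %0d%0a trick actually does to a log file, and what the server-side fix looks like, here is an added Python example (not part of the original lab or of WebGoat). The log message format and the input value are constructed for this example; the point is that after URL decoding the input contains a real CR LF, so a logger that writes the raw value emits two lines, while a logger that encodes control characters always emits exactly one.

```python
import re
from urllib.parse import unquote

# Constructed payload: %0d%0a is URL-encoded CR LF, which the web server
# decodes before the value ever reaches the log writer.
SPOOF_INPUT = unquote("Wsc%0d%0aLogin succeeded for username: admin")

# Matches every ASCII control character (including CR, LF and DEL).
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def log_line_naive(username):
    """Writes the raw value; an embedded CR/LF starts a second, attacker-chosen line."""
    return "Login failed for username: " + username


def log_line_safe(username):
    """Encodes control characters so one input always produces exactly one log line."""
    cleaned = CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), username)
    return "Login failed for username: " + cleaned


def count_entries(log_text):
    """Number of non-empty lines a log reader would see in the given text."""
    return len([line for line in log_text.splitlines() if line.strip()])


if __name__ == "__main__":
    print(repr(log_line_naive(SPOOF_INPUT)))   # two lines: the fake 'admin' login is separate
    print(repr(log_line_safe(SPOOF_INPUT)))    # one line: the CR LF is visible as \x0d\x0a
```

The same escaping step belongs anywhere untrusted text is written to a line-oriented sink (syslog, audit trails, CSV exports); escaping rather than silently deleting the characters also leaves evidence of the attempt in the log.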
String SQL Injection
Use the always-true (x or 1) = 1, plus two semicolons to close the front and back of the semicolon, as input; it succeeds.
Lab:sql Injection (Stage 1:string SQL injection)
Using the previous input, the attempt failed! Press F12 to view the page source, find the Password input box, and you will find that it limits the length (maxlength=8); change it to 50 and it succeeds.
Lab:sql Injection (Stage 3:numeric SQL injection)
First log in using the method above and look at the source code; here the employee ID is passed as the index parameter. We want to browse the boss's account information through Larry. Generally speaking, the boss's salary should be the highest, so change the value to "101 or 1=1 Order By salary desc-" so that the boss's record comes first, and then you can view the boss's information.
Blind Numeric SQL Injection
First, only two kinds of information are returned: valid or invalid. Then narrow the range; once it is small enough, open Burp Suite, set up the proxy, capture a packet and then brute-force it (the settings were completed according to other people's blogs), and finally find the value based on the difference in response length.
3. Cross-site scripting (XSS) exercise
Stored XSS Attacks
Enter any title, and enter a piece of code in the message box.
Reflected XSS Attacks
Enter the corresponding code. The main difference between this and the previous one is that the previous one is stored on the server, and this one is not.
Cross-Site Request Forgery (CSRF)
Set up a URL; when the other person clicks it, the CSRF attack is triggered. You can put the URL in the message box; after submission there will be a record, and when you click this record you have been attacked.
II. Questions after the experiment
(1) The principle of SQL injection attacks and how to defend against them
SQL injection is a way of attacking the database. If the programmer writing the web page is careless, a malicious user can exploit the fact that the code does not check the legitimacy of user input, leaving a security hole in the program. The malicious user submits a piece of database query code and, based on the results the program returns, obtains the data he wants to know; that is what is called SQL injection. For defense, the first method is the one involved in this experiment, setting a maximum string length, but in fact it proved to be useless; use string filtering to filter out some SQL injection keywords; in addition, passwords can be encrypted in the database, and when verifying a login the password is first encrypted and then compared with the encrypted password in the database; if they match, it is basically safe.
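The answer above lists length limits and keyword filtering; the defense that actually removes the problem is to keep user input out of the SQL text altogether by binding it as a parameter, with a type check in front of it. The following Python example (added here, not part of the lab or of WebGoat) builds a constructed in-memory SQLite table modelled on the lesson's weather stations and users, and shows the string-concatenation lookup beside the parameterized one. The table layout, names and salaries are assumptions for this example. It covers both the numeric case (101 or 1=1) and the string case (' or '1'='1) from the exercises.

```python
import sqlite3


def make_db():
    """Constructed sample data; schema and rows are assumptions for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE weather_data ("
        "station INTEGER, name TEXT, state TEXT, min_temp INTEGER, max_temp INTEGER)"
    )
    conn.executemany(
        "INSERT INTO weather_data VALUES (?, ?, ?, ?, ?)",
        [(101, "Columbia", "MD", 55, 70), (102, "Seattle", "WA", 46, 55),
         (103, "New York", "NY", 58, 71)],
    )
    conn.execute("CREATE TABLE users (userid INTEGER, last_name TEXT, salary INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(101, "Smith", 50000), (102, "Stooge", 40000), (103, "Boss", 150000)],
    )
    return conn


# --- vulnerable versions: the input is pasted straight into the SQL text ---

def station_unsafe(conn, station):
    sql = "SELECT station, name FROM weather_data WHERE station = " + str(station)
    return conn.execute(sql).fetchall()


def user_unsafe(conn, last_name):
    sql = "SELECT userid, last_name FROM users WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()


# --- hardened versions: validate the type server-side, then bind as a parameter ---

def station_safe(conn, station):
    try:
        station_id = int(station)          # a numeric id must parse as an integer
    except (TypeError, ValueError):
        return []                           # reject before it reaches the database
    return conn.execute(
        "SELECT station, name FROM weather_data WHERE station = ?", (station_id,)
    ).fetchall()


def user_safe(conn, last_name):
    # The driver sends the value separately from the query text, so quotes
    # inside it are just characters of the name, never SQL syntax.
    return conn.execute(
        "SELECT userid, last_name FROM users WHERE last_name = ?", (last_name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(station_unsafe(db, "101 or 1=1"))   # every station
    print(station_safe(db, "101 or 1=1"))     # [] : rejected as non-numeric
    print(user_unsafe(db, "' or '1'='1"))     # every user
    print(user_safe(db, "' or '1'='1"))       # [] : no user has that name
```

Note that the check lives on the server: the maxlength=8 attribute seen in the Stage 1 exercise is only a hint to the browser and, as the lab found, is edited away in seconds. The same applies to keyword filtering, which has to anticipate every spelling an attacker might use; parameter binding does not depend on recognizing the payload at all.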
(2) The principle of XSS attacks and how to defend against them
XSS is cross-site scripting: you inject malicious code into a web page, and other users who then view that page are affected. This attack is mainly used to obtain the target site's cookies. So what is a cookie? A cookie is data stored on the local user's machine that some websites use to identify the user and track the session. Once this information has been obtained, the attacker can log in to the site from any PC connected to the internet, log in under someone else's identity, and do damage. For defense, I read other people's blogs and found them quite reasonable: first, when the malicious value is displayed as the content of a tag, filter HTML tags and some special characters wherever HTML input is not needed; these characters then become useless because they are not executed, and if they are not executed the attack is blocked. Second, when the malicious code is displayed as the attribute of a tag, the attacker truncates the attribute to open a new attribute or a malicious method, so the single and double quotes in the attribute itself need to be encoded; apply whitelist filtering to the HTML tags and tag attributes the user enters, and filter tags and attributes with known vulnerabilities specifically. The idea is actually simple: the original attribute is encoded and attributes newly added by the user are filtered, which is another defensive method.
(3) The principle of CSRF attacks and how to defend against them
CSRF is cross-site request forgery. First, note that it is completely different from an XSS attack! As the name says, it exploits a trusted website by forging requests that appear to come from a trusted user, whereas XSS can be described as using the trusted users within a site to carry out the attack. With the concept of forgery in mind, the following figure can be understood:
One point in this figure is key: C (holding A's cookie) logs in to B without having logged out of A. For defense, I looked at some other people's blogs and some materials: the first is cookie hashing (every form contains the same pseudo-random value). Simply put, the attacker cannot obtain the third party's cookie, so the data in the form cannot be constructed: a hash value is added to the form to verify that this really is a request sent by the user, and the hash value is then verified on the server side. Another is protection with a CAPTCHA: every time the user submits, they must fill in the random string shown in an image into the form. This is quite common, and now I finally know what those websites' CAPTCHAs are for. In short, the user's identity must be verified.
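The "cookie hashing" defense described above is, in concrete terms, a per-session anti-forgery token that the site's own form carries and the server checks. The following Python example (added here; not code from the lab or from WebGoat) models that exchange: the token is an HMAC of the session id under a server secret, the legitimate page embeds it in a hidden field, and the handler rejects any POST whose token does not match the session in the cookie. The endpoint name, cookie name, session ids and the secret are assumptions for this example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; in a real deployment it lives in configuration.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id):
    """Per-session token: HMAC-SHA256 of the session id under the server secret."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_form(session_id):
    """The site's own page embeds the token; a page on another origin cannot read it."""
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf" value="{csrf_token(session_id)}">'
        '<input name="amount"><input type="submit"></form>'
    )


def handle_transfer(cookies, form):
    """Server side of the assumed /transfer endpoint. Returns (status, message)."""
    session_id = cookies.get("session")
    if session_id is None:
        return 401, "not logged in"
    submitted = form.get("csrf", "")
    # compare_digest keeps the comparison constant-time regardless of where it differs.
    if not hmac.compare_digest(submitted, csrf_token(session_id)):
        return 403, "csrf token missing or invalid"
    return 200, f"transferred {form.get('amount')}"


def demo():
    """C is logged in to A (cookie present) and visits B while still logged in."""
    cookies = {"session": "c-session"}
    # Submission from A's own form: the token in the page matches the cookie.
    legit = handle_transfer(cookies, {"csrf": csrf_token("c-session"), "amount": "10"})
    # Request triggered from B: the browser attaches C's cookie automatically,
    # but B never saw A's page, so it cannot supply the matching token.
    forged = handle_transfer(cookies, {"amount": "10000"})
    return legit[0], forged[0]


if __name__ == "__main__":
    print(demo())   # (200, 403)
```

Binding the token to the session id is what stops an attacker from reusing a token obtained from their own account, which is why the test below also checks that a valid token for a different session is refused.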
III. Experiment summary and experience
The first two attack methods were already covered in the previous experiment; this time we studied them in more depth and understood exactly how these attacks work: why the input has to be given in this format, what the target of each attack is, and what the differences between the attacks are. The experiment process was still quite interesting. Also, I need to improve my English; every question looks a bit laborious. Finally, doing this experiment always gave me the feeling of sneaking around doing bad things behind people's backs, which is pretty strange... PS: remember to switch the proxy back after each time, otherwise Firefox cannot connect to the internet.
EXP9 Basic practice of web security, "Cyber Confrontation" course, 201453331 Wei