"Cyber confrontation" Exp9 the basic practice of web security first, answer the basic question 1, SQL injection principle, how to defend
SQL injection principle:
The attacker inserts SQL commands into a web form submission, a query-string or domain-name input field, or a page request parameter, tricking the server into executing malicious SQL. The program neglects to check for special characters that can form part of an attack, so the backend database treats the injected text as ordinary SQL. The attacker can then perform arbitrary operations on the backend database, up to and including destroying it.
Defensive measures:
① Validate user input with allowlist regular expressions and limit its length; above all, pass user data to the database through parameterized queries (prepared statements) rather than concatenating it into the SQL string.
② Do not connect to the database with administrator rights; give each application its own account with only the privileges it needs.
③ Do not store confidential information in plaintext; hash passwords and encrypt other sensitive data.
④ Application error messages should reveal as little as possible: wrap the original database error in a custom message and record the detailed exception separately (for example in a dedicated table or log).
2. XSS attack principle and how to defend against it
XSS attack principle:
The attacker inserts malicious script code into a web page. When a user browses the page, the embedded script executes in the user's browser, so a page that looks safe can steal the user's cookie, login password or other information.
Defensive measures:
① Reliable validation of everything the user submits, on the input side.
② Restrict what can be entered (length and permitted characters).
③ Never echo raw user input into a place where the browser would execute it as script; HTML-encode output so that submitted text is displayed rather than run.
3. CSRF attack principle and how to defend against it
CSRF attack principle:
We know that XSS is cross-site scripting: the attacker's script runs in the user's browser and obtains information such as the user's cookie. CSRF, by contrast, borrows the user's identity to send a request to the web server; because the request is not one the user intended, it is called "cross-site request forgery". The browser attaches the user's cookies to the forged request automatically, so the server cannot tell it from a genuine one unless it checks something the attacker cannot supply.
Defensive measures:
① Check submissions with a Referer (or Origin) check, a per-session token or a verification code.
② Avoid exposing the user's private information in page links, and use POST for operations that modify or delete data.
③ Avoid a single site-wide cookie; set the cookie's domain (and path) strictly.
Second, the experimental process
1. Installing WebGoat
WebGoat is an application platform developed by the OWASP organization for experimenting with web vulnerabilities and illustrating security flaws in web applications. It runs on a Java virtual machine and offers many training lessons, including XSS, thread safety and SQL injection; our experiment is carried out on the WebGoat platform.
WebGoat comes in a simple version and a developer version. The simple version is a single Java jar that only needs a Java runtime; we run WebGoat from the command line with: java -jar 4318.jar
This part was a bit of a trap: if the WebGoat version you find is not the same as the one used before, you can only look up the English words one at a time. Most crucially, I found that some new problems might arise that cause the experiment to get stuck. So at first I was using WebGoat 8.0, and then went back to WebGoat 7.0. Thanks here to classmates Zishing and Yang Zhenghui for providing the WebGoat software!
Wait a while for it to unpack; then the following appears at the bottom of the output:
Note: you can now log in to the web page and start using WebGoat.
WebGoat listens on port 8080, so open localhost:8080/WebGoat in the browser. Once inside WebGoat you can see many exercises to practise on.
2. Cross-Site Scripting (XSS) exercises
1) Phishing with XSS
In this exercise we enter XSS attack code in the search box and use XSS to add elements to the existing page. We start by creating a form that lets the victim fill in a user name and password, then add a piece of JavaScript that reads the username and password the victim entered and sends them to http://localhost:8080/WebGoat/catcher?PROPERTY=yes. The full XSS attack code is as follows:
Enter the attack code in the search box and click Search; a form asking for a user name and password appears. Enter a username and password and click Login; WebGoat captures what you entered and shows it back to you:
2) Stored XSS Attacks
Our goal is to create message content that causes other users to load unexpected pages or content when they view it, so we enter a piece of script code in the message:
After submitting, click on the post just created; a pop-up window shows that the attack succeeded:
3) Reflected XSS Attacks
When we enter incorrect user information, the server checks the input, finds it wrong, returns an error page and shows us the offending content:
If instead we use an attack string as the input source, such as typing, a dialog box appears:
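The phishing, stored and reflected lessons above all come down to one defect: text the user submitted is written into the page exactly as received, so the browser parses the attacker's tags. The block below is an added example (my own code, not WebGoat's and not the attack code from the page): it renders a constructed script payload and a constructed fake-login form with and without output encoding, shows the attribute-context case that the reflected lesson's search box echoes into, and builds an HttpOnly session cookie as the defence-in-depth that keeps a successful XSS from reading the session id. The `catcher` URL is copied from the page; everything else (function names, payload text, cookie name and path) is an assumption.

```python
import html

# Constructed payloads in the shape of the lessons' (not WebGoat's own form).
SCRIPT_PAYLOAD = '<script>alert("xss")</script>'
FORM_PAYLOAD = (
    '<form action="http://localhost:8080/WebGoat/catcher?PROPERTY=yes">'
    'Username <input name="user"> Password <input name="pass">'
    '<input type="submit" value="Login"></form>'
)


def render_post_unsafe(body):
    # Stored XSS: the message body is copied into the page verbatim, so the
    # browser treats the attacker's <script> / <form> as part of the page.
    return f'<div class="post">{body}</div>'


def render_post_safe(body):
    # Output encoding: <, >, &, " and ' become entities, so the text is shown,
    # never executed. The same fix covers stored and reflected XSS alike.
    return f'<div class="post">{html.escape(body)}</div>'


def render_search_box_safe(query):
    # Attribute context (the reflected lesson echoes the search term back):
    # quote=True (the default) is what stops  " onfocus="alert(1)  from
    # closing the value attribute and adding an event handler.
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


def session_cookie(value):
    # Defence in depth: script injected into the page cannot read an HttpOnly
    # cookie through document.cookie, so the session id is not exfiltrated
    # even if an XSS does land. Cookie name and path are assumptions.
    return f"JSESSIONID={value}; Path=/WebGoat; HttpOnly; Secure"


if __name__ == "__main__":
    print(render_post_unsafe(SCRIPT_PAYLOAD))   # browser would run the script
    print(render_post_safe(SCRIPT_PAYLOAD))     # browser shows literal text
    print(render_post_safe(FORM_PAYLOAD))       # no fake login form is created
    print(render_search_box_safe('" onfocus="alert(1)'))
    print(session_cookie("0123456789abcdef"))
```

Encoding must match the context the data lands in: `html.escape` is right for element text and quoted attributes, but a value placed inside a `<script>` block or a URL needs JavaScript-string or URL encoding instead.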
3. CSRF exercise
1) Cross Site Request Forgery
Our goal is to write a URL that entices other users to load it and thereby triggers the CSRF attack. We can place the URL in the message box in the form of an image or frame; the URL itself is not visible to other users, but as soon as another user opens the message, the browser requests the URL with that user's cookies and the CSRF fires.
We enter the following in the message box:
<iframe src="attack?Screen=276&menu=900&transferFunds=confirm">
Success:
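The defences listed in the basic-question section map directly onto this exercise. The following is an added example (my own code, not WebGoat's): a server-side check that applies them in order, a POST-only rule, an Origin/Referer comparison, and a per-session HMAC token compared in constant time, run against three constructed requests. The first is the request the stored `<iframe src="attack?Screen=276&menu=900&transferFunds=confirm">` above causes; note that because the iframe is stored on WebGoat's own message board, its Referer is WebGoat itself, so a Referer check alone would let it through, and it is the method and token checks that stop it. The request dictionaries, header values, secret and session ids are all assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SERVER_SECRET = b"constructed server-side secret"  # assumption: never sent to the client
SITE = "http://localhost:8080"


def issue_csrf_token(session_id):
    # Per-session token embedded in our own forms; a page on another site
    # cannot read it, so a forged request cannot include the right value.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(url, site=SITE):
    # Compare scheme, host and port, not a string prefix: a prefix test would
    # accept http://localhost:8080.evil.example.
    try:
        a, b = urlsplit(url), urlsplit(site)
        return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)
    except ValueError:  # e.g. a port that is not a number
        return False


def transfer_allowed(request, session_id):
    """request: dict with 'method', 'headers' and 'form' (constructed shape)."""
    # ② state-changing actions only via POST; a GET fired by <img>/<iframe> is refused
    if request["method"] != "POST":
        return False
    # ① Origin (or Referer as fallback) must be our own site
    origin = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    if not same_origin(origin):
        return False
    # ① the token in the form must be the one issued to this session
    token = request["form"].get("csrf_token", "")
    return hmac.compare_digest(token, issue_csrf_token(session_id))


# Constructed requests (assumptions about what each client would send).
IFRAME_REQUEST = {  # caused by the stored iframe: same-site Referer, GET, no token
    "method": "GET",
    "headers": {"Referer": "http://localhost:8080/WebGoat/attack?Screen=276&menu=900"},
    "form": {},
}
CROSS_SITE_POST = {  # attacker page on another origin submitting a hidden form
    "method": "POST",
    "headers": {"Origin": "http://evil.example"},
    "form": {"transferFunds": "confirm"},
}


def legit_request(session_id):
    # What our own transfer form sends for this session.
    return {
        "method": "POST",
        "headers": {"Origin": SITE},
        "form": {"transferFunds": "confirm", "csrf_token": issue_csrf_token(session_id)},
    }


if __name__ == "__main__":
    print("iframe GET      ->", transfer_allowed(IFRAME_REQUEST, "sess-1"))   # False
    print("cross-site POST ->", transfer_allowed(CROSS_SITE_POST, "sess-1"))  # False
    print("own form        ->", transfer_allowed(legit_request("sess-1"), "sess-1"))  # True
```

Marking the session cookie `SameSite=Lax` (or `Strict`) adds a browser-side layer, since cross-site navigations and embeds then omit the cookie; it does not replace the token, because the stored-iframe case above is same-site.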
4. Injection Flaws exercises
1) Command Injection
This exercise needs Firefox's source-viewing plug-in, Firebug, in the top right corner. First modify the source so that an option value such as BackDoors.help is followed by "& netstat -an & ipconfig" (I tried a few other commands and they would not run, perhaps because of my formatting or something else; frustrating).
Click View and you can see that the command has been executed.
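The lesson works because the chosen help-file name is pasted into a command line that a shell interprets, so the separator after it starts a second command. The block below is an added example (my own code, not WebGoat's) that reproduces the pattern against a constructed help directory, then hardens it by allowlisting the name and passing it as an argument vector with no shell. It runs under a POSIX shell, so the injected part is `; echo INJECTED` rather than the page's `& netstat -an & ipconfig` (in `cmd.exe`, `&` is the sequential separator that `;` is here). The directory, file content and function names are assumptions.

```python
import os
import re
import subprocess
import tempfile

# Constructed stand-in for the application's help-file directory.
HELP_DIR = tempfile.mkdtemp(prefix="webgoat-help-")
with open(os.path.join(HELP_DIR, "BackDoors.help"), "w") as fh:
    fh.write("help text\n")


def view_help_vulnerable(name):
    # The lesson's pattern: the user-chosen name is formatted into one command
    # string and handed to a shell, so "BackDoors.help; echo INJECTED" runs
    # two commands.
    cmd = f"cat {os.path.join(HELP_DIR, name)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


HELP_NAME = re.compile(r"[A-Za-z0-9_]+\.help")


def view_help_safe(name):
    # 1. Allowlist the name: no separators, no quotes, no "../" traversal.
    if not HELP_NAME.fullmatch(name):
        raise ValueError(f"rejected help file name: {name!r}")
    # 2. No shell at all: argv elements are passed to cat as-is, so even a name
    #    that slipped past the allowlist could only ever be a (non-existent)
    #    file name, never a second command.
    result = subprocess.run(
        ["cat", os.path.join(HELP_DIR, name)],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    print(view_help_vulnerable("BackDoors.help; echo INJECTED"))  # help text + INJECTED
    print(view_help_safe("BackDoors.help"))                       # help text only
    try:
        view_help_safe("BackDoors.help; echo INJECTED")
    except ValueError as err:
        print("blocked:", err)
```

Dropping the shell removes the metacharacter problem; the allowlist is still needed, because `cat` with argv `["cat", "/help/../../../etc/passwd"]` is not command injection but is still a file-disclosure bug.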
2) Numeric SQL Injection
Inject a SQL string so that all the weather data is returned. Use Firebug to append "or 1=1" (always true) after any option value.
Click Go to see all the weather data:
3) Log Spoofing
The username we enter is appended to the log file, so we can use it as bait to make the log show a successful login for a user named "admin". Enter the following in the User Name box (the password can be anything): Wxf%0d%0aLogin Succeeded for username: admin
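What makes the decoy work is the `%0d%0a`: once URL-decoded it is a CR LF pair, so the one log line the server writes for a failed login contains an embedded line break and anyone (or any tool) reading the log line by line sees a second, forged "Login Succeeded" event. The block below is an added example (my own code, not WebGoat's) that writes the page's payload into a log line the vulnerable way and the neutralised way, then parses both the way a log monitor would. The log line format and function names are assumptions, not WebGoat's actual format.

```python
import re
from urllib.parse import unquote

# Assumed log line format (WebGoat's real wording may differ).
LOG_RE = re.compile(r"^(Login Succeeded|Login Failed) for username: (.*)$")

# The page's payload, exactly as typed; unquote() turns %0d%0a into "\r\n".
PAYLOAD = unquote("Wxf%0d%0aLogin Succeeded for username: admin")


def log_line_vulnerable(username, success):
    # Username appended verbatim: a CR LF inside it ends this record early and
    # starts a fake one on the next line.
    status = "Login Succeeded" if success else "Login Failed"
    return f"{status} for username: {username}\n"


def log_line_safe(username, success):
    # Neutralise line terminators before the value reaches the log, so one
    # event can only ever occupy one line. Escaping (rather than deleting)
    # keeps evidence of the attempt in the record.
    clean = username.replace("\r", "\\r").replace("\n", "\\n")
    status = "Login Succeeded" if success else "Login Failed"
    return f"{status} for username: {clean}\n"


def parse_log(text):
    # What a line-oriented log monitor sees: a list of (status, user) events.
    events = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match:
            events.append((match.group(1), match.group(2)))
    return events


if __name__ == "__main__":
    print(parse_log(log_line_vulnerable(PAYLOAD, False)))  # two events, "admin" succeeded
    print(parse_log(log_line_safe(PAYLOAD, False)))        # one event, with \r\n visible
```

Structured logging (JSON, one object per line, with the username as a quoted field) gives the same protection by construction, because the serializer escapes control characters.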
4) String SQL Injection
Construct a SQL injection string based on the SELECT statement: enter ' or 1=1 -- in the text box.
Click Go; the attack succeeds and all user information is displayed:
5) Lab: SQL Injection
Log in, entering ' or 1=1 -- in the password field for SQL injection, but the login fails. The reason is that the field's maximum input length is limited; edit the source and raise the maximum length to at least the length of the input:
Login succeeds:
The next stage passes an employee ID as a parameter. Edit the source and change the value to 101 or 1=1 order by salary desc -- so that the boss's record is sorted first.
Then you can see the boss's information.
6) Database Backdoors
First enter 102 to retrieve that user's information.
The input is evidently not validated, so SQL injection is easy. Enter the injection statement 102; update employee set salary=500000 and the user's salary is raised to 500000 (since the UPDATE has no WHERE clause, it in fact rewrites every employee's salary, not only user 102's).
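The Numeric SQL Injection, String SQL Injection, Lab and Database Backdoors exercises above are all the same bug seen through different inputs, and the defences listed under basic question 1 are what close it. The following is an added example (my own code, not WebGoat's): a constructed in-memory employee table, the three payloads from the exercises replayed against string-concatenated queries, and then the same lookups done with bound parameters plus a read-only restriction standing in for a least-privilege database account. The table schema, row values, and function names are assumptions; only the payloads are taken from the page.

```python
import sqlite3


def make_db():
    # Constructed stand-in for WebGoat's employee table (schema and rows assumed).
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employee (userid INTEGER, name TEXT, salary INTEGER);
        INSERT INTO employee VALUES (101, 'Larry', 55000);
        INSERT INTO employee VALUES (102, 'Moe', 62000);
        INSERT INTO employee VALUES (112, 'Boss', 450000);
    """)
    return conn


# --- the vulnerable pattern: user text pasted straight into the SQL string ---

def vulnerable_by_name(conn, name):
    # String SQL injection: name = "' or 1=1 --" turns the condition into
    #   name = '' or 1=1 --'
    # which is true for every row.
    sql = f"SELECT userid, name, salary FROM employee WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def vulnerable_by_id(conn, userid):
    # Numeric SQL injection and the Lab: userid = "101 or 1=1 order by salary desc --"
    # returns everyone, highest salary (the boss) first.
    sql = f"SELECT userid, name, salary FROM employee WHERE userid = {userid}"
    return conn.execute(sql).fetchall()


def vulnerable_profile(conn, userid):
    # Database backdoor: stacked statements. Python's execute() refuses more than
    # one statement, so executescript() is used here; JDBC and many other drivers
    # allow stacking. "102; update employee set salary=500000" runs the UPDATE
    # too, and with no WHERE clause it rewrites every salary, not just 102's.
    conn.executescript(f"SELECT * FROM employee WHERE userid = {userid};")
    return conn.execute("SELECT userid, salary FROM employee ORDER BY userid").fetchall()


# --- the fix: bind parameters (defence ①) and least privilege (defence ②) ---

def safe_by_name(conn, name):
    # The text travels as a bound value; the database never parses it as SQL.
    return conn.execute(
        "SELECT userid, name, salary FROM employee WHERE name = ?", (name,)).fetchall()


def safe_by_id(conn, userid):
    uid = int(userid)  # type check first: "101 or 1=1 ..." raises ValueError here
    return conn.execute(
        "SELECT userid, name, salary FROM employee WHERE userid = ?", (uid,)).fetchall()


def restrict_to_reads(conn):
    # In production this is a database account that only has SELECT on the tables
    # it needs. SQLite has no accounts, so an authorizer callback stands in: any
    # INSERT/UPDATE/DELETE/DROP smuggled in through injection is refused.
    def authorizer(action, arg1, arg2, dbname, source):
        if action in (sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE,
                      sqlite3.SQLITE_DELETE, sqlite3.SQLITE_DROP_TABLE):
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_by_name(db, "' or 1=1 --"))                       # all three rows
    print(vulnerable_by_id(db, "101 or 1=1 order by salary desc --"))  # Boss first
    print(safe_by_name(db, "' or 1=1 --"))                             # []
    print(vulnerable_profile(db, "102; update employee set salary=500000"))
    locked = make_db()
    restrict_to_reads(locked)
    try:
        vulnerable_profile(locked, "102; update employee set salary=500000")
    except sqlite3.DatabaseError as err:
        print("blocked by least privilege:", err)
```

The length limit met in the Lab is not a defence: it only forced a longer edit of the form. Parameter binding removes the bug regardless of payload length, and the read-only account turns a remaining read-side injection from "rewrite every salary" into "read more than intended", which is the point of defence ②.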
Third, experimental thoughts
This was the last network attack and defense experiment. To be honest, I am grateful to this course: although there were many problems in most of the experiments, and sometimes it was very frustrating, I got through all of them successfully. What I gained is an understanding of the basic principles of network attacks, and I stress the principles. There are many new technologies, but the principles they rely on have been around for a long time; once we understand the principles, we will be more effective when studying new technologies. That is why I want to thank this class.
I learned a lot from this experiment and understood some of the basic principles of web attacks; understanding attack is naturally good for defense. This is also what makes being a white-hat hacker fun and meaningful.
Thanks for the teacher's lecture! Thanks to my classmates for their help!
EXP9 Web Security Essentials 20154318 Wang Xiufei