EXP9 Web Security Basics

Source: Internet
Author: User
Tags: csrf attack

I. Basic questions

1. SQL injection: principle and defences

SQL injection principle:
SQL injection works by placing SQL syntax in data the application accepts (a web form field, a URL or domain parameter, a page request) so that the server assembles and runs a query the attacker partly controls. The root cause is that the program splices the input into the query text without checking for the characters that change its meaning (quotes, comment markers, statement separators), so the database receives the attacker's fragment as an ordinary part of the SQL. The attacker can then read, change or delete data in the back-end database, and in the worst case destroy it.

Defensive measures:
① Validate user input with regular expressions or a length limit, but treat this as a secondary layer only: the decisive defence is to build every query as a parameterized (prepared) statement, so that input is bound as a value and never becomes part of the SQL text. A length limit enforced only in the browser is no defence at all; the Lab below bypasses one by editing the page.
② Do not use a database connection with administrator rights; give each application its own account restricted to the tables and operations it needs, so that a successful injection is confined to that application's data.
③ Do not store confidential information in plaintext; hash passwords and encrypt other sensitive data, so that whatever an injection can read is of limited use.
④ Keep the error messages the application shows to a minimum: wrap the original database error in a custom message and record the details in a separate log or table, because a verbose error reveals table and column names and the shape of the query to the attacker.

2. XSS: principle and defences

XSS attack principle:
The attacker gets malicious script into a web page, either stored on the server (for example in a message-board post) or reflected back from a request parameter (a search term, an error message). When another user views the page, the browser cannot tell the injected script from the site's own, so it runs in that user's session: it can read the cookie, capture what is typed into a login form, or rewrite the page, even though the page looks legitimate.

Defensive measures:
① Validate user-submitted content on the server; validation done only in the browser can be bypassed.
② Encode output for the context it is written into: HTML-escape text before placing it in the page, and escape attribute values and JavaScript strings by their own rules, so that input is displayed rather than interpreted.
③ Keep user input out of places where the browser executes script (inside <script> blocks, event-handler attributes, javascript: URLs), and mark the session cookie HttpOnly so that even an injected script cannot read it.

3. CSRF: principle and defences

CSRF attack principle:
XSS is a cross-site scripting attack: it runs the attacker's script in the user's browser to obtain information such as the cookie. CSRF borrows the user's identity instead. The attacker gets the victim's browser to send a request to a web server on which the victim is already logged in (by placing the URL in an image, a frame or an auto-submitted form on a page the victim views), and the browser attaches the session cookie on its own. The server sees a valid session behind a request the user never intended, hence "cross-site request forgery".

Defensive measures:
① Detect forged submissions with a secret token bound to the session and verified on every state-changing request; checking the Referer (or Origin) header and requiring a verification code are additional checks, not substitutes for the token.
② Do not expose the user's private information or sensitive actions in page links; use POST for modify and delete operations. This keeps such actions out of image tags and plain links, although a form can still be submitted by script, so it does not replace ①.
③ Avoid a site-wide generic cookie: set the cookie's domain (and path) as narrowly as possible, and use the SameSite attribute so that the browser does not attach the cookie to cross-site requests.

II. Experimental steps

1. First install WebGoat on the computer and complete its configuration; those steps are not repeated here.

2. Cross-Site Scripting (XSS)

1) Phishing with XSS

In this exercise we enter XSS attack code in the search box and use it to add elements to the existing page. We first create a form that asks the victim to fill in a user name and password, then add a piece of JavaScript that reads what the victim types into that form and sends it to http://localhost:8080/WebGoat/Catcher?Property=yes. The full XSS attack code is as follows:

Enter the attack code in the search box and click Search; a form asking for a user name and password appears. Enter a user name and password and click Login, and WebGoat captures what was entered and shows it back to you:

2) Stored XSS Attacks

The goal is to create a message whose content makes other users load unexpected pages or content when they view it. We enter a string of script as the message body:

Once it is submitted, click on the post just created; the pop-up window shows that the attack succeeded:

3) Reflected XSS Attacks

When we enter wrong user information, the server detects the invalid input, returns an error page and echoes what we entered:
If we instead use attack code as the input, such as typing a script element into the field, a dialog box appears:
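The three exercises above all put untrusted text into the page unencoded. The following Python example is added here and is not WebGoat's code or the author's: it renders a search result and an input field the way the lesson pages do (raw concatenation) and the way defence ② in Part I prescribes (HTML escaping for the context). The payloads are constructed for the example and only follow the shape of the exercises; the regex checks exist to make the effect visible and are not themselves a defence.

```python
import html
import re

# Constructed payloads shaped like the three exercises: a phishing form plus a
# credential-stealing script, a stored alert(), and a reflected script.
PHISHING_PAYLOAD = (
    '</form><form name="phish">Username: <input name="user"><br>'
    'Password: <input name="pass" type="password"><br>'
    '<input type="button" value="login" onclick="hack()"></form>'
    '<script>function hack(){alert("credentials captured")}</script>'
)
STORED_PAYLOAD = "<script>alert('stored xss')</script>"
REFLECTED_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTRIBUTE_PAYLOAD = '" onfocus="alert(1)'   # closes the attribute, adds a handler

SEARCH_PREFIX, SEARCH_SUFFIX = "<p>Results for: ", "</p>"


def render_search_vulnerable(term: str) -> str:
    """What the lesson page does: the search term is concatenated into the HTML."""
    return SEARCH_PREFIX + term + SEARCH_SUFFIX


def render_search_safe(term: str) -> str:
    """Same page, with the term HTML-escaped for the text context it lands in."""
    return SEARCH_PREFIX + html.escape(term, quote=True) + SEARCH_SUFFIX


def render_input_vulnerable(value: str) -> str:
    """Reflecting a value into an attribute without escaping."""
    return '<input name="q" value="' + value + '">'


def render_input_safe(value: str) -> str:
    """quote=True also encodes " and ', so the value cannot end the attribute."""
    return '<input name="q" value="' + html.escape(value, quote=True) + '">'


TAG_OPENER = re.compile(r"</?[A-Za-z]")
HANDLER_ATTR = re.compile(r'"\s+on[a-z]+\s*=', re.IGNORECASE)


def markup_injected(rendered: str, prefix: str, suffix: str) -> bool:
    """Strip the fixed wrapper and ask whether the user-controlled part still
    contains a tag opener. This only makes the effect of escaping visible;
    the application relies on the escaping, not on a regex like this."""
    if not (rendered.startswith(prefix) and rendered.endswith(suffix)):
        raise ValueError("unexpected wrapper")
    body = rendered[len(prefix):len(rendered) - len(suffix)]
    return TAG_OPENER.search(body) is not None


def handler_injected(rendered: str) -> bool:
    """Did the value break out of its attribute and add an on* handler?"""
    return HANDLER_ATTR.search(rendered) is not None


if __name__ == "__main__":
    for name, payload in [("phishing", PHISHING_PAYLOAD),
                          ("stored", STORED_PAYLOAD),
                          ("reflected", REFLECTED_PAYLOAD)]:
        raw = markup_injected(render_search_vulnerable(payload), SEARCH_PREFIX, SEARCH_SUFFIX)
        esc = markup_injected(render_search_safe(payload), SEARCH_PREFIX, SEARCH_SUFFIX)
        print(f"{name:9s} raw: markup injected={raw}  escaped: markup injected={esc}")
    print("attribute raw:    ", handler_injected(render_input_vulnerable(ATTRIBUTE_PAYLOAD)))
    print("attribute escaped:", handler_injected(render_input_safe(ATTRIBUTE_PAYLOAD)))
    print(render_search_safe(STORED_PAYLOAD))
```

The escaped search result shows the payload as literal text (`&lt;script&gt;...`), which is exactly what the reflected-XSS error page should have done with the input. Escaping is per context: the text escape is enough for the `<p>` body, and the quote escaping is what keeps the attribute payload from becoming an `onfocus` handler; a value placed inside a `<script>` block would need JavaScript-string escaping instead.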

3. CSRF

1) Cross Site Request Forgery

The goal is to craft a URL that other users are enticed to load, thereby triggering the CSRF request. We can embed the URL in the message box as an image or frame: the URL itself is not visible to other users, and as soon as one of them opens the message, the browser requests it with that user's session cookie and the transfer is carried out.

We enter the following code in the message box:

<iframe src="attack?Screen=276&menu=900&transferFunds=confirm">

Success:
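The iframe above works because the browser sends the victim's session cookie with the request and the server has no way to tell that the user did not intend it. The following Python example is added here (it is not WebGoat's code) and implements defence ① from Part I: a per-session anti-CSRF token, an Origin/Referer check and a POST-only rule, applied to a transferFunds handler. The session ID, server secret, site origin and the request dictionaries are constructed for the example; a real application would take them from its framework.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed for this example: a real deployment loads the secret from
# configuration and takes the session ID from its session framework.
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "http://localhost:8080"   # assumed origin of the WebGoat instance


def issue_csrf_token(session_id: str) -> str:
    """Return nonce.mac with mac = HMAC(secret, session_id:nonce). The token is
    written into the bank's own transfer form as a hidden field; a page on
    another origin cannot read that form, so it cannot copy the token."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def origin_allowed(headers: Dict[str, str]) -> bool:
    """Secondary check: Origin (or, failing that, Referer) must name our site.
    A request with neither header is rejected here; that is a policy choice,
    since some privacy settings strip Referer."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def handle_transfer(method: str, headers: Dict[str, str],
                    form: Dict[str, str], session_id: str) -> str:
    """Server-side decision for the transferFunds action. The session cookie
    has already been mapped to session_id, exactly as in the forged request."""
    if method != "POST":
        return "rejected: state change must be POST"
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return "rejected: bad or missing CSRF token"
    if not origin_allowed(headers):
        return "rejected: cross-site origin"
    return f"transferred {form.get('transferFunds')}"


if __name__ == "__main__":
    sid = "sess-7f3a"                       # constructed session ID
    token = issue_csrf_token(sid)
    # Legitimate submission of the bank's own form.
    print(handle_transfer("POST", {"Origin": SITE_ORIGIN},
                          {"csrf_token": token, "transferFunds": "4000"}, sid))
    # The iframe in the stored message: a GET with no token. Its Referer is the
    # site itself, because the message page is hosted there.
    print(handle_transfer("GET", {"Referer": SITE_ORIGIN + "/WebGoat/attack"},
                          {"transferFunds": "4000"}, sid))
    # An auto-submitted POST form on an attacker page: still no token.
    print(handle_transfer("POST", {"Origin": "http://attacker.example"},
                          {"transferFunds": "4000"}, sid))
```

Note the second case: because the message board lives on the target site, the forged request's Referer is the site's own origin, so a Referer check by itself would accept it. It is the token, which the attacker's message cannot contain, that rejects the request; the Origin/Referer check only adds defence in depth.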


4. Injection Flaws

1) Command Injection

This exercise needs the Firebug add-on in Firefox (upper right corner) to view and edit the page source. First modify the source: next to Backdoors.help in the drop-down list, append & netstat -an & ipconfig. (I tried some other commands but could not get them to run; it seems to be a format problem of mine or something else, which was frustrating.)

Click View and the output shows that the commands were executed.
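The drop-down value is pasted into a shell command line, so & ends the intended command and starts the attacker's. The following Python example is added here and does not reproduce WebGoat's server code: the command shape (cmd.exe /c type <file>) and the allowlist of help files are assumptions. It tokenizes the injected value the way a shell would, then shows the hardened form, where the parameter is validated against an allowlist and passed as one argv element to a program with no shell in between; the current Python interpreter stands in for the file viewer so that the block runs anywhere.

```python
import shlex
import subprocess
import sys
from typing import List

# Constructed allowlist for the example; WebGoat's real list of help files is
# not reproduced here.
ALLOWED_HELP_FILES = {"BasicAuthentication.help", "Backdoors.help", "CommandInjection.help"}

# The drop-down value after the edit described above.
INJECTED_VALUE = "Backdoors.help & netstat -an & ipconfig"

SEPARATORS = {"&", "&&", ";", "|", "||"}


def vulnerable_command_line(help_file: str) -> str:
    """The lesson's bug, reconstructed: the parameter is pasted into one command
    string that is handed to a shell. The exact command is an assumption."""
    return "cmd.exe /c type " + help_file


def shell_commands_seen(command_line: str) -> List[str]:
    """Split the string the way a shell parses it: &, ;, | and their doubled
    forms end one command and begin the next (sh and cmd.exe both treat & as
    a command separator)."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in SEPARATORS:
            commands.append(" ".join(current))
            current = []
        else:
            current.append(token)
    if current:
        commands.append(" ".join(current))
    return commands


def is_allowed_help_file(name: str) -> bool:
    """Allowlist check: the value must be one of the known file names, exactly."""
    return name in ALLOWED_HELP_FILES


def safe_argv(help_file: str) -> List[str]:
    """Hardened form: allowlist the value, then pass it as a single argv element.
    No shell parses the list, so metacharacters in it carry no meaning."""
    if not is_allowed_help_file(help_file):
        raise ValueError(f"unknown help file: {help_file!r}")
    return ["cat", help_file]


def argument_as_received(value: str) -> str:
    """Run a program with the value as one argv element and return what the
    program saw. The whole injected string arrives as one literal argument and
    nothing after the & is executed."""
    proc = subprocess.run([sys.executable, "-c", "import sys; print(sys.argv[1])", value],
                          capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\r\n")


if __name__ == "__main__":
    print("shell sees:   ", shell_commands_seen(vulnerable_command_line(INJECTED_VALUE)))
    print("argv delivers:", repr(argument_as_received(INJECTED_VALUE)))
    print("allowlisted:  ", is_allowed_help_file(INJECTED_VALUE))
```

The allowlist is the check that matters for this lesson, because the parameter is supposed to name one of a fixed set of files; escaping metacharacters would be the wrong fix, since it tries to keep the shell in the loop. If the real command had to run through a shell for some reason, the value would need quoting with shlex.quote, but avoiding the shell altogether is the simpler and safer design.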

2) Numeric SQL Injection

Inject SQL so that the query returns all the weather data. Use Firebug to append or 1=1 (always true) after any of the option values:

Click Go and all the weather data is displayed.

3) Log Spoofing

The user name we enter is appended to the log file, so we can make the log show a successful login for a user named admin. Enter Wxf%0d%0aLogin Succeeded for username: admin in the User Name field (the password can be left empty). The %0d%0a decodes to a carriage return and line feed, so the text after it appears as a separate log line.
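Added example, not part of the original report: a Python reconstruction of the log spoofing above and of the fix, which escapes control characters before anything user-controlled is written to a log. The log line formats are assumed; WebGoat's exact wording is not reproduced.

```python
from typing import List
from urllib.parse import unquote

# The exercise's input exactly as typed into the form (URL-encoded CR LF).
SPOOF_INPUT = "Wxf%0d%0aLogin Succeeded for username: admin"

# Line formats assumed for this example; WebGoat's exact wording is not reproduced.
FAIL_FMT = "Login failed for username: {}"
SUCCESS_PREFIX = "Login Succeeded for username: "


def decode_form_field(raw: str) -> str:
    """What the application receives after the container URL-decodes the field:
    %0d%0a has become a real carriage return and line feed."""
    return unquote(raw)


def append_failed_login_vulnerable(logfile: str, username: str) -> str:
    """The lesson's logger: the name is appended verbatim, so a CR LF inside it
    ends the real entry and starts a line the attacker wrote."""
    return logfile + FAIL_FMT.format(username) + "\n"


def sanitize_for_log(value: str) -> str:
    """Escape CR, LF, TAB and every other control character so a value occupies
    exactly one line and cannot imitate a separate entry."""
    out = []
    for ch in value:
        if ch == "\r":
            out.append("\\r")
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\t":
            out.append("\\t")
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(ch)
    return "".join(out)


def append_failed_login_safe(logfile: str, username: str) -> str:
    """Same entry, with the user-controlled part sanitized first."""
    return logfile + FAIL_FMT.format(sanitize_for_log(username)) + "\n"


def successful_admin_logins(logfile: str) -> List[str]:
    """What an analyst grepping the file for admin logins would find."""
    return [line for line in logfile.splitlines()
            if line.startswith(SUCCESS_PREFIX + "admin")]


if __name__ == "__main__":
    name = decode_form_field(SPOOF_INPUT)
    print("vulnerable log:")
    print(append_failed_login_vulnerable("", name), end="")
    print("safe log:")
    print(append_failed_login_safe("", name), end="")
```

With the vulnerable logger the forged "Login Succeeded" line is indistinguishable from a real one; with the sanitized logger it stays inside the failed-login entry, with the CR LF visible as `\r\n`, so both a human and a grep see one suspicious entry rather than a successful login.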

4) String SQL Injection

Construct an injection string against the SELECT statement by entering ' or 1=1 -- in the text box:
Click Go; the attack succeeds and all user records are displayed:

5) Lab: SQL Injection

Log in with ' or 1=1 -- in the password field for SQL injection, but the login fails: the password field has a length limit. Open the page source and change the limit (the input field's maxlength) to at least the length of the injection string:

Login succeeds:

This page passes an employee ID as the parameter. Open the page source and change the value to 101 or 1=1 order by salary desc, so that the boss's record is sorted first.

Then the boss's information is displayed.
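The payloads from exercises 2), 4) and 5) above, and the defences listed under Part I, question 1, are demonstrated in the following Python example, which is added here and is not WebGoat's code. It keeps a small constructed employee table in an in-memory SQLite database, runs the login and profile queries once with string concatenation and once as parameterized statements, and shows why the numeric parameter must be parsed as a number before it is bound. Table, names and salaries are constructed; passwords are stored in plaintext only to keep the example short (defence ③ says to hash them).

```python
import sqlite3
from typing import List, Optional, Tuple

# Payloads from the exercises above: the string form from 4) and the Lab login,
# and the numeric form from 2) and the Lab's employee-ID parameter.
STRING_PAYLOAD = "' or 1=1 --"
NUMERIC_PAYLOAD = "101 or 1=1 order by salary desc"


def make_db() -> sqlite3.Connection:
    """Constructed sample data shaped like the lesson's employee table (not WebGoat's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (userid INTEGER PRIMARY KEY, "
                 "first_name TEXT, password TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", [
        (101, "Alice", "alice", 55000),
        (102, "Bob", "bob", 45000),
        (112, "Carol", "bossman", 450000),   # the boss
    ])
    return conn


def login_vulnerable(conn, username: str, password: str) -> List[int]:
    """The lesson's bug: input spliced into the SQL text, so a quote and a
    comment marker in the password rewrite the WHERE clause."""
    sql = (f"SELECT userid FROM employee "
           f"WHERE first_name = '{username}' AND password = '{password}'")
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, username: str, password: str) -> List[int]:
    """Parameterized statement: the same characters are just part of a value."""
    sql = "SELECT userid FROM employee WHERE first_name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def view_profile_vulnerable(conn, employee_id: str) -> List[Tuple]:
    """The Lab's page: the employee ID is pasted straight into the query, so
    'or 1=1 order by salary desc' returns every row with the boss first."""
    sql = f"SELECT userid, first_name, salary FROM employee WHERE userid = {employee_id}"
    return conn.execute(sql).fetchall()


def parse_employee_id(value: str) -> Optional[int]:
    """A numeric parameter is validated as a number before it goes near SQL."""
    try:
        return int(value)
    except ValueError:
        return None


def view_profile_safe(conn, employee_id: str) -> List[Tuple]:
    """Parse, then bind: the injection string is rejected as not a number, and
    a genuine ID is bound as an integer rather than spliced in."""
    uid = parse_employee_id(employee_id)
    if uid is None:
        return []
    sql = "SELECT userid, first_name, salary FROM employee WHERE userid = ?"
    return conn.execute(sql, (uid,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("login, vulnerable:  ", login_vulnerable(conn, "Alice", STRING_PAYLOAD))
    print("login, safe:        ", login_safe(conn, "Alice", STRING_PAYLOAD))
    print("profile, vulnerable:", view_profile_vulnerable(conn, NUMERIC_PAYLOAD))
    print("profile, safe:      ", view_profile_safe(conn, NUMERIC_PAYLOAD))
```

The concatenated login query becomes `... AND password = '' or 1=1 --'`, which is true for every row, so the vulnerable version returns all three user IDs and the parameterized version returns none. Parameterization fixes the injection but not the authorization question of whether the logged-in user may view the ID they supplied; that check has to be written separately.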

6) Database Backdoors

First enter 102 to get that user's information:

The input is not validated, so SQL injection is straightforward. Enter the injection 102; update employee set salary=500000: the semicolon ends the SELECT and the UPDATE runs as a second statement, raising the user's salary to 500000:
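Added example (not WebGoat's code): the stacked-statement backdoor above, reproduced in Python against a constructed two-row table. The vulnerable path concatenates the value into a script that may contain several statements; the hardened path parses the ID as a number and binds it to a single statement. The block also shows that a single-statement execute() refuses the trailing UPDATE even when concatenation is used, which is a second line of defence rather than a substitute for binding.

```python
import sqlite3
from typing import Dict, List, Tuple

# The exercise's input: a lookup that smuggles in a second statement.
BACKDOOR_PAYLOAD = "102; update employee set salary=500000"


def make_employee_table() -> sqlite3.Connection:
    """Constructed two-row table; not WebGoat's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (userid INTEGER PRIMARY KEY, name TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)",
                     [(101, "Alice", 55000), (102, "Bob", 45000)])
    return conn


def salaries(conn) -> Dict[int, int]:
    return dict(conn.execute("SELECT userid, salary FROM employee"))


def lookup_vulnerable(conn, user_input: str) -> None:
    """Concatenation plus a multi-statement API: the ';' in the input ends the
    SELECT and the attacker's UPDATE runs as a second statement. The UPDATE has
    no WHERE clause, so every row is changed, as in the lesson."""
    conn.executescript(f"SELECT * FROM employee WHERE userid = {user_input};")


def lookup_safe(conn, user_input: str) -> List[Tuple]:
    """Parse the ID as a number and bind it to one statement. The payload is
    not a number, so it never reaches the database at all."""
    try:
        uid = int(user_input)
    except ValueError:
        return []
    return conn.execute("SELECT userid, name, salary FROM employee WHERE userid = ?",
                        (uid,)).fetchall()


def single_statement_api_refuses(conn, user_input: str) -> bool:
    """Even the concatenating code cannot run a stacked statement through
    execute(): sqlite3 raises when more than one statement is passed, so the
    UPDATE is not executed. Returns True if the call was refused."""
    try:
        conn.execute(f"SELECT * FROM employee WHERE userid = {user_input}")
    except (sqlite3.Warning, sqlite3.Error):
        return True
    return False


if __name__ == "__main__":
    conn = make_employee_table()
    print("before:", salaries(conn))
    lookup_vulnerable(conn, BACKDOOR_PAYLOAD)
    print("after stacked UPDATE:", salaries(conn))

    conn = make_employee_table()
    print("safe lookup of payload:", lookup_safe(conn, BACKDOOR_PAYLOAD))
    print("safe lookup of 102:    ", lookup_safe(conn, "102"))
    print("execute() refused:     ", single_statement_api_refuses(conn, BACKDOOR_PAYLOAD))
    print("unchanged:", salaries(conn))
```

The one-statement-per-call rule is worth knowing because it is why some injection payloads from WebGoat "do not work" against other stacks: the injection is still there, and a different payload (a UNION, a subquery, or a time-based probe) would still succeed. Only the bound parameter removes the vulnerability.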

III. Reflections

This experiment is the last one of the semester; without my noticing, this semester's study has come to an end. Network attack and defence is one of our professional courses, the one with the widest range of computer applications and a relatively high degree of difficulty. The difficulty lies mainly in understanding the principles. Perhaps I have not learned that much on the technical side, but I understand the principles well enough to take the basic precautions and stop hackers from breaking into my computer by the most basic and easiest means. I have been lazy in my studies this semester, and I thank the teacher for the tolerance and understanding shown to me. I will try to take what I learned in class and apply it in the future!
