EXP9 Web Security Basics

Source: Internet
Author: User
Tags: sql injection, sql injection attack, csrf attack

Basic answer

(1) SQL injection attack principle, how to defend

    • The Web application does not check the legitimacy of user input, so an attacker can append additional SQL statements to a predefined query in the Web application and trick the database server into executing unauthorized arbitrary queries, thereby obtaining the corresponding data.

Blind SQL injections

    • Content-based SQL injection: first test whether blind injection is possible at all; information about the database is then inferred from the returned page content
    • Time-based SQL injection

Defense methods:
Detect and restrict the characters accepted in user input

(2) The principle of XSS attack, how to defend
Similar to SQL injection attacks: in SQL injection, user input is used to query, modify or delete data, while in XSS attacks the user's browser is controlled by inserted malicious script in order to obtain information about the user.

Defense methods:

    • Encoding: apply HTML entity encoding to user-entered data
    • Filtering: remove user-uploaded DOM attributes such as onerror, and remove user-uploaded style nodes, script nodes, IFRAME nodes, and so on.
    • Correction: rather than only encoding HTML entities directly, convert the input through a DOM parser and correct mismatched DOM tags.
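As an added example (not from the original post or from WebGoat), the encoding and filtering defenses above in Python: html.escape for output encoding, and a small allow-list sanitizer built on html.parser that drops script/style/iframe nodes with their contents, every on* attribute and javascript: URLs. The tag and attribute allow-lists are constructed for a comment field and are assumptions, not WebGoat's rules.

```python
import html
from html.parser import HTMLParser

DROP_TAGS = {"script", "style", "iframe"}          # removed together with their contents
ALLOWED_TAGS = {"b", "i", "p", "br", "a", "img"}   # constructed allow-list for a comment field
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}

def encode_for_html(user_text):
    """Encoding: make user data inert before it is placed in an HTML body or attribute."""
    return html.escape(user_text, quote=True)

class Sanitizer(HTMLParser):
    """Filtering: rebuild the markup, keeping only allow-listed tags and attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0        # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue               # event handlers such as onerror never survive
            if value.strip().lower().startswith("javascript:"):
                continue               # script URLs in href/src are dropped too
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=True))

def sanitize(markup):
    s = Sanitizer()
    s.feed(markup)
    s.close()
    return "".join(s.out)
```

Text inside the kept tags is re-encoded, so the two defenses compose: filtering removes active nodes, encoding neutralizes whatever text remains.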

(3) CSRF attack principle, how to defend
CSRF attack: makes users, without their knowledge, attack a system they are logged into; similar to phishing

Defense methods:

    • Check user submissions.
    • Do not expose users' private information.
    • Use POST operations.
    • Set the cookie's domain strictly.
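An added example (not from the original post or from WebGoat) of the defense methods above: a per-session CSRF token compared in constant time, an Origin/Referer check, POST-only state changes, and a tightly scoped SameSite cookie. SITE_ORIGIN, the SESSIONS store and the request dict layout are constructed for this demo.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://webgoat.example"   # constructed origin for this demo
SESSIONS = {}                              # session id -> per-session data (constructed store)

def new_session():
    """Create a session and give it its own random CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid

def session_cookie_header(sid):
    """Set-Cookie value: scoped to one path, unreadable by script, and never attached
    to requests that start on another site (SameSite=Strict)."""
    return f"JSESSIONID={sid}; Path=/WebGoat; HttpOnly; Secure; SameSite=Strict"

def same_origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN

def accept_request(req):
    """Decide whether a state-changing request is genuine. `req` is a constructed dict
    with method, headers, cookies and form. Returns (accepted, reason)."""
    if req["method"] != "POST":
        return False, "state changes must use POST"
    session = SESSIONS.get(req["cookies"].get("JSESSIONID"))
    if session is None:
        return False, "no session"
    origin = req["headers"].get("Origin") or req["headers"].get("Referer", "")
    if not same_origin(origin):
        return False, "cross-site origin"
    token = req["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf"]):
        return False, "missing or wrong CSRF token"
    return True, "ok"

def demo():
    """A genuine form post versus one auto-submitted from a malicious page: the browser
    attaches the victim's cookie to both, but only the genuine one carries the token."""
    sid = new_session()
    base = {"method": "POST", "cookies": {"JSESSIONID": sid}}
    genuine = dict(base, headers={"Origin": SITE_ORIGIN},
                   form={"csrf_token": SESSIONS[sid]["csrf"], "amount": "10"})
    forged = dict(base, headers={"Origin": "https://attacker.example"},
                  form={"amount": "10"})
    return accept_request(genuine), accept_request(forged)
```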
Experimental installation of WebGoat

0. A word before starting
    • At the beginning I followed a variety of online installation tutorials as well as the Readme tutorial (which is really practical); halfway through there was a mess of problems, which were all resolved in the end, until the last step, the actual installation of WebGoat: a long installation wait, and then an error prompt ...... (flips table)
    • Later I found that the tutorials I had searched for were all for WebGoat 7 and do not apply to the latest WebGoat 8, so the next step covers the installation method for WebGoat 8.
1. Configure the pre-installation environment
    • Confirm that JDK 8.0 or above is installed
    • Check with the command: java -version
    • If it is not installed, refer to an installation tutorial
2. Download the standalone installation version from the website
    • (The readme.md file came with the installation package from my earlier attempt to install from source)
    • https://github.com/WebGoat/WebGoat/releases
    • Start command: java -jar webgoat-server-<<version>>.jar (the default port is 8080)
    • For detailed steps refer to the WebGoat 8 installation tutorial above
    • Enter 127.0.0.1:8080/WebGoat in the browser to open WebGoat
    • Once WebGoat opens, the installation has succeeded

To experiment
    • Pm_silencer
    • monarchpm
Injection Flaws: SQL Injection (Advanced)
    • The content of this section is basic SQL injection and blind injection
    • After the lesson ...

Knowledge points

Basic injection
Union injection
Blind injection

Through UNION you can execute SQL queries across tables. Basically you can contaminate (inject) the query so that it also returns records from another table.

Select header, txt from news UNION all SELECT name, pass from
This query combines and returns all records from the news table and the members table.

Practice 1: Pulling data from other tables
    • Task: enter a SQL statement to find another table in the database and get the password for Dave from that table
    • Input statement: '; select * from user_system_data--
    • You can see Dave and his password.
    • If you find this table uncomfortable to read, you can also query: '; select password from user_system_data where user_name='dave'
    • Verify
    • The experiment succeeded (laughing and crying QAQ)
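An added example (not from the original post or from WebGoat) covering both the principle and defense in (1) above and the UNION injection this practice uses: the same lookup written with string concatenation and with a parameterized placeholder, run against a constructed in-memory SQLite database that stands in for the lesson's employees and user_system_data tables (schema, rows and passwords are all constructed).

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the lesson's tables (not WebGoat's schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE employees (userid INTEGER, first_name TEXT, last_name TEXT);
        INSERT INTO employees VALUES (101, 'Dave', 'Smith');
        INSERT INTO employees VALUES (102, 'Tom', 'Cat');
        CREATE TABLE user_system_data (user_name TEXT, password TEXT);
        INSERT INTO user_system_data VALUES ('dave', 'constructed-pw-1');
        INSERT INTO user_system_data VALUES ('tom', 'constructed-pw-2');
    """)
    return con

def lookup_vulnerable(con, last_name):
    """Query built by string concatenation: the input becomes part of the SQL grammar,
    so a closing quote followed by UNION appends a second SELECT over another table."""
    sql = ("SELECT first_name, last_name FROM employees WHERE last_name = '"
           + last_name + "'")
    return con.execute(sql).fetchall()

def lookup_parameterized(con, last_name):
    """Same lookup with a placeholder: the driver passes the value separately, so it
    can only ever be compared against last_name, never parsed as SQL."""
    sql = "SELECT first_name, last_name FROM employees WHERE last_name = ?"
    return con.execute(sql, (last_name,)).fetchall()

# The UNION shape described in the lesson text; the trailing -- comments out the
# closing quote the application appends. Both SELECTs must have the same column count.
PAYLOAD = "' UNION ALL SELECT user_name, password FROM user_system_data--"

def demo():
    con = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(con, "Smith"),
        "vulnerable_payload": lookup_vulnerable(con, PAYLOAD),
        "parameterized_payload": lookup_parameterized(con, PAYLOAD),
    }
```

With the placeholder the payload is just a last name nobody has, so the result is empty; the defense needs no character blacklist at all.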

Practice 2: Blind SQL Injections (pending)
    • Classification of blind SQL injections
    • Content-based SQL injection: first test whether blind injection is possible at all; information about the database is then inferred from the returned page content
    • Time-based SQL injection

Experimental process:

Confirm which input box can be used for a blind attack
    • (1) Tried blind SQL injection in the registration section; the mailbox input box cannot be used for blind injection
    • (2) Tried blind SQL injection in the login module; also invalid
    • (3) Tried to register an account named Tom; the response said user Tom already exists, indicating that Tom is in a data table
    • (4) Tried to register an account named ' and 1=1--' as a blind probe (the condition evaluates false): it showed registration success??
    • (5) Tried to register an account named ' or 1=1--' as a blind probe (the condition evaluates true): it showed that the account already exists
    • This confirms that the registration input box can be used for a blind injection attack
    • Also, during the attempts, a message said the input length cannot be greater than 30

Confirm which data table is queried
    • Forgive the blogger, who is only a SQL semi-beginner QAQ; this step was tried for a long time without success
Use the registration input box for blind injection
    • If the step above works, the planned next steps are:
    • Passtom' and (substring((select 密码 from 数据表 where 用户名='tom'),1,1)='a';--
      Keep trying until Tom's password is obtained
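From the defender's side, an added example (not from the original post) that turns the probes walked through above into detection logic: it URL-decodes constructed registration submissions, flags the AND/OR constant-condition pair and substring-extraction predicates, and reports clients that sent both halves of the true/false pair. The log line format, client addresses and field names are constructed, not WebGoat's.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample of registration submissions, one per line: "<client> <form body>".
# Not WebGoat's log format; the values mirror the probes described above.
SAMPLE_LOG = [
    "10.0.0.5 username_reg=alice&email_reg=alice%40example.com",
    "10.0.0.7 username_reg=tom&email_reg=tom%40example.com",
    "10.0.0.7 username_reg=%27+and+1%3D1--&email_reg=tom%40example.com",
    "10.0.0.7 username_reg=%27+or+1%3D1--&email_reg=tom%40example.com",
    "10.0.0.7 username_reg=tom%27+and+%28substring%28%28select+password+from+"
    "user_system_data+where+user_name%3D%27tom%27%29%2C1%2C1%29%3D%27a%27%29--",
]

# Signatures for the three probe shapes: the AND/OR constant-condition pair and a
# character-extraction predicate. Case-insensitive and tolerant of extra whitespace.
PATTERNS = {
    "and_1eq1": re.compile(r"'\s*and\s+1\s*=\s*1", re.I),
    "or_1eq1": re.compile(r"'\s*or\s+1\s*=\s*1", re.I),
    "char_extract": re.compile(r"'\s*and\s*\(?\s*(substring|substr|ascii)\s*\(", re.I),
}

def classify(value):
    """Names of the probe signatures matched by one decoded form value."""
    return [name for name, rx in PATTERNS.items() if rx.search(value)]

def scan(lines):
    """Map each client to the set of probe types seen across all of its fields."""
    hits = defaultdict(set)
    for line in lines:
        client, _, body = line.partition(" ")
        for values in parse_qs(body, keep_blank_values=True).values():
            for value in values:
                hits[client].update(classify(value))
    return hits

def blind_probers(hits):
    """Clients that sent both halves of the true/false pair: the two-response comparison
    boolean-based blind injection relies on, which a single-line rule would miss."""
    return sorted(c for c, kinds in hits.items() if {"and_1eq1", "or_1eq1"} <= kinds)
```

Matching on decoded values matters: the same probe arrives as %27+and+1%3D1 on the wire, so a rule applied to the raw query string would miss it.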
Follow-up
    • This was my initial problem-solving idea; I got stuck on the second step, and later searched the internet and found an approach
    • The earlier part of that approach is roughly the same as mine, confirming that the sign-in box is vulnerable to blind SQL injection; for what to do afterwards it gives a suggestion (which seemingly did not work out?)
    • When I replace WebGoat with the development version, I will try again ...

Injection Flaws: SQL Injection
    • After the lesson ...

Practice 3: String SQL Injection
    • The questions and answers are like those in the tutorial on the previous page; refer to that module
Practice 4: Numeric SQL Injection
    • The questions and answers are like those in the tutorial on the previous page; refer to that module
Injection Flaws: XXE Injection
    • Attack using the XXE (XML External Entity) vulnerability
    • User input is parsed as XML by the program
    • XML is often used as the storage format for program configuration files and data

    • XML entity classification
    • Internal entities
    • External entities (the kind used here)
    • Parameter entities

    • Auxiliary Tutorials

Practice 5: XXE Injection
    • This lesson lets users comment on an image; the task is to list the server's root directory using the XXE injection vulnerability.
    • The way to do this is to build an XML document that reads the /etc/passwd file, as follows:

      <?xml version='1.0'?><!DOCTYPE any[<!ENTITY reborn SYSTEM "file:///etc/passwd">]><comment><text>&reborn;</text></comment>
    • This will eventually display the value that &reborn; expands to in the comment
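An added example (not from the original post; WebGoat itself is Java, this uses Python's standard-library expat) of how the comment endpoint can refuse the document above: any DOCTYPE aborts the parse before the ENTITY declaration is read, so file:///etc/passwd is never opened. BENIGN and ENTITY_DOC are constructed inputs.

```python
import xml.parsers.expat as expat

class DTDNotAllowed(ValueError):
    """Raised when a comment document carries a DOCTYPE (and so possibly entities)."""

def parse_comment(xml_text):
    """Return the <text> content of a <comment> document, refusing any DTD.
    expat fires StartDoctypeDeclHandler before it reads the internal subset, so the
    ENTITY declaration is never processed and nothing is fetched from disk or the
    network; ExternalEntityRefHandler is pinned to 'refuse' as a second layer."""
    parser = expat.ParserCreate()
    state = {"in_text": False, "chunks": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDNotAllowed(f"DOCTYPE '{name}' is not allowed in a comment")

    def on_start(tag, attrs):
        state["in_text"] = tag == "text"

    def on_end(tag):
        state["in_text"] = False

    def on_data(data):
        if state["in_text"]:
            state["chunks"].append(data)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_data
    parser.ExternalEntityRefHandler = lambda *args: 0   # a false return aborts the parse
    parser.Parse(xml_text, True)
    return "".join(state["chunks"])

def try_parse(xml_text):
    """Wrap parse_comment so callers get a (status, detail) pair instead of exceptions."""
    try:
        return "ok", parse_comment(xml_text)
    except DTDNotAllowed as err:
        return "rejected", str(err)
    except expat.ExpatError as err:
        return "malformed", str(err)

# Constructed inputs: a benign comment and the /etc/passwd entity document from above.
BENIGN = '<?xml version="1.0"?><comment><text>nice picture</text></comment>'
ENTITY_DOC = ('<?xml version="1.0"?><!DOCTYPE any [<!ENTITY reborn SYSTEM '
              '"file:///etc/passwd">]><comment><text>&reborn;</text></comment>')
```

The same rule is what DocumentBuilderFactory's disallow-doctype-decl feature enforces in Java: a comment never needs a DTD, so refusing all of them costs nothing.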

However, since I cannot modify these, I try to enter them in the input box.

</text></comment><?xml version="1.0"?><comment><!DOCTYPE any[<!ENTITY reborn SYSTEM "file:///etc/passwd">]></comment><text>&reborn;

I made the changes, but judging from the results this XML syntax does not pass ...

    • Then I created a new XML file on my own machine to test.
    • It says the XML declaration can only be placed at the beginning of the file, so what I wrote is invalid
    
    • Remove the second one and try again.
    • Is there a module at the back that repeats?
    • Try with only one comment module
    • It seems so.

    • Try again in the input box:

      </text></comment><comment><!DOCTYPE any[<!ENTITY reborn SYSTEM "file:///etc/passwd">]></comment><text>&reborn;
    • Still not ..., this one will have to be shelved.
    • Expected effect
    • Resources

Authentication Flaws: JWT Tokens
    • JWT token format: header.claims.signature
    • Attack principle: in step 5 you can get the relevant information
Practice 6: JWT Cracking
    • Decoding it on a Base64 decoding website gives the following:
    • You can see that this user is Tom, who has supervisor authority and is the project owner
    • The task requires a different user, re-signed and then entered, but the question is how to get the private key ..., and which data table this queries ...
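An added example (not from the original post or from WebGoat) of the format above: a token is built as header.claims.signature, its claims are decoded without verification (what the Base64 site shows), and then verified. Editing the claims or switching alg to none fails verification, which is why the key the author asks about is the one thing the server must keep secret. The key and claims are constructed.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(claims: dict, key: bytes) -> str:
    """Build header.claims.signature with an HMAC-SHA256 over the first two segments."""
    header, body = _segment({"alg": "HS256", "typ": "JWT"}), _segment(claims)
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def decode_unverified(token: str) -> dict:
    """What a Base64 decoding site shows: the claims are plain data, readable by anyone."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_hs256(token: str, key: bytes):
    """Return the claims only if the signature matches; None for tampered tokens and
    for tokens that try to switch the algorithm (e.g. alg=none) to skip the check."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(body_b64))

def demo():
    """A valid token, the same token with its claims edited, and an alg=none variant.
    The key is constructed for this demo; a real server keeps its key secret."""
    key = b"constructed-demo-key"
    token = sign_hs256({"user": "Tom", "role": "user"}, key)
    header, _, sig = token.split(".")
    edited = f"{header}.{_segment({'user': 'Tom', 'role': 'admin'})}.{sig}"
    alg_none = f"{_segment({'alg': 'none'})}.{_segment({'user': 'Tom', 'role': 'admin'})}."
    return key, token, edited, alg_none
```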

Authentication Flaws: Password Reset
Practice 7: Security Questions
    • Problem description
    • Get another user's password from a known user name and password
    • Try it based on the known information.
Cross-site Scripting (XSS): Cross Site Scripting
    • By inserting malicious code into a page link, the attacker can steal user information when the victim browses the page.
    • Classification: persistent (stored) cross-site, non-persistent (reflected), and DOM-based cross-site.
Practice 8: Using Chrome or Firefox

The task: open a tab with the same URL as the current page, enter javascript:alert(document.cookie); in both tabs, and see what the two cookies are.

    • You can see that their JSESSIONID values are the same.

Practice 9: Reflected XSS

The task is to find an input box where an XSS attack can be used

    • The attempt succeeded

Insecure Deserialization: Insecure Deserialization
Knowledge points

What is serialization
Deserialization is the opposite of the former.

    • Only data is serialized. Code itself is not serialized.
    • Deserialization creates a new object and copies all the data from the byte stream.
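An added example (not from the original post; WebGoat's lesson uses Java serialization, this uses Python's pickle) of the point above: the byte stream names the class to instantiate, so a restricted unpickler allows only the classes the service expects and refuses everything else before any object is created. Point, ALLOWED and the sample streams are constructed.

```python
import io
import pickle

class Point:
    """Constructed example of a type the service legitimately expects to receive."""
    def __init__(self, x, y):
        self.x, self.y = x, y
    def __eq__(self, other):
        return isinstance(other, Point) and (self.x, self.y) == (other.x, other.y)

# Only these (module, class) pairs may be instantiated from a stream; everything else
# the stream names is refused before any object of that class is created.
ALLOWED = {(Point.__module__, "Point")}

class RestrictedUnpickler(pickle.Unpickler):
    """find_class is consulted for every class the byte stream references."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to deserialize {module}.{name}")

def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def try_load(data: bytes):
    """(status, value-or-reason) so the caller never sees a half-built object."""
    try:
        return "ok", restricted_loads(data)
    except pickle.UnpicklingError as err:
        return "rejected", str(err)

def sample_streams():
    """Constructed byte streams: our own type, plain data, and a foreign class."""
    import collections
    return {
        "point": pickle.dumps(Point(3, 4)),
        "plain": pickle.dumps({"scores": [1, 2, 3]}),
        "foreign": pickle.dumps(collections.OrderedDict(a=1)),
    }
```

Plain containers (dict, list, str) never go through find_class, so the allow-list only has to name the application's own types.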
Request Forgeries: Cross-Site Request Forgeries
    • CSRF: CSRF occurs when a malicious website causes a user's browser to perform a harmful action on a trusted site.

    • In contrast to XSS: XSS exploits a user's trust in a particular site, while CSRF exploits a site's trust in a user.

    • Learn more about

Client Side: Client Side Filtering
    • Client-side filtering
    • Tutorial reference
Practice 10: Salary Manager
    • The task is to find the hidden manager information
    • Method: view the source code, where the table contents correspond to the code
