EXP9 Web Security Fundamentals 20154305 Qi Shuai One, the experiment requires the objective of this practice to understand the basic principles of commonly used network attack technology. Webgoat in practice related experiments:
FQ
Webgot
Burpsuite
Injection Flaws
Cross-site Scripting
Ii. practice Process 1. Installing Webgoat
WebGoat是由著名的OWASP负责维护的一个漏洞百出的J2EE Web应用程序,这些漏洞并非程序中的bug,而是故意设计用来讲授Web应用程序安全课程的。这个应用程序提供了一个逼真的教学环境,为用户完成课程提供了有关的线索。因为WebGoat是基于java开发的软件,所以需要JDK环境,还需要下载一个WebGoat.jar包.
As for the download of this Webgoat.jar package really took a long time, because the Internet to find the download link has been wall, this link you can try it, the last fee Dickens turned over the wall, download good jar and JDK I put in the Baidu Cloud.
Take a look ha, I really fq, now but the situation of crackdown, I free FQ is not easy ah ~fq software called blue Light, also quite reliable, ha ha ~
When the jar package is downloaded, put it in Kali and type
java -jar *.jar
Wait for it, * for the file name.
Open Firefox, type
127.0.0.1:8080/WebGoat
(note case), register a user can be ~
Sad, is all in English, I really big head ~ also need to rely on translation software understanding is not a word of things ...
2.Injection Flaws
The problem is that you enter your name and you get relevant information.
As above, use the universal formula to get all the information of everyone ~ Note that this is a string injection. The next question is to enter the user ID to get information, as well as enter a permanent, digital injection, get all the information.
SQL Injection Advanced:
The request through Smith's information union to get Dave's password, according to the prompt information can be Stored User password table named User_system_data, listed as password. First type
Smith‘ order by 7--
, as below, can get the correct feedback information
Type
Smith‘ order by 8--
, get error feedback, stating that the number of columns is 7.
Based on the above information, type
Smith‘ union select null,null,null,null,null,null,null from user_system_data --
The federated query determines the location of the data echo.
Type
Smith‘ union select null,user_name,password,null,null,null,null from user_system_data --
Gets the password for Dave.
Input
Dave
The password, correct ~
3.BurpSuite
BurpSuite是用于攻击web应用程序的集成平台。它包含了许多工具,并为这些工具设计了许多接口,以促进加快攻击应用程序的过程。所有的工具都共享一个能处理并显示HTTP消息,持久性,认证,代理,日志,警报的一个强大的可扩展的框架。通过代理服务器可以截获http报文进行修改。
Kali himself with this thing, the program inside a search on the line, open.
To configure the native Burpsuite, select Add in Proxy->option:
To set up a browser for proxy:
4.cross-site scripting the problem is that you open two of the same page, and then insert a section of JS code, display a cookie, compare the two values are the same:
After comparison, two values are the same, so enter Yes, through ~!
The first step is to ask you to find the coupon code in a shopping cart payment interface, give yourself a discount
As above, we look at the source code of the Web page to find the function of judging the coupon. Find coupon Specific functions:
View Coupon Value: PLATINUM
Enter the coupon code in the payment interface to complete the first step:
The second step, the requirements of the whole free, directly change the value of 0 ah, ha ha.
Can see really don't have money, finish. It's amazing.
Third, the loophole principle and prevention 1. SQL injection-The principle is that by inserting a SQL command into a Web form to submit or entering a query string for a domain name or page request, the result is to spoof the server to execute a malicious SQL command. Specifically, it is the ability to inject (malicious) SQL commands into the background database engine execution using existing applications, which can be obtained by entering (malicious) SQL statements in a Web form to a database on a Web site that has a security vulnerability, rather than executing the SQL statement as the designer intended. -Defense (1) Check the variable data type and format if your SQL statement is similar to where id={$id}, and all the IDs in the database are numbers, then you should check to make sure that the variable ID is int type before SQL is executed, and if you accept the mailbox, Then you should check and strictly ensure that the variable must be the format of the mailbox, other types such as date, time and so on is also a reason. Summing up: As long as there are fixed-format variables, before the SQL statement execution, you should strictly follow the fixed format to check, to ensure that the variables are the format we expected, which can largely avoid SQL injection attacks. (2) Filter special symbols for variables that cannot be determined in a fixed format, be sure to filter or escape special symbols. In PHP, for example, the Addslashes function is usually used, which adds a backslash escape before the specified predefined character, which is the single quotation mark (') Double quotation mark (") backslash () NULL. (3) Binding variables, using precompiled statements MySQL's MYSQLI driver provides support for precompiled statements, and different programming languages, each with a method of using precompiled statements. The advantage of this is that if I enter the password: ' or 1 = ' 1, then he will only be treated as a password and will not be associated with the other structure of the SQL statement 2. XSS attack-The principle that a malicious attacker inserts malicious script code into a Web page, and the program does not filter the user's input, and when the user browses to the page, the script code embedded inside the Web is executed to achieve the special purpose of the malicious attacker. -Defense One method is to filter the required parameters before the form submission or URL parameters are passed, the input aspects of all user submissions for reliable input validation, the submission includes URLs, query keywords, HTTP headers, post data, etc. in the output, in the user's input content use
<XMP>
tags, the contents of the label will not be explained, directly displayed. Strictly enforce character input word control, because the XSS code is often many, so the number of characters to control 3. csrf-principle Cross-site request forgery, an attacker steals your identity and sends a malicious request in your name. The things that CSRF can do include: sending emails in your name, texting, stealing your account, and even buying goods, problems with virtual currency transfers include: personal privacy leaks and property security. -Defense (1) The verification code can be included in some sensitive operation, the verification code to confirm the user identity (2) TOKENCSRF can attack success, the root cause is: the operation of the parameters are assumed by the attacker. Now that we know the root cause, we have the right remedy and use token. When passing parameters to the server, take the token. This token is a random value and is held by both the server and the user. When a user submits a form with a token value, the server can verify that the token in the form and session is consistent. Iv. Experimental Summary and Impressions webgoat link, jdk link, blue light FQ link. This experiment is also the last experiment, I think it is the most difficult of the most difficult of the most difficult, first because the page (i) is (the) (English) English () () (The) (bad), increased the difficulty of the experiment, completely rely on the translation software in the life, followed by my webgoat version is relatively new, and seniors learn elder sister's not the same , did not have the reference system, can only oneself in there diligently study, finally that CSRF really does not come out. But I think my success of FQ download jar package or can add a point, I handed this early is to provide the convenience of the students in the experimental environment ~ ~ Capacity is limited please forgive me. Do so many network attack and defense experiments, really harvest a lot, are able to see the actual effect of the danger, loopholes, backdoor, virus, network security really need us to pay attention to, but also enhance my security awareness, since the back door after the experiment I put my computer camera glued up, At the same time, this course has stimulated my interest in cyber security, and I will pay more attention to this information and events in future study and work life. The teacher of this course is also different, more humane, ha ha, emmm ... Also very interesting ~ ~ ~ Life is endless, struggle not only.
EXP9 Web Security Basics