20165229 NetSec Exp9 Web security infrastructure

I. Overview of the experiment

0. WebGoat preparation
(1) SQL injection attacks
1. Command Injection
2. Numeric SQL Injection
3. Log Spoofing
4. String SQL Injection
5. LAB: SQL Injection
6. Database Backdoors
7. Blind Numeric SQL Injection
8. Blind String SQL Injection
(2) XSS attacks
1. Phishing with XSS
2. Stored XSS Attacks
3. Reflected XSS Attacks
(3) CSRF attacks
1. Cross Site Request Forgery (CSRF)
2. CSRF Prompt By-Pass

II. Experiment content

0. WebGoat preparation

  • Since the download was too slow, I got a copy of webgoat-container-7.0.1-war-exec.jar from a classmate.
  • Change into the directory holding the file and run java -jar webgoat-container-7.0.1-war-exec.jar to start WebGoat. When the message Starting ProtocolHandler ["http-bio-8080"] appears at the end of the output, WebGoat is up and listening on port 8080. Note: the terminal must not be closed during the experiment.

  • Enter http://localhost:8080/WebGoat in the browser to reach the WebGoat login page, and log in directly with the default username and password.

(1) SQL injection attacks

  • SQL injection is one of the most common ways attackers go after a database. As B/S (browser/server) application development has spread, more and more programmers write applications in this model, but their skill and experience vary, and a large share of the code they write never checks whether user input is legitimate, which leaves the application at risk. A user can submit input that the program embeds in its database query and, from what the program returns, obtain data he was not meant to see. This is SQL Injection.

1. Command Injection

  • Goal: execute arbitrary system commands on the target host.
  • Click Injection Flaws -> Command Injection in the left bar, right-click the drop-down box and choose Inspect Element to open the page source for editing. Click the small blue arrow to expand the option list, double-click the AccessControlMatrix.help entry, and append "& netstat -an & ipconfig" to the end of its value.

  • Click View at the top right. The output now lists the network port usage and the IP addresses of the host, so the attack succeeded.
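The lesson works because the selected help-file name is concatenated into a command line that is handed to a shell. The following Python example is added here and is not WebGoat's code: it models that pattern on a POSIX system (so cat stands in for the Windows type command and ; plays the role the & separator played above), runs the payload against a temporary directory constructed for the example, and then shows the hardened version, which allow-lists the file name, checks the resolved path and passes an argument vector with no shell at all. The directory layout, file name and content are assumptions.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Constructed stand-in for the lesson's help-file directory: a temporary
# directory holding one help file (assumed name and content, not WebGoat's).
HELP_DIR = Path(tempfile.mkdtemp())
(HELP_DIR / "AccessControlMatrix.help").write_text("Access Control Matrix help text\n")


def build_vulnerable_command(help_file: str) -> str:
    """The drop-down value is pasted straight into a shell command line, the
    way the lesson does (assumed shape; POSIX 'cat' instead of Windows 'type')."""
    return f"cat {HELP_DIR}/{help_file}"


def run_vulnerable(help_file: str) -> str:
    # shell=True hands the string to /bin/sh, which honours ';', '&', '|' and
    # friends, so anything after the file name runs as its own command.
    result = subprocess.run(build_vulnerable_command(help_file),
                            shell=True, capture_output=True, text=True)
    return result.stdout


HELP_NAME = re.compile(r"[A-Za-z0-9_]+\.help")


def validate_help_file(help_file: str) -> Path:
    """Allow-list the name, then confirm the resolved path stays inside HELP_DIR."""
    if not HELP_NAME.fullmatch(help_file):
        raise ValueError(f"rejected help file name: {help_file!r}")
    path = (HELP_DIR / help_file).resolve()
    if path.parent != HELP_DIR.resolve():
        raise ValueError("path escapes the help directory")
    return path


def run_hardened(help_file: str) -> str:
    # No shell: the argument vector goes to execve as-is, so shell
    # metacharacters in help_file are just bytes of a file name.
    path = validate_help_file(help_file)
    result = subprocess.run(["cat", str(path)], capture_output=True,
                            text=True, check=True)
    return result.stdout


def is_rejected(help_file: str) -> bool:
    """True when the hardened validator refuses the name."""
    try:
        validate_help_file(help_file)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_vulnerable("AccessControlMatrix.help; echo INJECTED"))
    print(is_rejected("AccessControlMatrix.help; echo INJECTED"))
```

Note that quoting the file name inside the shell string is not a fix either: an attacker closes the quote and continues. Only keeping the shell out of the picture, plus a strict allow-list on the value, removes the problem.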

2. Numeric SQL Injection

  • Goal: display all of the weather data.
  • Click Injection Flaws -> Numeric SQL Injection,
    right-click the drop-down box with Columbia selected and choose Inspect Element to open the source. Edit value="101" so that " or 1=1" follows the city number 101.
  • Click Go; the attack succeeds and every station's weather is returned.

3. Log Spoofing

  • Goal: make the log show a successful login for the admin user.
  • Click Injection Flaws -> Log Spoofing,
    and in the User Name field enter webgoat%0d%0aLogin Succeeded for username: zkj20165229. The URL-encoded carriage return and line feed (%0d%0a) make the single log entry span two lines.
  • Leave the password at its default value and click Login. webgoat is shown on the Login Failed line, and the statement we added, zkj20165229, is displayed on the next line.
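The same effect, reproduced in Python as an added example (not the lesson's code): the vulnerable logger writes the decoded form value straight into the log line, so the CR/LF inside it starts a second, attacker-authored record; the safe variant neutralises the line terminators and caps the field length before logging. The log format and the 64-character cap are assumptions.

```python
from urllib.parse import unquote

# Constructed log sink standing in for the lesson's log file.
LOG = []


def log_login_vulnerable(username_param: str, succeeded: bool = False) -> str:
    """Log the attempt the way the lesson does: the form value goes into the
    log line untouched, so CR/LF inside it begins a new, attacker-written line."""
    username = unquote(username_param)  # the web server decodes %0d%0a to \r\n
    status = "Succeeded" if succeeded else "Failed"
    line = f"Login {status} for username: {username}"
    LOG.append(line)
    return line


def neutralize(value: str) -> str:
    # Replace the line terminators so they stay visible but cannot break the
    # record; a length cap (assumed: 64) keeps one field from flooding the log.
    value = value.replace("\r", "\\r").replace("\n", "\\n")
    return value[:64]


def log_login_safe(username_param: str, succeeded: bool = False) -> str:
    """Same log line, but the user-controlled field is neutralised first."""
    username = neutralize(unquote(username_param))
    status = "Succeeded" if succeeded else "Failed"
    line = f"Login {status} for username: {username}"
    LOG.append(line)
    return line


def entries(line: str) -> list:
    """What a log reader sees: one record per physical line."""
    return line.splitlines()


# The payload typed into the User Name field in the lesson.
PAYLOAD = "webgoat%0d%0aLogin Succeeded for username: zkj20165229"

if __name__ == "__main__":
    print(entries(log_login_vulnerable(PAYLOAD)))
    print(entries(log_login_safe(PAYLOAD)))
```

The important property is that a reader of the log (a person, a SIEM parser, a grep) cannot tell the forged second record from a genuine one, which is why the fix belongs at the point where the untrusted value enters the log, not in the reader.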
4. String SQL Injection
  • Goal: based on the query statement, construct your own SQL injection string so that all credit card information is displayed.
  • Click Injection Flaws -> String SQL Injection and enter zkj' or 1=1-- as the user name to query.
    The ' closes the quoted string early, 1=1 is an always-true condition that is inserted, and -- comments out whatever follows, so the SELECT returns every row in the table.
5. LAB: SQL Injection
  • Goal: bypass authentication with SQL injection.
  • Click Injection Flaws -> LAB: SQL Injection and enter ' or 1=1 -- in the password box. The login fails, and only part of the password was accepted, which shows that the password length is limited.

  • Right-click Password, choose Inspect Element, and change the maximum input length allowed for the password field.

  • Enter ' or 1=1 -- again; the login succeeds.

(2) XSS attacks

Stored XSS Attacks
  • Common on forums and other message boards: a user creates a message with illegal content, namely a piece of JavaScript, which is saved in the database. Whenever any user opens the page, the script is fetched from the database and executed, which can send other users to unexpected pages or content.

  • Click XSS -> Stored XSS Attacks, enter 20165229 as the Title and <script>alert("20165229 attack succeed hhhhh!");</script> in the Message box of the message board, then submit. Opening the stored message runs the script and shows the alert.

(3) CSRF attacks

Cross Site Request Forgery (CSRF)
  • CSRF exploits a trusted website by forging requests that appear to come from a trusted user. Goal: send a message to a newsgroup that contains an image whose URL points at a malicious request.
  • Click XSS -> Cross Site Request Forgery (CSRF) and note the Screen and menu values listed under Parameters at the bottom of the page (330 and 900 here).

  • In the Message box enter an image tag whose URL is the lesson's attack URL with those Screen and menu parameters and &transferFunds=5229 appended, and with width and height set to 1 pixel.
    Placed in the message as an image, the URL is invisible to other users; as soon as a user's browser displays the message it requests the image and the CSRF request fires. &transferFunds=5229 is the amount taken from the victim, and the 1-pixel size hides the image.

  • Click Submit; a link named after the Title appears in the Message List. Clicking the link loads the message into the current page, the hidden image is requested with the victim's own session, and the transferFunds amount is moved out of the victim's account: the CSRF attack has succeeded.

III. Questions and answers

(1) How SQL injection works, and how to defend against it

SQL injection means inserting SQL commands into a web form submission, an input field, or the query string of a page request, so that the server is tricked into executing malicious SQL.

A SQL injection attack exploits a design flaw to run SQL statements of the attacker's choosing on the target server, and from there to mount further attacks. The main reason it succeeds is that user input is not validated when SQL statements are generated dynamically.

Take a login as an example. The SQL statement is usually select id from users where username = '"+username +"' and password = '" + password +"', where username and password are the values read from the web form. If we enter ' or 1=1-- in the username box, the statement that gets executed becomes select id from users where username = '' or 1=1-- and password = '', and the always-true condition matches every user while the comment discards the password check.

The main defences against SQL injection are:

  • Close or remove interactive form submission pages that are not needed;

  • Filter the code at the injection point and filter SQL injection keywords, so that the code meets a security standard;

  • Do not keep backup files on the server, so that they cannot be infected, and so that a vulnerable backup does not become an entry point.

  • Filtering keywords is only a partial measure and can be bypassed; the reliable fix is to keep user data out of the SQL text altogether by using parameterised queries (prepared statements) with bound variables.
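The three injections from the experiment (Numeric SQL Injection, String SQL Injection and the LAB login bypass) and the login example in the answer above all come from the same mistake, user input concatenated into the query text. The following Python/sqlite3 example is added here and is not WebGoat's code: it builds an in-memory database with constructed rows modelled loosely on the lesson tables, runs each payload against a vulnerable query, and then shows the parameterised version, where the same payloads match nothing. Table and column names, the sample data, the plaintext passwords and the 16-character password limit are all assumptions for the example.

```python
import sqlite3

# Constructed sample rows, modelled loosely on the WebGoat lesson tables;
# every name, station and card number here is made up for this example.
WEATHER = [(101, "Columbia", "MD"), (102, "Seattle", "WA"), (103, "New York", "NY")]
USER_DATA = [(1, "Joe", "Snow", "987654321"), (2, "Zhang", "zkj", "2234200065411")]
USERS = [(1, "admin", "s3cret-admin-pw"), (2, "webgoat", "webgoat")]  # plaintext only to keep the demo short

MAX_PASSWORD_LEN = 16  # assumed limit; enforced here on the server, not by an HTML maxlength


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE weather_data(station INTEGER, name TEXT, state TEXT);
        CREATE TABLE user_data(userid INTEGER, first_name TEXT, last_name TEXT, cc_number TEXT);
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
    """)
    conn.executemany("INSERT INTO weather_data VALUES (?, ?, ?)", WEATHER)
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?, ?)", USER_DATA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


# --- the vulnerable pattern: user input concatenated into the query text ---

def weather_vulnerable(conn, station):
    # Numeric injection: the station id is pasted in unquoted, so
    # "101 or 1=1" becomes part of the WHERE clause.
    sql = f"SELECT name FROM weather_data WHERE station = {station} ORDER BY station"
    return [row[0] for row in conn.execute(sql)]


def cards_vulnerable(conn, last_name):
    # String injection: "zkj' or 1=1--" closes the quote early, adds an
    # always-true condition and comments out the trailing quote.
    sql = f"SELECT cc_number FROM user_data WHERE last_name = '{last_name}'"
    return [row[0] for row in conn.execute(sql)]


def login_vulnerable(conn, username, password):
    # Authentication bypass: "' or 1=1 --" in the password field turns the
    # predicate into (username = ... AND password = '') OR 1=1.
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


# --- the fix: parameterised queries keep data out of the SQL text ---

def cards_safe(conn, last_name):
    sql = "SELECT cc_number FROM user_data WHERE last_name = ?"
    return [row[0] for row in conn.execute(sql, (last_name,))]


def login_safe(conn, username, password):
    # The length check lives on the server, where the client cannot edit it
    # away; the bound parameters are what actually stop the injection.
    if len(password) > MAX_PASSWORD_LEN:
        return None
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = setup_db()
    print(weather_vulnerable(db, "101 or 1=1"))
    print(cards_vulnerable(db, "zkj' or 1=1--"))
    print(login_vulnerable(db, "admin", "' or 1=1 --"))
    print(cards_safe(db, "zkj' or 1=1--"), login_safe(db, "admin", "' or 1=1 --"))
```

The LAB step where the HTML maxlength was edited away shows why login_safe enforces the length on the server: anything the browser enforces is under the attacker's control. The limit is still not the defence, since ' or 1=1 -- fits comfortably inside 16 characters; the bound parameter is.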

(2) How XSS works, and how to defend against it
  • Browsers have shipped filters that recognise simple XSS attack strings and block them, but such filters cannot be relied upon (Chrome, for one, has since removed its XSS Auditor). Fundamentally the solution is to eliminate the site's XSS vulnerabilities, which requires the developers to escape special characters in output, among other measures.

  • One rule: never trust any data the user enters.
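The Stored XSS step in the experiment and the answer above meet in the rendering code. The following Python example is added here and is not WebGoat's code: a constructed in-memory message board stores the exact payload from the lesson, renders it once by splicing the text into the page (the vulnerable pattern) and once by escaping it for the HTML element context. It goes one step beyond the lesson with safe_href, because escaping alone does not make a user-supplied URL safe inside an href attribute. The store, the markup template and the helper names are assumptions.

```python
import html
from urllib.parse import urlsplit

# Constructed in-memory message store standing in for the lesson's message board.
MESSAGES = []


def post_message(title, message):
    """Store the message exactly as submitted and return its index. Storing
    raw text is fine; the vulnerability is created at render time."""
    MESSAGES.append({"title": title, "message": message})
    return len(MESSAGES) - 1


def render_unsafe(index):
    # Stored XSS: the stored text is spliced into the page as markup, so a
    # <script> typed by one user runs in every reader's browser.
    msg = MESSAGES[index]
    return f"<h3>{msg['title']}</h3><p>{msg['message']}</p>"


def render_safe(index):
    # Escape on output for the HTML element context: < > & " ' become entities
    # and the browser shows the script as text instead of executing it.
    msg = MESSAGES[index]
    return f"<h3>{html.escape(msg['title'])}</h3><p>{html.escape(msg['message'])}</p>"


def safe_href(url):
    """Escaping alone does not make a URL safe inside href: 'javascript:'
    contains no special characters. Allow only http(s) links, then escape."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def contains_active_script(page_html):
    """Crude check used for this example: does a raw <script tag survive?"""
    return "<script" in page_html.lower()


if __name__ == "__main__":
    i = post_message("20165229", '<script>alert("20165229 attack succeed hhhhh!");</script>')
    print(render_unsafe(i))
    print(render_safe(i))
```

The escaping is applied when the page is produced, not when the message is saved, so the same stored text can be emitted safely into HTML, into an attribute or into JSON, each with the escaping that context needs.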

(3) How CSRF works, and how to defend against it
  • Improve the design of the site's APIs. Operations that create resources, such as posting a message, should accept only POST requests; GET requests should only read and must never change server-side state.

  • Use request tokens. The server first generates a random string by some policy to serve as the token and stores it in the session. The page that issues the request then sends the token along with the other fields, for example in a hidden form field. The page that receives the request compares the token it received with the one in the session and processes the request only if they match; otherwise it returns HTTP 403 and rejects the request, or asks the user to log in again to confirm their identity.
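Both the CSRF step in the experiment and the two defences above are shown in the following Python example, which is added here and is not WebGoat's code. A constructed session store issues a per-session token; the transfer handler refuses anything but POST and compares the submitted token with the stored one in constant time. The forged 1x1 image from the lesson is replayed as the GET it produces, a cross-site auto-submitted POST is replayed with a guessed token, and the legitimate form submission goes through. The handler path, the Screen=330 and menu=900 values (taken from the Parameters noted in the experiment), the starting balance and the session layout are assumptions.

```python
import hmac
import re
import secrets

# Constructed server-side session store: session id -> session data.
SESSIONS = {}


def new_session(user, balance=10000):
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "balance": balance,
                     "csrf_token": secrets.token_urlsafe(32)}
    return sid


def transfer_form(sid):
    """The page that issues the request carries the token in a hidden field."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="POST" action="/WebGoat/attack">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="transferFunds"><button>Transfer</button></form>')


def token_from_form(form_html):
    """What the legitimate browser does: submit the hidden field it was given."""
    return re.search(r'name="csrf_token" value="([^"]+)"', form_html).group(1)


def handle_transfer(method, sid, params):
    """Server handler; returns (HTTP status, message)."""
    session = SESSIONS.get(sid)  # sid arrives as the session cookie
    if session is None:
        return 401, "not logged in"
    if method != "POST":
        return 405, "state-changing request must be POST"
    sent = params.get("csrf_token", "")
    if not hmac.compare_digest(sent, session["csrf_token"]):
        return 403, "missing or wrong CSRF token"
    amount = int(params["transferFunds"])
    session["balance"] -= amount
    return 200, f"transferred {amount}"


# The forged request from the lesson: a 1x1 image whose URL is the attack URL
# (parameter values assumed from the page's Screen/menu/transferFunds fields).
FORGED_IMG = ('<img src="http://localhost:8080/WebGoat/attack'
              '?Screen=330&menu=900&transferFunds=5229" width="1" height="1">')


def forged_image_request(sid):
    # Rendering the image makes the victim's browser issue a GET with the
    # session cookie attached, but with no token and the wrong method.
    return handle_transfer("GET", sid, {"Screen": "330", "menu": "900",
                                        "transferFunds": "5229"})


def forged_post_request(sid):
    # An attacker page can auto-submit a cross-site POST form, and the
    # cookie still rides along, but the token in the victim's page is
    # unreadable cross-origin, so the attacker can only guess it.
    return handle_transfer("POST", sid, {"transferFunds": "5229",
                                         "csrf_token": secrets.token_urlsafe(32)})


def legitimate_transfer(sid, amount):
    """The victim's own browser: load the form, submit it with its token."""
    token = token_from_form(transfer_form(sid))
    status, _ = handle_transfer("POST", sid, {"transferFunds": str(amount),
                                              "csrf_token": token})
    return status, SESSIONS[sid]["balance"]


if __name__ == "__main__":
    victim = new_session("webgoat")
    print(forged_image_request(victim), forged_post_request(victim))
    print(legitimate_transfer(victim, 5229))
```

The POST-only rule stops the image trick on its own, but forged_post_request shows why it is not enough: a form on the attacker's page can POST cross-site with the victim's cookie. The token is what the attacker cannot obtain, which is why the comparison against the session value is the check that actually decides.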


Source: www.cnblogs.com/zkkj/p/10926800.html