Exp9 Web security infrastructure 20164303 King St.

Basic questions answered:

  1. SQL injection attacks: how to defend against them?

    • A SQL injection attack inserts SQL commands into a web form submission, a domain-name query string, or a page request, ultimately deceiving the server into executing malicious SQL commands.

    • For the prevention of SQL injection attacks, I think we should mainly start from the code:
      • Use PreparedStatement precompiled statements, which have built-in protection against SQL injection as long as values are supplied through the usual setXXX methods. SQL injection only works by corrupting the SQL statement during its preparation (compilation) phase; with PreparedStatement the statement is already prepared, and a string supplied at the execution phase is processed as data rather than parsed as part of the SQL statement, so the SQL injection problem is avoided;
      • Use regular expressions to filter the incoming parameters, filtering out keywords that are used in SQL injection;
      • String filtering methods;
      • In JSP, call a function that checks for illegal characters to prevent SQL injection through the URL.
  2. Principle of XSS attacks: how to defend against them?

    • XSS is a code injection attack that lets a malicious user inject code into a web page; once the code executes in the browser, other users are affected when they view the page. Such attacks usually contain HTML and client-side scripting. The main goal of an XSS attack is to find a way to obtain the cookies of the targeted site, because holding the cookie is equivalent to holding the session; with that information the attacker can log in to the site from any internet-connected PC under someone else's identity and do damage.
    • XSS defense can be approached from the following two aspects:
      • For the parameters passed by form submission or in the URL, filter the parameters as needed;
      • Check whether the user's input contains illegal content such as angle brackets and quotation marks, and strictly control the output.

3. CSRF attacks: how to defend against them?

  • We know that XSS is a cross-site scripting attack: the attacker's script is executed in the user's browser to obtain the user's cookie and other information. CSRF instead borrows the identity of the user to send a request to the web server; because the request is not the user's intention, it is called "cross-site request forgery".
  • CSRF defenses can likewise start from the following aspects:
    • Verify the request using the Referer, a token, or a verification code submitted by the user;
    • Try not to expose user-private information in page links, and preferably use POST for operations that modify or delete data;
    • Avoid a generic cookie for the whole site; set the cookie domain strictly.
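The three defenses above (POST-only for modifying operations, Referer/Origin check, per-session token) as an added example in Python; this is not WebGoat's code, and the secret, session id, header layout and the constructed requests (modelled on the transferFunds=5000 image request used in the CSRF lab later on this page) are assumptions for the demo:

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed values for the demo (not WebGoat's real secret or origin handling).
SECRET = b"placeholder-server-side-secret"
SITE_ORIGIN = "http://localhost:8080"


def issue_token(session_id):
    # Token derived from the session, so one session's token cannot be replayed
    # for another; the server embeds it in its forms as csrf_token.
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def check_transfer(request, session_id):
    # request is a constructed dict {method, headers, params}; the reason string
    # is returned so a rejected attempt can be logged for detection.
    # 1. Modifying operations are POST only: the lab's forged <img src=...>
    #    request is a GET and is refused before anything else is examined.
    if request["method"] != "POST":
        return False, "state change must use POST"
    # 2. Origin (or Referer) must name our own site.
    origin = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not origin:
        return False, "missing Origin/Referer"
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return False, "cross-site request"
    # 3. The form must carry the token issued for this session. This check still
    #    holds when the forgery is stored in a message on our own site, where the
    #    Referer check alone would pass.
    token = request["params"].get("csrf_token", "")
    if not hmac.compare_digest(token, issue_token(session_id)):
        return False, "invalid CSRF token"
    return True, "ok"

# Constructed requests: what the lab's <img> tag sends versus a genuine form post.
FORGED_IMG = {"method": "GET",
              "headers": {"Referer": "http://localhost:8080/WebGoat/attack"},
              "params": {"Screen": "321", "menu": "900", "transferFunds": "5000"}}
SAME_SITE_NO_TOKEN = {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
                      "params": {"transferFunds": "5000"}}
GENUINE = {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
           "params": {"transferFunds": "5000",
                      "csrf_token": issue_token("session-abc")}}

if __name__ == "__main__":
    for req in (FORGED_IMG, SAME_SITE_NO_TOKEN, GENUINE):
        print(check_transfer(req, "session-abc"))
```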


Experimental procedure:

One, WebGoat configuration

Go to https://github.com/WebGoat/WebGoat/releases/tag/7.0.1

Download webgoat-container-7.0.1-war-exec.jar

Run java -jar webgoat-container-7.0.1-war-exec.jar to start the jar package


After the login information shown in the red box of the screenshot appears, open a browser and visit http://localhost:8080/WebGoat.



Two, SQL injection attacks (Injection Flaws)


1. Command injection (Command Injection)

    • Select Injection Flaws -> Command Injection
      Right-click the selection box on the page, choose Inspect Element to review the page elements and modify the source, and append "& netstat -an" at the end
    • Click View; the network port usage and IP addresses are displayed, so the attack succeeded


2. Log spoofing (Log Spoofing)

    • Select Injection Flaws -> Log Spoofing
    • Enter js%0d%0aLogin Succeeded for username: admin as the User Name, using %0D (carriage return) and %0A (line feed) so that the log entry appears on two lines
    • After entering any password and clicking Login, the user name is appended to the log file and the attack succeeds.
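The log-spoofing defense as an added Python example (not WebGoat's code): it takes the URL-encoded User Name from the lesson above, shows that writing it raw yields two log entries, and shows the one-line result when control characters are escaped before logging. The "Login failed for username:" log format is a constructed assumption.

```python
from urllib.parse import unquote

# Constructed: the User Name exactly as typed in the lesson above, still URL-encoded.
SPOOFED_USERNAME = "js%0d%0aLogin Succeeded for username: admin"


def log_line_unsafe(username):
    # Writes the decoded value straight into the log entry, so the CR/LF hidden in
    # it terminates the real entry and starts a second, forged "Login Succeeded" line.
    return "Login failed for username: " + unquote(username)

def sanitize_for_log(value):
    # Replace every control character with a visible escape: the entry stays one
    # line and still shows what the user actually submitted.
    out = []
    for ch in value:
        if ch == "\r":
            out.append("\\r")
        elif ch == "\n":
            out.append("\\n")
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def log_line_safe(username):
    return "Login failed for username: " + sanitize_for_log(unquote(username))

def looks_spoofed(username):
    # Detection hook: a user name carrying CR/LF or other control characters after
    # decoding is worth an alert on its own, whatever the log writer does with it.
    decoded = unquote(username)
    return any(ord(ch) < 0x20 or ch == "\x7f" for ch in decoded)

def entry_count(log_text):
    # How many entries a line-oriented log viewer would see in this text.
    return len(log_text.splitlines())


if __name__ == "__main__":
    print(entry_count(log_line_unsafe(SPOOFED_USERNAME)))  # 2: the forged line appears
    print(entry_count(log_line_safe(SPOOFED_USERNAME)))    # 1
    print(log_line_safe(SPOOFED_USERNAME))
```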


3. SQL injection (LAB: SQL Injection)

Stage 1: String SQL injection

    • Select Injection Flaws -> String SQL Injection; right-click the password box, choose Inspect Element to review the page elements and modify the source, and change the maximum length limit to 20


    • Log in as the user Neville with the password Smith' or '1' = '1
    • The attack succeeds: a list of all personnel is displayed


4. Blind SQL injection (Blind Numeric SQL Injection)

    • The server returns page information in only two forms: the account is valid, or the account is invalid, so the PIN value cannot simply be queried. But the query the system runs in the background, SELECT * FROM user_data WHERE userid=accountNumber;, can be used:
      if the account returns information, the page reports that the account is valid; otherwise it reports that it is invalid.
    • Enter 101 AND 1=1: the page reports a valid account number

    • Enter 101 AND 1=2: the second condition is not satisfied, and the page reports an invalid account number

    • Enter 101 AND ((SELECT pin FROM pins WHERE cc_number='1111222233334444') > 10000 ); the page reports an invalid account number, which means PIN <= 10000


    • After several more attempts, entering 2364 gives the correct PIN value
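Added example, not WebGoat's code, tying together the PreparedStatement point from question 1, the Stage 1 string injection and the blind numeric injection above: each query is written once with string concatenation and once with a bound parameter, against a constructed in-memory SQLite table (the rows, column names and passwords are assumptions, not the lab's real data). The Stage 1 password returns every row only from the concatenated query, and the 101 AND 1=1 / 1=2 probe stops distinguishing anything once the account number is bound as a checked integer.

```python
import sqlite3

# Constructed sample rows standing in for the lab's user table (not WebGoat's real data).
EMPLOYEES = [(101, "Neville", "Bartholomew", "s3cret!"),
             (102, "John", "Smith", "pa55word"),
             (103, "Jane", "Doe", "letmein")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (userid INTEGER, first_name TEXT, "
                 "last_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?, ?)", EMPLOYEES)
    return conn

def login_vulnerable(conn, user, password):
    # Stage 1 style: input is concatenated into the statement text, so the quote
    # and OR inside the password are parsed as SQL and rewrite the WHERE clause.
    sql = ("SELECT userid, first_name, last_name FROM user_data WHERE first_name='"
           + user + "' AND password='" + password + "'")
    return conn.execute(sql).fetchall()

def login_prepared(conn, user, password):
    # Prepared statement: compiled first, values bound afterwards as plain data,
    # so the same payload is merely a password that matches no row.
    sql = ("SELECT userid, first_name, last_name FROM user_data "
           "WHERE first_name=? AND password=?")
    return conn.execute(sql, (user, password)).fetchall()

def account_valid_vulnerable(conn, account):
    # Blind numeric lesson: the account number is pasted unquoted into the query,
    # so "101 AND 1=2" turns the valid/invalid message into a true/false oracle.
    rows = conn.execute("SELECT * FROM user_data WHERE userid=" + account).fetchall()
    return len(rows) > 0

def account_valid_prepared(conn, account):
    # Bound parameter plus an explicit integer check: anything that is not a plain
    # number is rejected, so both probe variants answer "invalid" and the oracle is gone.
    if not account.strip().isdigit():
        return False
    rows = conn.execute("SELECT * FROM user_data WHERE userid=?",
                        (int(account),)).fetchall()
    return len(rows) > 0

if __name__ == "__main__":
    conn = make_db()
    payload = "Smith' or '1' = '1"                     # the Stage 1 password above
    print(login_vulnerable(conn, "Neville", payload))      # all three rows leak
    print(login_prepared(conn, "Neville", payload))        # []
    print(account_valid_vulnerable(conn, "101 AND 1=2"))   # False: probe works
    print(account_valid_prepared(conn, "101 AND 1=1"))     # False: probe rejected
```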


Three, XSS attacks

1. Stored XSS attacks (Stored XSS Attacks)

    • Enter any characters in the Title field and, in the message board, enter <script>alert("js4303");</script>


2. Reflected XSS attacks (Reflected XSS Attacks)

    • Enter the code <script>alert("js4303");</script> and click Purchase; the page reflects it back at the same time


Four, CSRF attacks

1. CSRF (Cross Site Request Forgery)

    • Check the src and menu values in the Parameters panel on the right side of the page: they are 321 and 900 respectively

    • Enter any value in the Title field and, in the message box, enter
<img src="http://localhost:8080/WebGoat/attack?Screen=321&menu=900&transferFunds=5000"/>
    • Click Submit (in the tag, &transferFunds=5000 is the amount transferred away from the victim; the width and height are set to 1 pixel in order to hide the image)

2. Bypassing CSRF confirmation (CSRF Prompt By-Pass)


    • Check the Parameters panel on the right side of the page: the src and menu values are 279 and 900 respectively

    • Enter the student number in the title box and enter the code in the message box:

      Click the link; the attack succeeds



Experiment reflections:

This experiment was not very difficult, but there were many items, so it still took quite a lot of time. I have finally finished the last experiment, and I am a little happy about it, although honestly I also feel I did not do it very well. I never went to the acceptance check: on the spot I really could not get it done, and it usually takes me several days to finish, so I never dared to go for the acceptance. But by completing the basic things in full, I feel I also gained a lot. Although the process was painful, looking back now it still seems quite good.


Origin www.cnblogs.com/js0905/p/10927066.html