2018-2019-10 20165107 Network Countermeasures Technology Exp9 Web Security Basics

Experimental requirements

The goal of this exercise is to understand the basic principles of common web attack techniques and to complete at least seven topics from the WebGoat hands-on exercises, covering SQL injection, XSS and CSRF.

Basic Questions

1. The principle of SQL injection attacks and how to defend against them

Principle of SQL injection: the attacker constructs special input and passes it as a parameter to the web application, so that the input is executed as part of an SQL statement and performs the operations the attacker wants. For example, entering special characters such as ', -- or # in the user name or password box uses the quotation mark to close the string literal and the comment marker to cut off the rest of the SQL statement; a tautology (a condition that is always true) then lets the attacker log in or display data without valid credentials.

How to defend: check the data type and format of every variable; for variables whose format cannot be fixed, filter or escape special characters; bind variables, i.e. use prepared statements.

2. The principle of XSS attacks and how to defend against them

Principle of XSS attacks: cross-site scripting is a kind of security vulnerability in web applications. The attacker inserts malicious HTML tags or JavaScript code into a web page; when a user browses the page or performs certain operations, the script abuses the user's trust in the original site or in the browser to trick the user into performing unsafe operations, or submits the user's private information to another site.

How to defend: filter the parameters passed by form submission or in the URL before using them; check user input for illegal content.

3. The principle of CSRF attacks and how to defend against them

Principle of CSRF attacks: CSRF stands for cross-site request forgery. Its core is hijacking the user's Session or Cookie (in current practice the session is mostly kept in a cookie). The attacker does not care about the victim's actual account name and password, because once the user has logged in the Session is the user's only credential: as long as the attacker can make use of that Session, they can impersonate the victim to the server.

How to defend: check the Referer, a token, or a verification code submitted by the user; avoid cookies shared across the whole site, and set the cookie's domain strictly.

Experimental Procedure

I. WebGoat preparation

WebGoat is a platform developed by the OWASP organization for experimenting with web application vulnerabilities; it illustrates the security vulnerabilities that exist in web applications. It runs on any platform with a Java virtual machine and provides a series of web security tutorials that guide the user through exploiting these vulnerabilities.

Download the jar package: webgoat-container-7.0.1-war-exec.jar

Terminate any other process using port 8080:

WebGoat uses port 8080 by default, so before starting it, first check with netstat -tupln | grep 8080 whether the port is occupied; if it is, terminate the process occupying port 8080 with kill <process ID>.

After a normal installation, start it from the command line: java -jar webgoat-container-7.0.1-war-exec.jar

In Chrome open localhost:8080/WebGoat, log in directly with the default user name and password guest, and start practicing.


II. SQL injection attacks

1. Command Injection

Concept: command injection attacks are a serious threat to any parameter-driven site. The technique behind this attack method is easy to learn, and the damage it causes can range up to complete system compromise.

Goal: execute arbitrary system commands on the target host.

Method: right-click on the page and select Inspect Element to review the page elements and modify the source code. Select any option in the drop-down list, right-click it, choose Edit As HTML and append "& netstat -an & ipconfig" to its value.

Click View: the output shows the network port usage and the IP address returned by the injected commands, so the attack succeeded.
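As an added example (not code from this report or from WebGoat), the Python below shows why the injected separator works and what the fix looks like: the vulnerable version hands a single string to the shell, the hardened version passes an argument list with no shell and validates the parameter against an allow-list first. echo stands in for the real network command so the block runs offline; the `;` separator is used in place of the exercise's `&` because `;` is the sequential separator in a POSIX sh, and HOST_RE is an assumed host-name pattern.

```python
import re
import subprocess

# Assumed allow-list for a host-name / IPv4 parameter: letters, digits, dots, dashes.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def lookup_unsafe(target: str) -> str:
    """Builds one shell command line from user input. The shell, not the program,
    parses it, so separators such as ; & | inside the input start new commands."""
    cmd = f"echo lookup {target}"          # 'echo' stands in for the real tool
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_argv(target: str) -> str:
    """Same call without a shell: the input is exactly one argv entry, and shell
    metacharacters inside it are ordinary characters handed to the program."""
    return subprocess.run(["echo", "lookup", target],
                          capture_output=True, text=True).stdout


def is_valid_target(target: str) -> bool:
    """Allow-list check: anything outside the host-name alphabet is rejected."""
    return HOST_RE.match(target) is not None


def lookup_safe(target: str) -> str:
    """Defence in depth: allow-list validation first, then no-shell execution."""
    if not is_valid_target(target):
        raise ValueError(f"rejected target parameter: {target!r}")
    return lookup_argv(target)


if __name__ == "__main__":
    # Constructed inputs: a normal address, and one carrying an extra command.
    print(lookup_unsafe("127.0.0.1; echo INJECTED"))    # second command runs
    print(lookup_argv("127.0.0.1; echo INJECTED"))      # printed as literal text
    print(is_valid_target("& netstat -an & ipconfig"))  # False: rejected before any exec
```

The argv form alone already stops the separator from being interpreted; the allow-list is kept in addition because the program that finally receives the argument may parse options of its own.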

2. Numeric SQL Injection

Concept: inject into numeric data (for example a tautology) to achieve the effect of the injection.

Goal: view all weather data for the example stations via SQL injection.

Method:

Right-click on the page, select Inspect Element to review the page elements and modify the source code: append or 1=1 to the numeric Value of the selected city.

All cities' weather conditions are displayed, which shows the attack succeeded.

3. Log Spoofing

Concept: achieve deception by inserting text into the log file.

Goal: the grey area represents the contents recorded in the web server's log. Our aim is to make the log display a successful login by the user whose user name is "admin".

Method:

Click Injection Flaws -> Log Spoofing in the left menu; WebGoat shows the login form on which the attack takes place. In the User Name field enter webgoat%0d%0aLogin Succeeded for username: admin, i.e. use the carriage return %0D and the line feed %0A to split the log entry into two lines. Then enter any password and click Login: the log shows the line Login Failed for username: webgoat, and the next line shows the statement we added ourselves.
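As an added example (not code from this report or from WebGoat), the Python below reproduces the log entry the exercise produces and shows the fix: control characters in any field copied into the log are rendered as visible escapes, so one request can never produce two log entries. The log-line format, the parser a log analyst would run over it and the looks_spoofed rule are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed request: the User Name parameter exactly as the exercise sends it,
# still URL-encoded (%0d = carriage return, %0a = line feed).
RAW_USERNAME_PARAM = "webgoat%0d%0aLogin Succeeded for username: admin"

# Assumed log-line format of the login handler.
LOG_LINE = re.compile(r"^Login (Succeeded|Failed) for username: (.+)$")
FORMAT_IMITATION = re.compile(r"Login (Succeeded|Failed) for username:")


def log_entry_unsafe(username_param: str, success: bool) -> str:
    """The decoded parameter is copied into the log verbatim, CR/LF included."""
    status = "Login Succeeded" if success else "Login Failed"
    return f"{status} for username: {unquote(username_param)}"


def sanitize_log_field(value: str) -> str:
    """Make control characters visible instead of letting them act: CR and LF
    become the literal text \\r and \\n, other control bytes become \\xNN.
    The result can never span more than one physical log line."""
    out = []
    for ch in value:
        if ch == "\r":
            out.append("\\r")
        elif ch == "\n":
            out.append("\\n")
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(ch)
    return "".join(out)


def log_entry_safe(username_param: str, success: bool) -> str:
    """Same entry, but every untrusted field goes through sanitize_log_field."""
    status = "Login Succeeded" if success else "Login Failed"
    return f"{status} for username: {sanitize_log_field(unquote(username_param))}"


def parse_log(text: str) -> list:
    """What a log analyst (or a SIEM rule) sees: one (status, username) tuple per
    physical line that matches the login format."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            events.append((m.group(1), m.group(2)))
    return events


def looks_spoofed(username: str) -> bool:
    """Detection hint for the sanitised log: a user name containing an escaped
    line break, or text imitating the log format, deserves an alert."""
    return ("\\r" in username or "\\n" in username
            or FORMAT_IMITATION.search(username) is not None)


if __name__ == "__main__":
    print(parse_log(log_entry_unsafe(RAW_USERNAME_PARAM, False)))  # two events, second is a fake success
    print(parse_log(log_entry_safe(RAW_USERNAME_PARAM, False)))    # one failed login with an odd user name
```

With the unsafe entry the parser reports a genuine-looking "Succeeded" event for admin; with the sanitised entry it reports a single failed login whose user name looks_spoofed flags.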

4. LAB: SQL Injection

Stage 1: String SQL Injection

Method: right-click on the page, select Inspect Element to review the page elements and modify the source code: change the maximum length of the password box to 18.

Stage 2: log in as user Neville (admin) with the password hello' or '1' = '1; the list of all employees is shown, so the attack succeeded.

5. String SQL Injection

Concept: bypass authentication by injecting a string.

Goal: the following table allows users to view their credit card numbers. Try to display all credit card information via SQL injection. Try the user name "Smith".

Operation: in the user name box enter Smith' or 1 = 1 -- (both Smith and 1 = 1 become conditions of the query; since 1 = 1 is always true, every row in the table is returned). All users' credit card numbers are shown, so the attack succeeded.
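Exercises 2, 5 and 6 of this section, together with the defences listed under basic question 1 (type checking and prepared statements), are illustrated by this added Python example. It is not code from the report or from WebGoat: the tables and rows are constructed to mirror the two exercises, the column names are assumptions, and the database is an in-memory SQLite one. The two vulnerable functions build the query the way the lesson's server does, the two safe functions apply the defences, and the same inputs are run against both.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data (not WebGoat's own tables); shapes mirror the
    credit-card and weather exercises, column names are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user_data (userid INTEGER, first_name TEXT, last_name TEXT, cc_number TEXT);
        INSERT INTO user_data VALUES (101, 'Joe',  'Snow',  '987654321');
        INSERT INTO user_data VALUES (102, 'John', 'Smith', '2234200065411');
        INSERT INTO user_data VALUES (103, 'Jane', 'Plane', '123456789');
        CREATE TABLE weather_data (station INTEGER, name TEXT, state TEXT, min_temp INTEGER, max_temp INTEGER);
        INSERT INTO weather_data VALUES (101, 'Columbia', 'MD', 55, 70);
        INSERT INTO weather_data VALUES (102, 'Seattle',  'WA', 50, 65);
        INSERT INTO weather_data VALUES (103, 'New York', 'NY', 45, 80);
    """)
    return conn


# --- String SQL Injection (exercise 5) -----------------------------------------

def cards_vulnerable(conn: sqlite3.Connection, last_name: str) -> list:
    """Query built by concatenation: a quote in the input closes the literal and
    the rest is parsed as SQL, so  Smith' or 1=1 --  matches every row."""
    sql = ("SELECT first_name, last_name, cc_number FROM user_data "
           "WHERE last_name = '" + last_name + "'")
    return conn.execute(sql).fetchall()


def cards_safe(conn: sqlite3.Connection, last_name: str) -> list:
    """Prepared statement: the driver binds the text as a value, so the whole
    input (quote, OR and comment included) is compared against last_name."""
    sql = "SELECT first_name, last_name, cc_number FROM user_data WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


# --- Numeric SQL Injection (exercise 2) and stacked statements (exercise 6) ------

def weather_vulnerable(conn: sqlite3.Connection, station: str) -> list:
    """Numeric column, no quotes to close: appending  or 1=1  to the station id
    is enough to turn the WHERE clause into a tautology."""
    sql = f"SELECT name, state, min_temp, max_temp FROM weather_data WHERE station = {station}"
    return conn.execute(sql).fetchall()


def parse_station_id(raw: str) -> int:
    """Type check before the value reaches SQL: only an unsigned ASCII integer
    is accepted, so  101 or 1=1  and  101; UPDATE ...  are rejected outright."""
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError(f"station id must be an unsigned integer, got {raw!r}")
    return int(raw)


def is_valid_station_id(raw: str) -> bool:
    try:
        parse_station_id(raw)
        return True
    except ValueError:
        return False


def weather_safe(conn: sqlite3.Connection, station: str) -> list:
    """Validated type plus a bound parameter: both layers of the defence."""
    station_id = parse_station_id(station)
    sql = "SELECT name, state, min_temp, max_temp FROM weather_data WHERE station = ?"
    return conn.execute(sql, (station_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, Smith:            ", len(cards_vulnerable(db, "Smith")), "row(s)")
    print("vulnerable, Smith' or 1=1 --: ", len(cards_vulnerable(db, "Smith' or 1=1 --")), "row(s)")
    print("safe,       Smith' or 1=1 --: ", len(cards_safe(db, "Smith' or 1=1 --")), "row(s)")
    print("vulnerable, 101 or 1=1:       ", len(weather_vulnerable(db, "101 or 1=1")), "row(s)")
    print("safe accepts '101 or 1=1'?    ", is_valid_station_id("101 or 1=1"))
    print("safe accepts '101; UPDATE'?   ", is_valid_station_id("101; UPDATE employee SET salary = 5000"))
```

The stacked-statement input from exercise 6 is only run through the validator, not through a vulnerable function: SQLite's Python driver happens to refuse several statements in one execute() call, which is a property of that driver, not a defence the application can rely on.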

6. Database Backdoors

First verify the statement: in the user ID box enter 101; update employee set salary = 5000, and the updated data is shown.

Then inject 101; CREATE TRIGGER myBackDoor BEFORE INSERT ON employee FOR EACH ROW BEGIN UPDATE employee SET email='[email protected]' WHERE userid = NEW.userid to create a backdoor.

7. Blind String SQL Injection

Goal: find the value of the pin field in the record of table pins whose cc_number field is 4321432143214321. The pin field is of type varchar. Enter the value you find and submit it to complete this lesson.

Operation: similar to numeric blind injection, except that the injected number is replaced by a string.

For example, entering 101 AND (SUBSTRING((SELECT pin FROM pins WHERE cc_number='4321432143214321'), 1, 1) < 'M' ); takes the first letter of the pin field value and tests whether it is smaller than the letter "M".

The syntax of SUBSTRING is SUBSTRING(string, start, length).

Test with binary search, and finally obtain the value of the pin field.

III. XSS attacks (Cross-Site Scripting)

1. Phishing with XSS

Goal: create a form asking the user to fill in a user name and password. The data will be submitted to http://localhost/WebGoat/catcher?PROPERTY=yes&user=catchedUserName&password=catchedPasswordNam

Method:

XSS elements can be added to the existing page; they consist of two parts:

a form for the victim to fill in; and a script that reads the information collected by the form and sends it to the attacker's server.

Write a script that reads the user name and password the victim enters on the form and sends the information to the WebGoat catcher, which records it.

Write a form with a user name and password input box:

<form name="20165107lyl"> <br> <br> <HR> <H2>This feature requires account login:</H2> <br> <br>Enter Username:<br> <input type="text" name="user"> <br>Enter Password:<br> <input type="password" name="pass"> <br> <input type="submit" name="login" value="login" onclick="hack()"> </form>

Enter this code in the Search box, and the form with user name and password inputs appears below.

Next, we write a script: as soon as the victim enters a user name and password in the form, the information is sent to the WebGoat catcher that records it.

Enter this code in the Search box, and the form appears.

After entering a user name and password, we can see the server return the login name and password.

2. Stored XSS Attacks

Goal: write illegal message content that causes unexpected pages or content to be loaded when other users view it.

Method: enter any characters in the title, and in the message board enter <script>alert("I am 20165107lyl. You've been attacked!!!");</script>.

3. Reflected XSS Attacks

Principle: the attacker uses a script to create a URL; as soon as the victim clicks it, the attack takes effect.

In the Enter your three digit access code: field enter the script <script>alert("Hey! You've been attacked!");</script> and click Purchase. The alert box is displayed, and its content is exactly what we injected in the script.
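Added example (not code from this report or from WebGoat) covering the stored and reflected exercises above and the XSS defence from basic question 2: the unsafe renderers paste user input into the page as markup, the safe ones HTML-escape it for the text context it lands in, and safe_href shows that an href needs a different treatment (a scheme allow-list) because escaping alone does not neutralise a javascript: URL. The page fragments, the message-board shape and the contains_active_html check are constructed for the example.

```python
import html
import re
from urllib.parse import urlparse

# Constructed inputs: the two payloads used in the stored and reflected exercises.
STORED_PAYLOAD = '<script>alert("I am 20165107lyl. You\'ve been attacked!!!");</script>'
REFLECTED_PAYLOAD = '<script>alert("Hey! You\'ve been attacked!");</script>'

# Tags that can execute script or fire a request; used only to inspect output.
ACTIVE_TAG = re.compile(r"<\s*(script|iframe|img|form|svg|object|embed)\b", re.IGNORECASE)


def render_message_unsafe(title: str, body: str) -> str:
    """Stored XSS: the saved message is pasted into the page as markup, so a
    <script> in the body runs in every reader's browser."""
    return f"<h3>{title}</h3><p>{body}</p>"


def render_access_code_unsafe(code: str) -> str:
    """Reflected XSS: the request parameter is echoed straight back."""
    return f"<p>Access code {code} was not valid.</p>"


def render_message_safe(title: str, body: str) -> str:
    """Same page, but every untrusted value is HTML-escaped for the text context:
    < > & " ' become entities and can no longer open a tag or attribute."""
    return f"<h3>{html.escape(title)}</h3><p>{html.escape(body)}</p>"


def render_access_code_safe(code: str) -> str:
    return f"<p>Access code {html.escape(code)} was not valid.</p>"


def safe_href(url: str) -> str:
    """Escaping is context-specific: inside an href attribute, entity escaping
    does not stop a javascript: URL, so the scheme is checked against an
    allow-list first and anything else is replaced by an inert link."""
    parsed = urlparse(url.strip())
    if parsed.scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def contains_active_html(fragment: str) -> bool:
    """Output check for tests and logging: does the rendered fragment still
    contain a tag that can execute script or fire a request?"""
    return ACTIVE_TAG.search(fragment) is not None


if __name__ == "__main__":
    print(render_message_unsafe("hello", STORED_PAYLOAD))   # script tag survives
    print(render_message_safe("hello", STORED_PAYLOAD))     # &lt;script&gt;... is plain text
    print(render_access_code_safe(REFLECTED_PAYLOAD))
    print(safe_href("javascript:alert(1)"), safe_href("https://owasp.org/"))
```

Escaping at output time is what defeats both the stored and the reflected case; input filtering (as in basic question 2) is a useful second layer, but the rendering code is the place where the context, and therefore the correct encoding, is known.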

IV. CSRF attacks

1. Cross-Site Request Forgery (CSRF)

Write a URL into the Message box and make it invisible to other users by setting it as a hidden image; as soon as a user opens the message a CSRF event is triggered.

In Message enter <img src="http://localhost:8080/WebGoat/attack?Screen=&menu=900&transferFunds=5000" width="1" height="1" />;

When the message is clicked, the page loads and displays the message, which executes the transfer of the user's deposit.

2. CSRF Prompt By-Pass

In the message box enter:

<iframe src="attack?Screen=[scr]&menu=[menu]&transferFunds=5000"> </iframe>

<iframe src="attack?Screen=[scr]&menu=[menu]&transferFunds=CONFIRM"> </iframe>

View the message; the transfer messages appear.
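Added example, not code from this report or from WebGoat, of the CSRF defences from basic question 3 applied to the transfer in exercises 1 and 2 above. The session, request and handler types are constructed stand-ins for the server side; SITE_ORIGIN, the parameter names and the balances are assumptions. transfer_unsafe honours any request that carries the session cookie, transfer_safe requires POST, a same-origin Origin/Referer header and the session's CSRF token, and the scenarios replay the hidden-image request from exercise 1 against both.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlparse

SITE_ORIGIN = "http://localhost:8080"   # the WebGoat origin used in the exercise


@dataclass
class Session:
    """Server-side session, looked up from the browser's cookie."""
    user: str
    balance: int
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    params: Dict[str, str]          # query string and form fields, merged
    headers: Dict[str, str]
    session: Optional[Session]      # None when no valid session cookie arrived


def transfer_unsafe(req: Request) -> Tuple[int, str]:
    """Any request carrying the victim's cookie is honoured, GET or POST,
    whichever page caused the browser to send it."""
    if req.session is None:
        return 401, "login required"
    amount = int(req.params.get("transferFunds", "0"))
    req.session.balance -= amount
    return 200, f"transferred {amount}"


def _same_origin(req: Request) -> bool:
    source = req.headers.get("Origin") or req.headers.get("Referer") or ""
    p = urlparse(source)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def transfer_safe(req: Request) -> Tuple[int, str]:
    """Three checks: state changes only on POST (an <img> or <iframe> can only
    issue GET), the request must come from our own origin, and the form must
    carry the session's CSRF token. The token is decisive: a message stored on
    the site itself passes the origin test."""
    if req.session is None:
        return 401, "login required"
    if req.method != "POST":
        return 405, "transfers must be POSTed"
    if not _same_origin(req):
        return 403, "cross-origin request refused"
    supplied = req.params.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), req.session.csrf_token.encode()):
        return 403, "missing or wrong CSRF token"
    amount = int(req.params["transferFunds"])
    req.session.balance -= amount
    return 200, f"transferred {amount}"


# Constructed scenarios ----------------------------------------------------------

def hidden_image_request(victim: Session) -> Request:
    """The 1x1 <img> from exercise 1: GET, the victim's cookie, and a Referer
    pointing at the message page on the same site."""
    return Request("GET", {"Screen": "", "menu": "900", "transferFunds": "5000"},
                   {"Referer": f"{SITE_ORIGIN}/WebGoat/attack?Screen=&menu=900"}, victim)


def cross_site_post(victim: Session) -> Request:
    """A form auto-submitted from another site: POST, cookie, foreign Origin."""
    return Request("POST", {"transferFunds": "5000"},
                   {"Origin": "http://attacker.example"}, victim)


def same_site_post_without_token(victim: Session) -> Request:
    """A form submitted from our own pages but without the token."""
    return Request("POST", {"transferFunds": "5000"}, {"Origin": SITE_ORIGIN}, victim)


def legitimate_request(victim: Session) -> Request:
    return Request("POST", {"transferFunds": "100", "csrf_token": victim.csrf_token},
                   {"Origin": SITE_ORIGIN}, victim)


def run_scenario(handler: Callable[[Request], Tuple[int, str]],
                 build: Callable[[Session], Request]) -> Tuple[int, int]:
    """Returns (HTTP status, victim balance afterwards) for one handler/request pair."""
    victim = Session(user="guest", balance=10000)
    status, _ = handler(build(victim))
    return status, victim.balance


if __name__ == "__main__":
    for name, build in [("hidden image", hidden_image_request), ("cross-site POST", cross_site_post),
                        ("same-site POST, no token", same_site_post_without_token),
                        ("legitimate", legitimate_request)]:
        print(f"{name:25} unsafe={run_scenario(transfer_unsafe, build)} safe={run_scenario(transfer_safe, build)}")
```

The Prompt By-Pass exercise shows why a confirmation step alone is no defence: the confirming request can be forged exactly like the first one, whereas the token is a value the forging page never sees.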

Experimental reflections

This experiment was completed on WebGoat. During the practice I gained a new understanding of SQL injection, XSS and CSRF. The experiment has many steps, so we must keep the approach clear: know what operation we are doing at the moment, what the purpose of each step is, what the next step is, and what experimental effect we want to achieve in the end. Only then can we better understand the whole attack process and complete the experimental tasks better.

Origin www.cnblogs.com/3523108059lyl/p/10927140.html