Web attacks and security: SQL injection and cross-site scripting (XSS)



Similar documents
Firewalls and Software Updates

Vulnerability analysis

Secure Web Development Teaching Modules 1. Threat Assessment

Intrusion Detection and Prevention: Network and IDS Configuration and Monitoring using Snort

Secure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

Web application security: Testing for vulnerabilities

SPHOL325: SharePoint Server 2013 Search Connectors and Using BCS

BSDI Advanced Fitness & Wellness Software

Massey University Wireless Network Client Configuration Mac OS X

Adobe Summit 2015 Lab 718: Managing Mobile Apps: A PhoneGap Enterprise Introduction for Marketers

Essential IT Security Testing

Web Application Vulnerability Testing with Nessus

Ethical Hacking as a Professional Penetration Testing Technique

(WAPT) Web Application Penetration Testing

Acunetix Web Vulnerability Scanner. Getting Started. By Acunetix Ltd.

Installing Windows Server Update Services (WSUS) on Windows Server 2012 R2 Essentials

Developing ASP.NET MVC 4 Web Applications MOC 20486

Getting started with OWASP WebGoat 4.0 and SOAPUI.

Developing ASP.NET MVC 4 Web Applications

Windows Clients and GoPrint Print Queues

Cyber Security Workshop Ethical Web Hacking

UP L18 Enhanced MDM and Updated Protection Hands-On Lab

If you are experiencing difficulty joining a session, determine which scenario is applicable to you and follow the recommended guidelines.

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Developing ASP.NET MVC 4 Web Applications Course 20486A; 5 Days, Instructor-led

Immotec Systems, Inc. SQL Server 2005 Installation Document

Recommended Browser Setting for MySBU Portal

MY HELPDESK - END-USER CONSOLE...

Cognos 10 Getting Started with Internet Explorer and Windows 7

Sample Report. Security Test Plan. Prepared by Security Innovation

Table of Contents HOL-PRT-1671

Professional Mailbox Software Setup Guide

WA2256 Responsive Mobile Web Development with HTML5, CSS3, JavaScript, and jquery Mobile. Classroom Setup Guide. Web Age Solutions Inc.

Application security testing: Protecting your application and data

VPN: Virtual Private Network Setup Instructions

XCM Internet Explorer Settings

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Using Virtual Machines

ESISS Security Scanner

Reference Guide for WebCDM Application 2013 CEICData. All rights reserved.

Connecting to the University Wireless Network

Download and Launch Instructions for WLC Client App Program

VPS Remote Computing. Connecting to a Windows Server for the first time. 1 Your Server has been installed. 2 Finding the login details for your Server

603: Enhancing mobile device experience with NetScaler MobileStream Hands-on Lab Exercise Guide

Elluminate Live! Access Guide. Page 1 of 7

Release Notes for Websense Security v7.2

SSL VPN Setup for Windows

Active Directory Integration for Greentree

ilaw Installation Procedure

Quick Instructions Installing on a VPS (Virtual Private Server)

13.1 Backup virtual machines running on VMware ESXi / ESX Server

Installation Guide For Choic Enterprise Edition

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

QualysGuard WAS. Getting Started Guide Version 3.3. March 21, 2014

Internet Setup Manual for Windows 95/98

Checking Browser Settings, and Basic System Requirements for QuestionPoint

Automatic Setup... 1 Manual Setup... 2 Installing the Wireless Certificates... 18

1. Building Testing Environment

Livezilla How to Install on Shared Hosting By: Jon Manning

Aventail Connect Client with Smart Tunneling

JMC Next Generation Web-based Server Install and Setup

STABLE & SECURE BANK lab writeup. Page 1 of 21

Sophos UTM Web Application Firewall for Microsoft Exchange connectivity

IP Application Security Manager and. VMware vcloud Air

Remote Desktop Web Access. Using Remote Desktop Web Access

Advanced Web Security, Lab

QuickBooks Business Accounting Software for Windows

Connecting With Lifesize Cloud

Web Application Firewall

Reference and Troubleshooting: FTP, IIS, and Firewall Information

Lab 1: Windows Azure Virtual Machines

Elluminate Live! Access Guide. Page 1 of 7

Configuring Virtual Switches for Use with PVS. February 7, 2014 (Revision 1)

Follow these steps to configure Outlook Express to access your Staffmail account:

Student BYOD - Olathe Public Schools

Velocity Web Services Client 1.0 Installation Guide and Release Notes

exacqvision Web Server Quick start Guide

Reading an sent with Voltage Secur . Using the Voltage Secur Zero Download Messenger (ZDM)

Lync for Mobile. Help Desk

SBBWU PROXY SETTING IT CENTRE How to Set a Proxy Server in All Major Internet Browsers for Windows

Deployment Guide: Transparent Mode

Digipass for Citrix VM3.0: troubleshooting guide. Creation date: 11/07/2007 Last Review: 30/11/2007 Revision number: 2

How To Create An Easybelle History Database On A Microsoft Powerbook (Windows)

Lab - Configure a Windows 7 Firewall

Connecticut Hazardous Waste Manifests Database

Mapping ITS s File Server Folder to Mosaic Windows to Publish a Website

Quick Start Guide. Installation and Setup

1. Do I need to upgrade my Broadband at Home modem firmware?

DOCUMENT MANAGEMENT SYSTEM

Quick Connect. Overview. Client Instructions. LabTech

QUANTIFY INSTALLATION GUIDE

Print Audit 6 - SQL Server 2005 Express Edition

FTP, IIS, and Firewall Reference and Troubleshooting

BSDI Advanced Fitness & Wellness Software

Transcription:

Web attacks and security: SQL injection and cross-site scripting (XSS) License This work by Z. Cliffe Schreuders at Leeds Metropolitan University is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. Contents General notes about the labs Preparation Introduction to web attacks and security Understanding Web traffic Using a local Web proxy to intercept and modify Web traffic Working with WebGoat Conclusion General notes about the labs Often the lab instructions are intentionally open ended, and you will have to figure some things out for yourselves. This module is designed to be challenging, as well as fun! However, we aim to provide a well planned and fluent experience. If you notice any mistakes in the lab instructions or you feel some important information is missing, please feel free to add a comment to the document by highlighting the text and click the comment icon ( comments are public. ), and I (Cliffe) will try to address any issues. Note that your If you notice others are also reading the lab document, you can click the chat icon ( ) to discuss the lab with each other.

Preparation As with all of the labs in this module, start by loading the latest version of the LinuxZ template from the IMS system. If you have access to this lab sheet, you can read ahead while you wait for the image to load. To load the image: press F12 during startup (on the blue boot screen) to access the IMS system, then login to IMS using your university password. Load the template image: LinuxZ. Once your LinuxZ image has loaded, log in using the username and password allocated to you by your tutor. The root password -- which should NOT be used to log in graphically -- is tiaspbiqe2r (this is a secure password but is quite easy 2 remember). Again, never log in to the desktop environment using the root account -- that is bad practice, and should always be avoided. Using the VM download script (as described in the previous lab), download and start this VM: Web Security Dojo Feel free to read ahead while the VMs are downloading. Introduction to web attacks and security Over time there has been a shift to writing and hosting software via the World Wide Web (WWW), and while software vulnerabilities are discovered daily, the security of critical infrastructure such as operating systems themselves is generally improving. Attacks targeting client-side applications and other services are major sources of threat. With the move to Web-based software comes a plethora of new categories of vulnerabilities, such as programming errors common in Web apps. Many Web apps are written by programmers who are not aware of the security issues, and consequently in many cases organisations develop bespoke software that is vulnerable to attack. These flaws often allow attackers to access or modify databases or attack other users of the website. Understanding Web traffic

At its most basic, HTTP is a simple protocol that involves a client (for example a Web browser, such as Firefox or Chromium) making requests for web pages from the server (such as Apache or IIS). This can be visualised, by talking to a Web server using a simple TCP tool such as Netcat. Open a terminal ( Applications menu, Accessories, Terminal ), and run: nc localhost 80 The Netcat process will connect to the Apache server running locally, and now you can type in commands to send to the server. Type: GET / HTTP/1.1 Host: example.com Press the Return key twice. Tip: after starting Netcat you will need to type the above quickly, or copy and paste. The server will respond with the HTML for a webpage. This is exactly how a Web browser works, except that the browser would take the HTML code and use it to render and display the page graphically.

Read through the response. Simulating the job of a Web browser using Netcat Browse to the same page using Firefox http://localhost, and right-click the page and View Page Source. Confirm this is the same source you obtained manually. Using a local Web proxy to intercept and modify Web traffic Start WebScarab ( Applications menu, Tools, WebScarab ). Starting WebScarab Set Firefox to proxy all traffic through WebScarab:

Edit (Menu) Preferences Network (Tab) Settings. Configuring Firefox to use WebScarab as a proxy Select Manual proxy configuration, and configure the settings as above. Click OK. Note that all of Firefox s Web traffic will now be sent via the WebScarab program, which is acting as a local proxy program. This enables you to view and modify any requests send to or received from the server. Refresh the page in Firefox (F5), and view the information that WebScarab has collected. Click the Proxy tab, Manual Edit, and click the checkbox to Intercept requests. Now back in Firefox, refresh the page.

WebScarab will intercept the request and prompt you to alter the request before it is sent to the server. Experiment by making some changes. Click Accept changes. Experiment with intercepting responses: uncheck the Intercept requests, and check the Intercept responses checkbox. Reload the page (Shift-F5), and note that you can view and modify the HTML source before it reaches Firefox. Make some changes to the HTML response and click Accept changes. Turn off all intercepts, by unchecking the Intercept requests and Intercept responses checkboxes. Using local Web proxies enables a security tester to feed unexpected data through to Web servers and analyse responses, potentially exploiting Web-based software vulnerabilities, conducting attacks such as SQL injection or cross-site scripting (XSS). Working with WebGoat WebGoat, developed by OWASP, provides a series of lessons on web security, by presenting the user with scenarios that include deliberately insecure code. You can attack each web vulnerability to pass each scenario. Start Webgoat: Click the Applications menu, Targets, and WebGoat Start.

Starting WebGoat Logging into WebGoat Click OK, and then scroll down and click Start WebGoat.

Working through WebGoat s scenarios Read through the Introduction and Useful Tools sections. Work through the General lab activities. Work through the Cross-Site Scripting (XSS) lab activities. Work through the Injection Flaws lab activities. Conclusion At this point you have: Learned Web fundamentals, and simulated the actions of a Web browser using Netcat Learned about important web security concepts Conducted stored and reflected Cross-Site Scripting (XSS) attacks Conducted SQL injection attacks Congratulations!

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information