Web attacks and security: SQL injection and cross-site scripting (XSS)

License

This work by Z. Cliffe Schreuders at Leeds Beckett University is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

Contents

General notes about the labs

Preparation

Introduction to web attacks and security

Understanding Web traffic

Using a local Web proxy to intercept and modify Web traffic

Working with WebGoat

Conclusion

General notes about the labs

Often the lab instructions are intentionally open ended, and you will have to figure some things out for yourselves. This module is designed to be challenging, as well as fun!

However, we aim to provide a well planned and fluent experience. If you notice any mistakes in the lab instructions or you feel some important information is missing, please let me (Cliffe) know and I will try to address any issues.

Preparation

As with all of the labs in this module, start by loading the latest version of the LinuxZ template from the IMS system. If you have access to this lab sheet, you can read ahead while you wait for the image to load.

To load the image: press F12 during startup (on the blue boot screen) to access the IMS system, then login to IMS using your university password. Load the template image: LinuxZ.

Once your LinuxZ image has loaded, log in using the username and password allocated to you by your tutor.

The root password -- which should NOT be used to log in graphically -- is “tiaspbiqe2r” (this is a secure password but is quite easy 2 remember). Again, never log in to the desktop environment using the root account -- that is bad practice, and should always be avoided.

Using the VM download script (as described in the previous lab), download and start this VM:

Feel free to read ahead while the VMs are downloading.

Introduction to web attacks and security

Over time there has been a shift to writing and hosting software via the World Wide Web (WWW), and while software vulnerabilities are discovered daily, the security of critical infrastructure such as operating systems themselves is generally improving. Attacks targeting client-side applications and other services are major sources of threat. With the move to Web-based software comes a plethora of new categories of vulnerabilities, such as programming errors common in Web apps.

Many Web apps are written by programmers who are not aware of the security issues, and consequently in many cases organisations develop bespoke software that is vulnerable to attack. These flaws often allow attackers to access or modify databases or attack other users of the website.

Understanding Web traffic

At its most basic, HTTP is a simple protocol that involves a client (for example a Web browser, such as Firefox or Chromium) making requests for web pages from the server (such as Apache or IIS).

This can be visualised, by talking to a Web server using a simple TCP tool such as Netcat.

Open a terminal (“Applications” menu, “Accessories”, “Terminal”), and run:

nc localhost 80

The Netcat process will connect to the Apache server running locally, and now you can type in commands to send to the server. Type:

GET / HTTP/1.1

Host: example.com

Press the Return key twice.

Tip: after starting Netcat you will need to type the above quickly, or copy and paste.

The server will respond with the HTML for a webpage. This is exactly how a Web browser works, except that the browser would take the HTML code and use it to render and display the page graphically.

Simulating the job of a Web browser using Netcat

Read through the response.

Browse to the same page using Firefox http://localhost, and right-click the page and “View Page Source”. Confirm this is the same source you obtained manually.

Using a local Web proxy to intercept and modify Web traffic

Start WebScarab (“Applications” menu, “Tools”, “WebScarab”).

Starting WebScarab

Set Firefox to proxy all traffic through WebScarab:

Edit (Menu) → Preferences → Network (Tab) → Settings.

Configuring Firefox to use WebScarab as a proxy

Select Manual proxy configuration, and configure the settings as above. Click OK.

Note that all of Firefox’s Web traffic will now be sent via the WebScarab program, which is acting as a local proxy program. This enables you to view and modify any requests send to or received from the server.

Refresh the page in Firefox (F5), and view the information that WebScarab has collected.

Click the “Proxy” tab, “Manual Edit”, and click the checkbox to “Intercept requests”.

Now back in Firefox, refresh the page.

WebScarab will intercept the request and prompt you to alter the request before it is sent to the server. Experiment by making some changes. Click “Accept changes”.

Experiment with intercepting responses: uncheck the “Intercept requests”, and check the “Intercept responses” checkbox. Reload the page (Shift-F5), and note that you can view and modify the HTML source before it reaches Firefox. Make some changes to the HTML response and click “Accept changes”.

Turn off all intercepts, by unchecking the “Intercept requests” and “Intercept responses” checkboxes.

Using local Web proxies enables a security tester to feed unexpected data through to Web servers and analyse responses, potentially exploiting Web-based software vulnerabilities, conducting attacks such as SQL injection or cross-site scripting (XSS).

Working with WebGoat

WebGoat, developed by OWASP, provides a series of lessons on web security, by presenting the user with scenarios that include deliberately insecure code. You can attack each web vulnerability to pass each scenario.

Start Webgoat: Click the “Applications” menu, “Targets”, and “WebGoat Start”.

Starting WebGoat

Logging into WebGoat

Click OK, and then scroll down and click “Start WebGoat”.

Working through WebGoat’s scenarios

Read through the Introduction and Useful Tools sections.

Work through the “General” lab activities.

Work through the “Cross-Site Scripting (XSS)” lab activities.

Work through the “Injection Flaws” lab activities.

Conclusion

At this point you have:

Congratulations!