Web Security
The goals of this project:
Intro:
Warm Up Exercises - (20 points)
Target 1: XSRF (15 points)
Target 2: XSS Username and Password Theft (25 points)
Sample t2.html deliverable: https://drive.google.com/file/d/1s5WmU6Ygu8CTl0VfIQeyupr9-CDZ_a6I/view?usp=sharing
Milestones
Notes
Example of Successful Exploit
Target 3: SQL Injection (15 points)
Deliverables
Sample t3.html deliverable: https://drive.google.com/file/d/1C8CDBSLerl-RQZZAWJm4GH1CVboKwcwN/view?usp=sharing
Milestones
Example of Successful Exploit
Epilogue (25 Points)
The goals of this project:
● Students are asked to read up on Web Security Basics and write simple web vulnerabilities using Javascript/HTML
● With their knowledge on Web Security, the students are expected to attack three targets using the following web exploits:
○ Target 1 - Cross-site Request Forgery (XSRF)
○ Target 2 - Cross Site Scripting (XSS)
○ Target 3 - SQL Injection (SQLi)
● Students should be able to thoroughly and clearly explain the vulnerability in each target and explain the details about how to correct it as if they were writing to a development team in charge of patching the web app.
Preface:
● Read Piazza – Lots of questions are answered there daily. Be sure to check there before asking a question.
● CITE.
○ We will be using anti-cheating software, so you will be caught and reported to OSI.
○ You must include a Works Cited/Bibliography page in MLA format.
○ You can use easybib or citationmachine or anything else to help cite.
Intro:
To get you up to speed on the skills required to do your job, he starts off by assigning some readings and warm up exercises.
Prior Reading and Important Notes from your Mentor:
You are not required to follow the format unless specifically called out in the target (example: Activity 5 & Target 3). As long as the exploits work according to the requirements, you will receive full credit.
You are NOT submitting any PHP code in this project. Thus, your exploits should not modify the provided PHP files on the VM besides for debugging purposes. If you do happen to modify the PHP files, make sure you revert your changes when you test your exploit. We test your exploits using your submitted .html files and run them against the original, unmodified payroll server provided in the VM. This is a common mistake our interns make, so please make sure to use the original files to test your final exploits.
This project will require you to read and understand PHP (PHP Hypertext Preprocessor), which runs on a web server and responds to HTTP requests with dynamically generated pages and responses. It essentially works by taking template HTML files and filling them in by running scripts embedded in the template.
Getting Your Development Machine Set Up:
Download the virtual machine for this project here:
https://www.dropbox.com/s/sc059f077zmg5kf/websec.ova?dl=0
You have access to two users on the virtual machine:
Username Password
root root
user user
You should only use the user account to complete the project. root is provided for your convenience in case you need to install extra software or packages.
Helpful Hints from your Mentor:
part of your role will be to audit the correctness of their safeguards.
● The source code of the site can be found on the VM in /var/payroll/www. There is a bookmark added to the file manager to make your job a bit easier. We will be using Firefox
Disclaimer:
We hope you enjoy this challenging yet rewarding project. Now onto the details!
Warm Up Exercises - (20 points)
1.a - Basic HTML & PHP Questions (Ungraded but very helpful)
Your mentor explains that you should be able to answer the following questions before starting the projects. If you come to his desk and ask him any of these questions, he’ll refer you to this writeup :)
● Describe what HTML is (including what it stands for). What is its role in a website?
● What does PHP stand for, and how is it used? What is the difference between basic HTML and PHP?
● What is the delineator for PHP code (i.e., how does the PHP interpreter know when there is server-side code to run)?
● What is SQL? What is its purpose, and with what is it used to communicate?
● How does SQL work in a website? Where is the SQL command executed? Is it done in HTML or in PHP?
● What is the DOM? What does that stand for? How does HTML support DOM and how do you access it? How does JavaScript use the DOM and do things with it?
1.b - Getting to know the browser dev tools (10 points)
You’ll be working on the next three activities within the VM using both the Chromium and Firefox browsers. The goal is to get you more familiar with the built-in browser developer tools. There is a link on your desktop to Firefox Iceweasel. To launch Chromium, open a terminal and type chromium.
● Note that Chromium only works when running as the user account and not root.
● Note that these three activities will be the only time in this entire project that you’ll use the chromium browser. You’ll find out why by working through the project. Do not try to use chromium for any other tasks.
Activity 1 - The Inspector & Console tabs
The goal of this activity is to familiarize you with the basic html inspector (elements tab) and console of the browser tools. To access these tools click F12 or use the menus within the browser to bring them up.
Launch Firefox Iceweasel and navigate to this URL → http://cs6035.gtisc.gatech.edu:5000/tools Use the inspector (elements tab) and console tabs to answer the following questions about this login screen. Note: You don’t actually log in. The page that shows up at the link IS the site you should use to answer the questions below.
1. What is the value of the ‘CanYouSeeMe’ input?
○ Do not include quotes in your answer.
2. The page references a single JavaScript file in a script tag. Name this file including the file extension.
○ Do not include the path, just the file and extension. Ex: “ajavascriptfile.js”
3. The script file has a JavaScript function named ‘runme’. Use the console to execute this function. What is the output that shows up in the console?
○ Do not include quotes in your answer.
Activity 2 - Network Tab
The goal of this activity is to familiarize you with the network activity between the browser and the server. Use the network tab to understand how HTTP requests are sent to the server and what types of data come back in the responses.
Launch Firefox Iceweasel and navigate to this URL → http://cs6035.gtisc.gatech.edu:5000/tools Open the network tab and then click on the ‘Sign In’ button. No need to provide any credentials, leave them blank. Use the network tab to answer the following questions.
1. What request method (http verb) was used in the request to the server?
2. What status code did the server return?
○ Include both the code and description. Ex: “200 Ok”
3. The server returned a cookie named ‘coffee’ for the browser to store. What is the value of this cookie?
○ Do not include quotes in your answer.
Activity 3 - Built-in browser protections
The goal of this activity is to familiarize you with basic protections that most modern browsers provide while other older ones do not.
Launch Firefox Iceweasel.
You’ve found a webpage that echoes back a query parameter you provide in the request to the server. Navigate to this URL to test it out →
http://cs6035.gtisc.gatech.edu:5000/tools/echo?payload=SampleText
1. You can do more than just echo back text. Construct a URL such that a JavaScript alert dialog appears with the text cs6035 on the screen. Submit your constructed URL and a screenshot of the page as your answer.
a. Note: It is Required that the URL you submit starts with this ->
“http://cs6035.gtisc.gatech.edu:5000/tools/echo”
b. You will lose all points if the URL doesn’t start with the string above.
2. Open chromium and try your same exploit. What error message do you see on the page that begins with ERR…?
3. Research this feature and then in your own words, describe what this security feature in chromium is and how it can help protect against attacks.
1.c - Working with HTML forms & JavaScript (10 points)
Activity 4 - Submitting forms
The goal of this activity is to familiarize you with HTML forms. You need to construct an html page that will submit a simple form to the server. Feel free to use the template below. It’s not required for this activity but highly recommended. Complete this activity from within the VM using the Firefox Iceweasel browser.
Here are your requirements for building the html file:
● The URL that you need to submit your form to → http://cs6035.gtisc.gatech.edu:5000/forms
● You need to POST the form to the server
● You need to provide a URL query parameter to your submission
○ IsHoneyPot with a value of false
● You need to provide the following form input values
○ Name: ‘MagicNumber’; Value: Any number, ex: 5
Here is a code snippet you can start with:
https://drive.google.com/file/d/1ELWaN92kau78875zgnYOz7Rbx_1vSOKc/view?usp=sharing
Once you successfully submit the form, you’ll see a message similar to the following:
“Congratulations! you've successfully finished this activity. The answer is <REDACTED>”
You MUST see this page to receive credit for this activity!
Submit the following items for this activity:
1. Copy the entire output message you see and submit that as your answer to this activity.
2. Upload activity4.html which is the form that you constructed.
Example of Successful Exploit
Our autograder is a Selenium script so it will simulate user interaction using the same exact browser and VM that you have. It will do the following for this activity:
1. Launch your activity4.html file
2. Verify that the URL of the page starts with http://cs6035.gtisc.gatech.edu:5000/
3. Verify that the text “Congratulations! you've successfully finished this activity. The answer is <REDACTED>” appears in the resulting page.
Activity 5 - Accessing the DOM with JavaScript
● You must use the template provided here. Failure to do so will result in a zero for this section.
■ https://drive.google.com/file/d/1QKD2MGlZqsrg9fmCr60H3fseQ1fdMQ3N/view?usp=sharing
● Your task is to write JavaScript in the provided function that meets each goal specified in the comments. Do not change any code outside of this function.
● Once completed, your page will look similar to the screenshot below. The values will be different when we grade your function so do not hard-code any value we’re asking you to fetch with JavaScript.
● To get started, simply download the template above and double click it. You’ll see a page launch with several TODOs. View the source and begin editing the function provided.
Example Output Expected:
Example of Successful Exploit
Our autograder is a Selenium script so it will simulate user interaction using the same exact browser and VM that you have. It will do the following for this activity:
1. Launch your activity5.html file. Note: you must use our provided template.
2. Verify that each item in the JavaScript file is correctly displaying on the page.
a. The order of the items on the page DOES matter. It must look like the screenshot above.
Target 1: XSRF (15 points)
Not wanting you to use your own bank account information (for obvious reasons) for this, Jason tells you to use some information from a script that he wrote.
get_bank_info jdoe3
Here is an example of what the script will print out:
Username: jdoe3
Account number: 962362227
Routing number: 2113956237
Deliverables
● t1.html
● Report.pdf (See Epilogue)
Sample t1.html deliverable: https://drive.google.com/file/d/1lcL8k_PgfZBegcpMdgtJ-BCszIhnzCyK/view?usp=sharing
Milestones
A successful attack earns 15 points automatically.
If you are unable to complete the task, you will earn partial credit as follows:
Points Milestone (you earn points in this order)
8 You see the “XSRF prevented” message with your exploit.
7 Able to change the account number and routing number without extra browser tabs or popups.
If you get to this point you’ve earned the full 15 points.
Notes
You can visit your web page by entering the path of your file in the browser URL bar. For example, this would be file:///home/user/t1.html assuming that your exploit lives in /home/user/. You can also simply double click to open the file in Firefox. This opens your exploit in another tab but this is OK and it works. Your actual exploit code must NOT open a new tab via JavaScript or other means. You can also open your file using the CTRL+o hotkey.
Do NOT use relative paths for site URLs in your exploits.
● WRONG -> /somefolder/somefile.php
● CORRECT -> http://payroll.gatech.edu/somefile.php
We see this every semester from a handful of students. Your exploit will fail, and you will not receive credit.
Example of Successful Exploit
Our autograder is a Selenium script so it will simulate button clicks using the same exact browser and VM that you have. It will do the following for Task 1:
1. Log into the site using a known good username and password.
2. Launch your t1.html file in the same open tab.
3. Verify that the URL starts with “http://payroll.gatech.edu”.
Target 2: XSS Username and Password Theft (25 points)
Now that you’ve finished your PoC exploit for the first vulnerability, Jason thinks you are ready to write one for a potentially more-severe vulnerability. He noticed that you could steal a user’s username and password. You can craft a web page such that whenever a victim, say Bob, visits the
page (by clicking the attachment in a phishing email), it will redirect him (NO popups) to http://payroll.gatech.edu/ with a malicious script injected into the page.
The web page should look as if Bob visited the site directly without going through your page. When Bob enters his login information into the page and clicks Log In, an email with his username and password will be sent. Jason asks you to craft such a PoC web page. You will have to send the email to the local user account on the virtual machine.
This attack requires an email to be sent to user on the system. The good news is that you can use hackmail:
http://hackmail.org/sendmail.php
Open the above URL from within virtual machine for instructions on how to send emails via your attack script. Any mail that the user account receives will appear in /var/mail/user. A bookmark has been added to the file manager for your convenience.
Requirements
● The attack must be performed using XSS. Providing a phishing web page will result in 0 points. The browser URL bar should contain the domain payroll.gatech.edu and not a phishing URL. If you find yourself copy and pasting html code from the payroll site into your t2.html then you’re likely heading down a very wrong path.
● The email payload should be the user’s username (login) and password separated by a single space. i.e. username password <- notice the space!
○ The sender of the email should be set to
VGFyZ2V0MkZvclN1bW1lcjIwMjAtVGhpc09uZUlzVHJpY2t5
○ Failure to follow this format will result in 0 points for this part.
● The page must be functionally identical. This means the user can log into the site in the normal fashion and will not notice any visual/functional differences. Yes, you must be able to log in to pass this test.
Deliverables
● t2.html
● report.pdf (see Epilogue)
Sample t2.html deliverable:
https://drive.google.com/file/d/1s5WmU6Ygu8CTl0VfIQeyupr9-CDZ_a6I/view?usp=sharing
Milestones
A successful attack earns 25 points automatically.
If you are unable to complete the task, you will earn partial credit as follows:
Points Milestone (you earn points in this order)
10 Can inject a script and send an email to the user account
10 Steal the user’s username and password and send them to the user account via email.
Caution: The values need to be exactly correct. Extra spaces, quotes or anything WILL result in point loss.
5 The exploited web page is cosmetically identical to the original website.
Notes
Initially there is not a mail file on the VM. We suggest playing around with hackmail outside of your exploit to make sure you can generate a mail file. You’ll simply see a file named “user” show up in the location detailed above. Right click it and open with gedit to view the contents. You can delete the file and hackmail will generate a new one each time you exploit the site. This makes it much easier to debug than scrolling a lot in the user file. Delete, exploit to create it and then validate your payload.
Use the developer tools built into Firefox. Simply click F12 in Firefox and you’ll see the dev tools pop up at the bottom. This tool is your friend, get to know it and use it to help you through this task.
Example of Successful Exploit
Our autograder is a Selenium script so it will simulate button clicks using the same exact browser and VM that you have. It will do the following for Task 2:
1. Open your t2.html file and verify that the URL of the page is correct and that it is cosmetically identical to the original site. See screenshot below.
2. Input a known good username
3. Input a known good password
a. Note: Your code does not need to handle invalid username and/or password. We’ll only test happy path.
4. Click the Log In button
5. Inspect the file system for the user file
6. Validate that the user file contains username and password and that the sender is VGFyZ2V0MkZvclN1bW1lcjIwMjAtVGhpc09uZUlzVHJpY2t5 See screenshot below.
7. Ensures that the user is logged in correctly. Your exploit cannot break the login functionality of the site.
After visiting t2.html, the web page should look exactly the same as the legitimate site. Notice there are no cosmetic differences!
The email should be sent via hacker mail.
Target 3: SQL Injection (15 points)
Impressed with how much you’ve learned so far (and in so little time), Jason thinks he can entrust you to create a final PoC HTML webpage with the following requirements to show the website developers how easy it is to bypass their site’s authentication:
● The crafted page has a text field for the username and a submit button.
○ NO password field!
● Do NOT execute destructive SQL commands such as DROP tables. System administrators can easily detect data loss!
● The id of the input field must be set to targetlogin, and the button id must be exploit. This is very important as the autograder specifically looks for these elements. Failure to include them will result in a zero for this target. Example:
<input name="login" id="targetlogin" value="username" /> <button id="exploit">Hold onto your butts!</button>
Deliverables
● t3.html
● report.pdf (see Epilogue)
Sample t3.html deliverable:
https://drive.google.com/file/d/1C8CDBSLerl-RQZZAWJm4GH1CVboKwcwN/view?usp=sharing
Milestones
A successful attack earns 15 points automatically (so long as it does not execute destructive SQL commands).
If you are unable to complete the task, you will earn partial credit as follows:
Points Milestone (you earn points in this order)
10 Able to log in as any user that exists on the system with no password.
5 The exploited web page is cosmetically & functionally identical to the original website. If you get to this point you’ve earned the full 15 points.
If you implemented the attack with a destructive SQL command that causes our scripts to fail to grade your target you’ll not receive points for this Task. You will not need to modify the database schema in any way in order to exploit this.
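For the fix description the report asks for (see Epilogue), here is an added PHP illustration, not the payroll site's code, of the login-handler shape that lets the username field alone bypass authentication, beside a version fixed with a prepared statement. The table and column names (users, login, password) and the $pdo connection are assumptions made for this example.

```php
<?php
// Added illustration (not the payroll site's code): a login handler that
// splices form fields into its SQL, and the same handler fixed with a
// PDO prepared statement. Table/column names and $pdo are assumptions.

// VULNERABLE: both form values become part of the query text, so the
// database cannot distinguish user data from SQL syntax. A value typed
// into the login field can alter the WHERE clause itself, which is why
// the password comparison can be made irrelevant without knowing it.
function login_vulnerable(PDO $pdo, string $login, string $password): ?array
{
    $sql = "SELECT id, login FROM users "
         . "WHERE login = '$login' AND password = '$password'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// FIXED: the query text is fixed at prepare time; the user-supplied values
// travel separately as bound parameters and are only ever compared as
// data. Turning off emulated prepares keeps that separation on the
// database server rather than in the PHP driver.
function login_fixed(PDO $pdo, string $login, string $password): ?array
{
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $pdo->prepare(
        'SELECT id, login FROM users WHERE login = :login AND password = :password'
    );
    $stmt->execute([':login' => $login, ':password' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Typical call site in the login page (field names assumed):
// $user = login_fixed($pdo, $_POST['login'] ?? '', $_POST['password'] ?? '');
// Storing password hashes (password_hash/password_verify) instead of
// plaintext is a separate improvement the report can recommend as well.
```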
Example of Successful Exploit
Our autograder is a Selenium script so it will simulate button clicks using the same exact browser and VM that you have. It will do the following for Task 3:
1. Launch your t3.html file in Firefox. See screenshot below.
2. Find the targetlogin input field and replace whatever text is there with a known good username
3. Find the exploit submit button and click it
4. Inspect the resulting redirected page to ensure it is the correct page, see screenshot below, and that the user is successfully logged in.
5. Ensure that the resulting redirected page is cosmetically & functionally identical to the original site.
After visiting t3.html, the page displays an input field for the attacker.
After typing in the username of an existing user in the payroll system, you should be successfully logged in. The site should function as if logged in legitimately.
Epilogue (25 Points)
Your first assignment at Red Team Inc. has gone great! You’ve learned a ton about application security from writing all of these PoCs. However, you’re not done yet apparently. Jason walks across your open office space, cold-brew coffee in-hand, to give you one more assignment.
He tells you that while writing all these PoCs has helped you learn a whole lot, the main goal here is to educate the owners of the website and the developers who wrote it. While the PoCs are an extremely important component in proving to them that they have a problem and what the scope of the problem is, you need to spend some time in documenting the vulnerabilities and how they can be fixed.
The final deliverables:
Filename Description
report.pdf You are required to use the official template for all written answers: The template is in Google doc format and located here: https://drive.google.com/file/d/17A1KCZK_JJ4A63AVVBQRPM-WH3tU0in3/view?usp=sharing
Feel free to copy that Google Doc into your own Google drive or use another application such as Microsoft Word. The final submitted version needs to be a PDF.
activity4.html Warmup HTML page for activity 4
activity5.html Warmup HTML page for activity 5
t1.html Crafted HTML page for Target 1
t2.html Crafted HTML page for Target 2
t3.html Crafted HTML page for Target 3
DO NOT ZIP THE FILES! – This will cause point loss. (10 Points)
Acknowledgements
Rubric Points Totals
✓
1. Warmup Exercises 20
i. Activity 1: Input Value 1
ii. Activity 1: Javascript File 1
iii. Activity 1: Function Output 1
iv. Activity 2: HTTP Verb 1
v. Activity 2: Status Code 1
vi. Activity 2: Cookie Value 1
vii. Activity 3: URL and Screenshot 2
viii. Activity 3: Error Message 2
ix. Activity 3: Security Feature Explanation 2
x. Activity 4: activity4.html 4
xi. Activity 5: activity5.html 4
2. XSRF 15
i. You see the “XSRF prevented” message with your exploit. 8
ii. Able to change the account number and routing number without extra browser tabs or popups. If you get to this point you’ve earned the full 15 points. 7
3. XSS Username and Password Theft 25
i. Can inject a script and send an email to the user account. 10
ii. Steal the user’s username and password and send them to the user account via email. 10
iii. The exploited web page is cosmetically identical to the original website. 5
4. SQL Injection 15
i. Able to log in as any user that exists on the system with no password. 10
ii. The exploited web page is cosmetically identical to the original website. If you get to this point you’ve earned the full 15 points. 5
5. Epilogue 25
i. The correct lines/issues are identified for each target (2 points per target) 6
ii. A detailed description of the vulnerability for targets 1, 2, and 3 (3 points per target) 9
iii. A detailed description of how the vulnerability can be fixed for each target (2 points per target) 6
iv. Describe at least two additional issues 2
v. Explanation of how to safely fix the additional issues identified 2