CS6035 Intro To Info Security: Project #4 Web Security solution

$35.00

Original Work ?
Category: You will Instantly receive a download link for .ZIP solution file upon Payment

Description

5/5 - (4 votes)

Setting Up
Please download the VM from : https://www.prism.gatech.edu/˜gwang312/websec-final.ova
You should be able to open the file and set up a VM directly with VirtualBox.
The logins (username/password) are as follows:
root/root
user/user
You should only need to use user/user to complete the project, but feel free to explore using root.
Our support will be VirtualBox on major OS (Ubuntu, Windows, OSX).
Interacting with the VM
Option 1: Port forwarding and ssh
Xorg and openssh-server are set up on the VM, so you may set up port forwarding from virtualbox. This
can be done by:
Right click on VM → Settings → Network → Advanced → Port Forwarding.
Enter: name:ssh, protocol:TCP, hostport:2222 (or anything you prefer), guestport:22. Leave
others blank.
You may then ssh in with
ssh -p 2222 -X user@127.0.0.1
Other use include sshfs and scp, which you may explore yourself.
Option 2: Old fashion login.
After logging in, you should be able to start up a desktop with startx command. This will prompt up a
minimal LXDE desktop environment that is sufficient for you to complete the project. If you wish to install
more packages, you may do so with apt-get. To change resolution, you may use the xrandr command.
Georgia Tech Payroll
The site we will be exploiting in this project is payroll.gatech.edu. Please note that this is a made-up site
and does not point to a legit site in the real world. For testing purposes, you may register accounts at your
will. However, please DO NOT use your actual passwords and banking information.
The source code of the site can be found in /var/payroll/www. We will be using iceweasel, which is
provided in the VM, to test your exploits. You may also assume javascript is always enabled in iceweasel.
There are 3 targets in total (100 points). You may find the last page containing some useful tips and readings.
Submission should be 3 separate files. Good luck and have fun.
Disclaimer
This project is solely for educational purposes.
Wenke Lee or any affliliation associated with him or his research/teaching is NOT responsible in the event
of any criminal charges be brought against any individuals misusing the information in this project to break
the law.
When in doubt, please consult the TAs or Professor Lee regarding any issues.
Page 3 of 7
Web Security Intro To Info Security (Professor Wenke Lee ): Project #4
Target 1: XSRF (40 points)
You stumbled upon the GaTech payroll website and found a vulnerability. Suppose a user (let us say, Alice)
is already logged in the GaTech payroll site. You noticed that you can craft a webpage so that when Alice
visits your webpage, she gets redirected (NO popups) to the GaTech payroll page with her account number
and routing number set to some values of your choice.
Poor and living off on ramen, you decide to give it a try and craft the web page to set the banking information
to yours:
account number: 2133721337
routing number : 4242424242
The user must not see the contents of your crafted page (a split second due to browser rendering is acceptable)!
Deliverable: t1.html. Not following naming format results in an automatic failure (0 points).
Sample deliverable:

5

10
Milestones
A successful attack gains 40 points automatically.
If you are unable to complete the task, you will be paid accordingly by the milestones as follows:
• 20 points: Identify vulnerability and briefly explain why it is vulnerable. Provide it as a comment in
the top of t1.html.
• 10 points: Able to change the account and routing info.
• 10 points: Able to prevent the user from seeing your malicious webpage content.
Note: You can visit your webpage by typing the path of your file in the url bar, eg.
file:///home/user/t1.html
Page 4 of 7
Web Security Intro To Info Security (Professor Wenke Lee ): Project #4
Target 2: XSS-password theft (40 points)
You were caught! Good thing is Gatech InfoSec was curious if you can find anything else more severe, and
would let you off the hook if you help them out. You noticed that you are able to steal passwords; you can
craft a webpage such that whenever a victim (let’s say, Bob) visits the page, it will redirect (no popups) him
to http://payroll.gatech.edu/. The webpage should look as if Bob visited the site directly. When Bob types
in his user/password and hits login, an email containing the credentials will be sent. GaTech administrators
would like you to demonstrate the attack and pay you accordingly. You will have to send the mail to user
as a proof of concept.
This attack will require an email to be sent to user on the system. Good thing is you can use hackmail:
http://hackmail.org/sendmail.php (open this URL from within the vm for more instructions) to
send emails via your attack scripts. Any mail the user receives will appear in /var/mail/user.
Requirements:
• This attack must be done via XSS; providing a phishing webpage will result in 0 points.
• The format of the email payload should be ” .” ie. victim’s username followed by a space and then the victim’s password. You may assume that the username and password does not contain whitespaces. The sender should be set to ”H4x0r.”
• Redirected page must be cosmetically identical to the original page. The webpage source
can be different as long as the user can’t notice without looking at the source.
Deliverable: t2.html. Not following naming format results in an automatic failure (0 points).
Sample deliverable:

5

10
Milestones
A successful attack gains 30 points automatically.
If you are unable to complete the task, you will be paid accordingly by the milestones as follows:
• 10 points: Identify vulnerability and briefly explain why it is vulnerable. Provide it as a comment in
the top of t2.html.
• 20 points: Able to steal the username/password and send it via the mail.
• 10 points: the exploited webpage is cosmetically the same as original site.
Page 5 of 7
Web Security Intro To Info Security (Professor Wenke Lee ): Project #4
Target 3: SQL Injection (20 points)
H4x0r0rg has heard about your feat in making tons of money from GaTech by changing other people’s payroll
account. They contacted you and gave you a job, a job with a hefty sum you can’t resist. The task is to
create an html webpage, and the requirements are the following:
• They want you to craft a page with a text field for username and a submit button. (NO
password field!)
• The user of this page is not logged into GaTech payroll system, but when they enter a valid
GaTech payroll registered username (suppose it’s presidentpeterson) and hit submit, the user
will be redirected to payroll.gatech.edu/account.php logged in as presidentpeterson.
• The page should function as if it has been logged in legitimately using the proper username
and password.
• Do NOT execute destructive SQL commands eg. DROP tables. System admins can easily
detect data loss!
• The id of the input field must be ”targetlogin”, and the button id must be ”exploit”. For
example:


Deliverable: t3.html Not following naming format results in an automatic failure (0 points).
Sample deliverable:

5



10

</scr ipt>

Milestones
A successful attack gains 30 points automatically.
If you are unable to complete the task, you will be paid accordingly by the milestones as follows:
• 10 points: Identify vulnerability and briefly explain why it is vulnerable. Provide it as a comment in
the top of t3.html.
• 10 points: Actual webpage impl.
• If you implemented the attack with a destructive SQL command and causes our scripts to fail to grade
your other targets, you will not be getting any partial credits for those failed targets.
Page 6 of 7
Web Security Intro To Info Security (Professor Wenke Lee ): Project #4
Epilogue
You delivered your exploit to H4x0r0rg. They seemed quite happy, and so are you. Just the thought of not
having to work for the rest of your life seems quite enticing. But then you heard the FBIs knocking on your
door. Turns out H4x0r0rg was just a bait from the law enforcers!
Deliverable: Please do not do this in the real world.
Helpful Readings/ Hints
• This assignments requires form submission. If you do not know how to do so, you may consult
http://www.w3schools.com/html/html_forms.asp.
• This assignment (especially for target 3) may require some javascripting. Only a very basic knowledge
is needed. You may find http://eloquentjavascript.net/ useful if you’re completely new to
javascript.
• You do not need to know extensive SQL knowledge to complete target 3, however, it requires a little
more observation and thinking. You may find the reading here helpful: http://www.cgisecurity.
com/lib/advanced_sql_injection.pdf.
• The sample deliverables are there for your benefit/convenience. You are not required to follow the
format. As long as the exploit works according to requirements, you will receive full credit.
Acknowledgement
Special thanks to Professor V. Shmatikov for the inspiration of this project and his permission to modify/reuse his materials. You may find more about him and his research at: http://www.cs.cornell.
edu/˜shmat/
Page 7 of 7